The number of cyber security job openings around the globe is staggering. Cisco estimated that there were 1 million unfilled cyber security jobs worldwide in 2014, and Cybersecurity Ventures predicted there will be 3.5 million openings by 2021. The unprecedented need for cyber security experts has intensified as the industry has grown nearly 35 percent over the last 13 years. Spending in the industry reflects this growth: Between 2017 and 2021, Cybersecurity Ventures also expects cyber security spending to exceed $1 trillion. “While all other tech sectors are driven by reducing inefficiencies and increasing productivity, cybersecurity spending is driven by cybercrime,” explained Cybersecurity Ventures. The unprecedented cybercriminal activity we are witnessing is generating so much cyber spending, it’s become nearly impossible for analysts to accurately track.” Cyber crime is not going away. In fact, it is getting worse. The increasing sophistication of cyber criminals coupled with the cyber security talent shortage is creating an alarming situation—especially as we become ever more connected via technology such as the Internet of Things. So, there’s the problem. But what is the solution? Here are some of the strategies being pursued to confront the rapidly intensifying cyber security workforce crisis.
Rethink Cyber Security Education
The United States is at a crucial juncture – cyber threats and successful attacks increase every day, yet academic institutions struggle to produce students who can be effective in the fight. Today's cyber security experts must possess a strong understanding of 21st-century cyber criminals, their methodologies, tools and constantly evolving strategies. Unfortunately, the majority of cyber security undergraduate and graduate degree programs available today offer an outdated approach to information security degrees that leave their graduates with a gaping skills gap once they enter the workforce. According to an article in The Hill about the “critical” cyber security talent shortage:
Conventional approaches to cybersecurity training and certification are not keeping pace with the reality of today’s fast-changing and complex technology landscape. Traditional approaches to security training need immediate reexamination, and we must quickly and aggressively boost efforts to educate a new generation of cybersecurity experts.
After conducting a survey of 121 top-ranked universities and their undergraduate computer science programs, CloudPassage concluded that U.S. universities are failing when it comes to cyber security education. They noted in their analysis:
The American education system is failing computer science students by deprioritizing cybersecurity training. Universities are inadvertently contributing to the lack of cybersecurity readiness in the U.S. by failing to teach students how to implement security thinking and awareness into all new code design, development, and testing. Given the increasingly complex nature of today’s threat landscape, security can no longer be added on after new products and innovations are delivered to market. Cybersecurity training must be a graduation requirement for all computer science programs.
It is clear that cyber security education needs to be overhauled and reprioritized. Universities must consider a new approach that includes collaborating with local and national stakeholders to develop curricula effective in fighting ever-evolving cyber security threats. Students should understand theory and the be able to apply specific knowledge and skills in the areas of technology, law, policy, compliance, governance, intelligence, incident response, and management. Additionally, a successful cyber security practitioner must have experience within the environments that they will defend. Therefore, the design of an effective program should include extensive immersive experiences in various topic domains. Finally, because the world of cyber security changes constantly, universities must prioritize lifelong learning skills.
Focus on the Millennial workforce
Not only have the majority of universities failed to prioritize 21st century cyber security education, but high schools have also fallen short in promoting cyber security as a career path. A large majority of high school students are unaware that a career in cyber security is even a possibility, and many high schools don’t offer any classes or programs in the discipline. As the millennial generation comes of age and baby boomers retire over the next decade, it is the millennials who will be looked at to fill these critical roles. Yet so far, the figures are not positive. A Global Information Security Workforce Study by (ISC)2 revealed that only 7 percent of cyber security workers surveyed were under age 29, and 13 percent were between ages 30 and 34. The average age of cyber professionals is 42. (ISC)2 is looking at ways to encourage more millennials to consider a career in cyber security by introducing an International Academic Program and initiating a conversation around the way we communicate with millennials. “What we're trying to look at is how to better communicate [with millennials]. (ISC)2 as an organization has to understand approaching millennials and speaking to them in a language that's going to resonate with them to try to get them interested in [security], and we are. But we also have to understand these young folks have been exposed to technology for so long that they look at it as second nature to them," Executive Director David Shearer said at the 2015 RSA Conference. Introducing high school students to cyber security, coding, and STEM disciplines is a simple first step in planting the seed and developing a workforce capable of combating ongoing cyber threats in a digital world.
Invest in Women and Girls
The cyber security field is also failing to attract women. The industry faces a severe gender gap, with women constituting just 11 percent of the world’s information security workforce. In order to attract women, it would help to look to the next generation, as The Girl Scouts of the USA are doing. The organization recently announced the introduction of 18 new cybersecurity badges with the hopes of encouraging young girls to explore opportunities in STEM. In a Kaspersky Lab survey, it was discovered that one reason young women shy away from the field is the negative connotations elicited by certain cyber security terminology such as “hacker.” “Early education plays a critical role in overcoming entry barriers, but there’s also a need to change the industry’s images as a whole and promote the careers within,” Todd Helmbrecht, senior vice president of marketing of Kaspersky Lab North America, said in a news release. Besides the Girl Scouts of the USA, others are attempting to encourage women and girls into the cyber security field with initiatives such as brainbabe and Girls Who Code. With nearly half of the population absent from a field in dire need of talent, there is a tremendous opportunity for women to play a significant role in ending the talent crisis. We need more initiatives like the ones listed above and a greater emphasis on the importance of women in cyber security. This means that organizations and thought leaders must look for ways to make the field more welcoming to women and look for ways to eliminate stereotypes. If we are to fill 3.5 million jobs by 2021, it will take a full-scale effort with contributions not just from government and the private sector but from millennials, women, and universities alike. About the Author: Patricia De Saracho is a Senior Marketing Manager with the University of San Diego where she supports several graduate degree programs including the Master of Science in Cyber Security Operations and Leadership (MS-CSOL) and the Master of Science in Cyber Security Engineering. Patricia is passionate about education and the role it can play in affecting positive change. You can connect with the University of San Diego’s cyber security programs on Twitter and Facebook. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.