A major skills gap is stifling the cybersecurity industry – here’s how employers are tackling it.
Cybersecurity practice continues to grow into an essential pillar of daily life, but a deficit in technical knowledge has created a shortage of people skilled enough to take on the job.
With more than 300,000 cybersecurity jobs left vacant in the US alone, employers are scrambling to fill positions within their security teams.
But as the relatively young job market continues to expand, one training institute maintains that having a working knowledge of math or technology will only get you so far.
“You don’t have to be a math whizz to be in technology,” Steven Ostrowski, a representative from the US-based Computing Technology Industry Association (CompTIA), told The Daily Swig.
“There’s a bit of a gap between what the job really entails, and what they think it means.”
As the contemporary workplace environment is now increasingly dependent on the web and Internet of Things (IoT) to conduct routine business, there is still a lack of understanding of security issues by both employers and their prospective employees.
This reliance on digitization has heightened an awareness of security too, as the ramifications of major data breaches begin to yield consequences outweighing the economic benefits of a lax security protocol.
“More and more companies are going on the offensive and trying to anticipate problems before they happen so that they can plug any potential leaks or holes in their security defences,” said Ostrowski.
“And so we need people in our industry that understand, for example, the business world, in order to help them use whichever technology fits into what they want to accomplish as a business.
“It’s no longer tech people selling a product or service to another tech person – it’s selling a technology product or service to a business person.”
There are currently 301, 873 available jobs in the US, with larger organizations now hiring their own penetration testers and security analysts to avoid the costly embarrassment of a cyber-attack.
“The security analyst is tasked with constantly monitoring who is on the network, looking for potential vulnerabilities that can be plugged before a hacker finds them,” Ostrowski explained.
“A penetration tester would actually try to hack into a network, to probe for vulnerabilities from the outside.”
The technical expertise required to do these jobs, however, remains much lower than the considerable growth in job surplus, with employer competition equally appearing in other underrepresented areas such as science, technology, engineering, and math (STEM) industries.
To fill roles, organizations such as Ostrowski’s are placing greater emphasis on soft skills, like the ability to communicate or work with a team, in order to form paths into a field far too often misunderstood by the general public.
An entry-level candidate, Ostrowski explained, could be currently working “in a business unit, marketing, or HR” and have the creative know-how to solve problems, or have the verbal and written skills to help simplify complicated subjects.
“It’s easier to lay on the technology skills with someone with these proven skills than vice versa,” he said.
“We’re looking for people that can think on their feet.”
Solving problems on the fly in a diverse range of scenarios are some of the things that made security researcher Paul Johnston a valuable penetration tester for 15 years.
“At the beginning you had to persuade people that they needed security,” he told The Daily Swig. “Now everyone knows that they need it and you have to convince them to buy from you.”
Johnston, 38, began writing security-focused open-source software, which he believes landed him his first role in the world of IT. He first learned to code with his mother.
“We used to sit down with a ZX spectrum and start typing out the programs from a manual before realizing that we could type in whatever we wanted,” he said. “It all expanded from there.”
Knowing what the career options are, and whether that’s right for you, is one of the frontlines to growing the cybersecurity workforce, one that will fall short by 1.8 million jobs globally by 2022, as a study published last year predicted.
But without any natural entry into the area, whether through a parent or career counsellor, these jobs go uknown.
“There is a distinct lack of mentorship in the tech industry,” said Ostrowski.
“Young people, who get to the age where they’re starting to consider career options, don’t have anyone in that mentorship role telling them, ‘Hey why don’t you consider this job in technology? Or you have these types of skills that would fit well there.’”
CompTIA offers certification programs that enable its members to obtain professional accreditation and any number of applicable skills.
The association has just received funding to run Cyber Ready in the UK – a six-month program aimed at people who have the drive, but may not have the time to retrain.
“It’s intended to give people an opportunity to at least see if they’re a good fit for this kind of job,” said Ostrowski.
“Not everyone that goes through the program is going to be trained enough to jump into the workforce, but until you take that first step, and try to get some sort of evaluation of your skill level and knowledge, you just don’t want to just assume that you wouldn’t be able to get the job.”
Only 30 candidates will be selected for Cyber Ready, and while there are many similar schemes and retraining opportunities, building a workforce capacity must also rely on the education of teachers.
The National Initiative for Cybersecurity Education (NICE), led by the National Institute of Standards and Technology (NIST), does just that by creating a framework for educators and employers which outlines the skills and experience needed to recruit, develop, and retain talent.
“From an employer perspective, we have to change the mindset of what makes somebody qualified to do the work,” Rodney Petersen, NICE director, told The Daily Swig.
“Looking at it from an education and training provider side, I think we have the same challenge, which is to get them to modify their approaches to learning, to focus on the student or jobseeker as a learner who needs hands on experiences, both inside and outside of the classroom, and who also needs to make sure that there are work-based learning opportunities for them to apply the knowledge that they obtain, so that employers are actually getting someone qualified.”
Learning on the job and other alternative pathways to technical education have demonstrated that there is no one way to enter a job in security – particularly as diversity in both experience and background proves to be successful time and time again.
“Community colleges are playing a very important role, not only in educating young adults, but also as a retraining opportunity for people who might already have a BA, or might be in the middle of their career, and want to come back to gain the skills in cybersecurity,” said Petersen.
“Increasingly certifications are linked to high school training programs, and cybersecurity apprenticeships are also very up-and-coming, which allows somebody to begin working for an employer while they obtain their education.”
Johnston, who now works as a researcher at PortSwigger Web Security, briefly studied computer science at university. He’s not sure what he would do if he stopped working in IT.
“If you want to work as a pen tester, a degree helps you little,” he said. “But having a degree greatly broadens your career options.”