Nov. 28, 2018
Earlier this month, CESNA’s colleagues at the FIU-New America Cybersecurity Capacity Building Partnership co-hosted the National Initiative for Cybersecurity Education (NICE) conference in Miami, Florida. For the second year in a row, I was lucky enough to be invited along; our team’s director, Mary Alice McCarthy, gave the keynote speech.
Cybersecurity employment is growing at a staggering rate. From 2016 to 2026, the Bureau of Labor Statistics (BLS) projects a 28 percent increase in the number of people employed as information security analysts (compared with a seven percent average growth rate for all occupations); the online job service ZipRecruiter saw a 40 percent spike in the number of cybersecurity postings from June 2017 to June 2018 alone. With all these openings and sky-high wages (about $46 an hour for analysts, according to BLS), you’d think Americans would be lining up to learn cyber trades. But with between 300,000 and 500,000 cybersecurity job openings in the United States, depending on how you define cybersecurity jobs, and between two and three million vacancies worldwide, it’s clear that cyber has a big workforce problem.
New training options emerge every month, but employers, educational institutions, and federal and state policymakers still struggle to keep pace with the cyber talent shortfall. So on the sidelines of the NICE conference this year, I asked experts looking at different parts of the cyber skills puzzle what makes growing the cybersecurity workforce so tricky.
How can you feel passionate about cybersecurity if you don't really know what it is?
Marrci Conner — Programming, networking, cybersecurity, and digital forensics instructor at Henry Ford College.
A longtime security analyst for Ford Motor Company and a graduate of Michigan’s first cybersecurity master’s program, for 10 years Marrci Conner has taught a full slate of courses at Henry Ford College, a public two-year college in Dearborn, Michigan. “If I were a student coming along now, I would feel totally overwhelmed,” she admits.
Cybersecurity experts develop their skills through a mix of classroom education, on-the-job training, and self-directed learning, often requiring both college degrees and industry certifications. But the difficulty, Conner says, is not just that cybersecurity skills are hard to learn. Across its seven (or eight) occupational domains, cybersecurity work may look completely different from one day to the next—something that’s difficult to anticipate in a traditional college curriculum.
“For me, the goal is to give students lots of different experiences, to make them well-rounded,” says Conner. To do that, she invites industry contacts to provide guest lectures, takes students on field trips to participate in the National Cyber League (a capture-the-flag style competition), and provides workshops for students to learn Perl or Python, two popular programming languages whose dominance in cybersecurity work seems to alternate year-to-year. All of these experiences come together when graduates face their first big challenge as members of the cybersecurity workforce: articulating to prospective employers what they can do.
The first thing you need is awareness—to know what jobs are there and to understand that you can be a part of it. But then if you come asking for an opportunity, you’ve got to have the whole package ready.
David Elcock – Chief diversity officer at Lynx Technology Partners and executive director of the International Consortium of Minority Cybersecurity Professionals (ICMCP)
David Elcock agrees that the biggest challenge for expanding the cybersecurity workforce is communicating to learners what cyber jobs are out there. But as an HR executive for a government-facing cyber risk and compliance firm, and as director of a nonprofit association working to address the longstanding underrepresentation of women and people of color in cyber occupations, Elcock knows that the hardest part of becoming a cyber pro often comes after a training program is complete. Too often, he says, candidates are not ready talk about their abilities to hiring managers.
Elcock’s nonprofit, the ICMCP, works with partners who provide funding for hands-on education in a dedicated virtual training environment. But technical skills alone won’t cut it: ICMCP’s partners also support industry mentorship and soft-skills training. In return for their financial and educational support—and a contractual guarantee that program completers will receive an interview—ICMCP provides its members with a pipeline of aspiring cyber professionals from underrepresented groups who have learned not only how to do cyber work, but also to market themselves and communicate what they know and can do. “It’s almost like algebra,” Elcock says: “you have to be able to explain your work.”
The way you get people to change their attitudes is to get them to emote, to make them feel a certain way about something. It’s no different with cybersecurity jobs.
Sarah Moffat — Enterprise workforce planning and development manager, U.S. federal government
An IT trainer with nearly 15 years of experience, Sarah Moffat has taught government employees how to use everything from Microsoft Office to bespoke software development environments. Now, as a talent manager responsible for keeping up the cyber skills of more than 4,000 IT specialists across one of the largest federal civilian agencies, Moffat often emphasizes the importance of storytelling.
“People don’t know the stories of cybersecurity professionals—it’s not like being a firefighter or a doctor,” she says. But powerful stories are out there. As an example, she brings up one of the most jarring humanitarian crises in recent American history: the separation of nearly 3,000 migrant children from their families at the U.S.–Mexico border.
Ensuring these children’s safety while reuniting them with their families is a massive undertaking, and information security is an important part of the puzzle. “It may be that I’m just setting up a database or a network,” Moffat says, “but if I’m connecting kids to their parents, helping rejoin them to their families, then that’s something else, that’s meaningful work.”
Cybersecurity doesn’t just require software engineers. We need lawyers, we need humanists, we need business people, we need everybody at the table.
Lisa Ho — Academic director, Cybersecurity Program at the University of California School of Information
As director of a new cybersecurity master’s program that aims to draw in students from a variety of different backgrounds, Lisa Ho knows the difficulty of designing a single curriculum to prepare students for the different work roles required to address the huge array of cyber threats in the world today. “People don’t usually have the same fundamental understanding coming into a given class, but we need to teach them the same capabilities and have them come out the end with a real cyber degree.”
That takes an orientation that is both forward-thinking and human-centered, says Ho: “We encourage students to think about the people whose work goes on within the technology.” The challenges of designing a comprehensive, interdisciplinary cyber curriculum to prepare students for a broad range of career paths will be worth it in the long run, she says. “We’re not trying to train people for the jobs they want to do right now, but for the jobs they may have to do 10 years from now.”
Cybersecurity workforce development isn’t really about making people rich. It’s about making sure we have a future for our kids and grandkids, because until we’ve got enough people trained and aware and cognizant, we’re at risk.
Richard Hanson — Dean, Beacom College of Computing and Cyber Sciences at Dakota State University (DSU)
As key partners in a statewide, multi-sector initiative called the South Dakota Partnership for Student Success (SDPaSS), Richard Hanson and his colleagues at DSU are used to thinking creatively about cyber workforce training. Degrees, industry certifications, and apprenticeship are all facets of the new project, which launched this fall. “It’s been about getting all these different agencies, workgroups, and people to find the money, frankly, to stretch a little and do something that’s really out of the box.”
To make the case in other states and regions for new projects like SDPaSS, Hanson says, we need to look to the next big shifts in technology. “We’ve built the program on K-12 immersion, and really teaching the basics to the kids, because our future lies in artificial intelligence and machine learning—the fact that computers and robots are increasingly going to make decisions for us,” he says. “Artificial intelligence is going to exacerbate the gap between haves and have-nots if we don’t have people trained to stay on top of it.”
Cyber threats are constantly evolving, and as we live more and more of our lives online they're becoming ever more dangerous. For people who have never done cybersecurity work, it can be hard to understand what cyber jobs entail, let alone how to develop the mix of technical know-how, soft skills, and adaptability needed across the cybersecurity ecosystem. Scaling up our cyber workforce isn't impossible, though. With rigorous, affordable, and accessible training options—and a better mainstream awareness of the real stories of cybersecurity professionals—many more Americans can find stimulating and well-paid work protecting our communities online.
For more cybersecurity stories, visit the Humans of Cybersecurity blog published by New America's Cybersecurity Initiative. Also, check out Laura Bate's recent cybersecurity workforce development primer, and explore the growth of the cyber apprenticeship model with our Cybersecurity Apprenticeships Tracker, a joint project of CESNA and the FIU-New America C2B Partnership.