The term “cybersecurity skills shortage” has now become so commonplace that it’s now a cliché, devoid of any real meaning without context. Still, the numbers are so daunting that they must continue to be told:
- Cybersecurity job openings will reach 5 million globally by 2021.
- Fewer than a third of global organizations have what they consider to be the right amount of cybersecurity staffing.
- The gap between job openings and qualified candidates to fill cybersecurity-specific positions is now a canyon, and most organizations claim they have a “problematic shortage of cybersecurity skills.”
Organizations are taking a variety of steps to fill the void, from adopting new automation tools and utilizing machine learning algorithms to re-tasking non-technical professionals already on staff to transition into cybersecurity. But as threat vectors expand due to a variety of reasons—connected things, greater collaboration among cyber-thieves, cheap and easy availability of hacking tools—organizations need more help than ever.
That’s where colleges, universities, vocational schools, industry associations, and cybersecurity academies play an increasingly critical and central role. Higher-education facilities are churning out more graduates each year with computer science and related degrees, and many of those graduates are now specializing in cybersecurity. But, cybersecurity is unlike most other college majors; after all, the study of the Holy Roman Empire or George Washington Carver’s botanical discoveries haven’t changed very much in recent decades.
Not so with cybersecurity, where the rules change every minute of every hour of every day. “Cybersecurity constantly needs to be revamped, and your educational approaches have to be re-validated all the time,” according to Chris Miller, lecturer and program manager for security at The Manchester College, a U.K.-based “further education” college that is the largest of its kind in Europe. Miller notes that traditional computer science degrees no longer meet the needs of employers in both the private and public sectors. “A generic computing degree, perhaps with a specialist module in cybersecurity, is not what employers want,” he said.
Ensuring that university curricula for cybersecurity meets the needs of potential employers is critical to closing the cybersecurity jobs gap because employers need candidates to have real-world skill sets, and not just technical skills. That’s where partnerships between universities, private-sector employers, and the cybersecurity vendor community are essential,” said Steve Jones, professor for information and communications sciences at Ball State University. “Our placement rate over a 30-year period has exceeded 90%, even during economic downturns, and that’s because we ensure that our students get real, hands-on experience in cybersecurity. That comes from our partnerships with vendors like Palo Alto Networks and their Cybersecurity Academy. “With our vendor partnerships, our students get cutting-edge content not created in a classroom environment,” according to Jones. “When my Palo Alto Networks expert is talking about WildFire, for instance, and showing them how it really works,” I’ve got drool running down the side of my mouth. It’s just awesome.”
These and other partnerships, with both vendors and private-industry employers looking to hire new cybersecurity analysts, are necessary because there is just too much content for universities alone to develop and deliver.
“Cybersecurity has a very broad scope and it’s also very deep as a discipline, with a lot of ground to cover,” according to Low Ee Mien, senior lecturer at Singapore’s Republic Polytechnic. “It’s impossible for us to cover everything on our own as we have to be very selective in what we can cover in the Diploma in Infocomm Security Management programme that we offer. As such, we collaborate with industry partners in areas such as curriculum development, internships, and in setting up joint cybersecurity labs to give students a solid grounding in this field.”
Additionally, vendor-agnostic industry associations such as the SANS Institute and the Computing and Technology Industry Association have jumped in with cybersecurity certification programs designed to act as foundation-level competency benchmarks for cybersecurity, allowing vendors to build more specialized and targeted certification training and validation.
But universities and academies also have taken the recommendations from potential employers that they need students who have developed “soft,” non-technical skills. “Our teaching has to have a practical angle to it, because organization need security professionals who can present information clearly and in a compelling manner, or with good research and report development capabilities,” said Miller. “Many students, even so-called ‘millenials’ who have grown up with substantial exposure to technology, lack expertise in areas such as social engineering. We do controlled-environment exercises with them, and many of them still give away user names and passwords. Their educational experience helps them understand how to spot and avoid potential problems like those.”
Jones also noted that more and more of their cybersecurity candidates are coming from non-technical fields, often after trying to land jobs in non-technical fields after pursing majors in such areas as journalism, criminal justice, or psychology. “They might come to us as a frustrated barista, and they leave us as a network security engineer,” he said. “That can be very attractive to employers, because non-IT majors bring to the table human networking skills, where they can actually talk to other human beings with good eye contact and interpersonal skills.
“We want our students to get jobs, and that means we put a lot of ‘buff’ on them to make them appear more professional to potential employers. Students don’t wear holey jeans in our labs, and they’re not wearing baseball caps in my class. If a senior executive comes to our department and talks to our students, I want our candidates to have an elevator pitch as to why they should be hired at Eli Lilly or John Deere or any other major organization’s cybersecurity organization.”