Cybersecurity Workforce Development: Real or Imagined Problem?

Yesterday DHS and the Commerce Department released their most recent workforce report “Supporting the Growth and Sustainment of the Nation’s Cybersecurity Workforce”.  The report was commissioned by the Trump administration in May 2017.  Having studied this issue from roles in academia, private industry and government, I thought I would share my thoughts on the report.

Overall, I thought it does a good job and provides good ideas for improvement.  I have always had a bone to pick with reports of astronomical cybersecurity job shortages.  The “Cybersecurity Workforce” report states that there are 299,000 active openings for US cyber-related jobs.  OK, but when I search (cybersecurity + cyber security) on www.indeed.com I find a total of 53,007 jobs.  Somehow 82% of the jobs are not found on Indeed.  Where are they?  The DHS/Commerce report does acknowledge that we really don’t know how many jobs are open and exactly what industry and government need.  What is the cybersecurity workforce and where does it need to be?  This industry is changing so fast that answering that question may be difficult.  I see MSSPs and cloud security services both growing very fast; this will reduce the overall numerical demand.

The report highlights the need for cross-training.  I have long thought that more security roles need to move into the business.  There are people in those domains that have a good security aptitude and, with some security training, can be extremely effective.  90% of their effectiveness would be just knowing the business domain.  At the same time, report findings note that “employers increasingly are concerned about the relevance of cybersecurity-related education programs in meeting the needs of their organizations.”  Later in the report, mention is made of educational programs that focus on technical skills without including the many nontechnical skills needed to implement a security program.  That is one of the gaps being identified.

Two other good points include the emphasis on apprenticeships and on certificate programs for cross-disciplinary education.  Every type of career training can benefit from apprenticeships or internships.  Why is this more important for security education?  For one thing, security must be holistic.  There can be only a very few people who are individual contributors.  Certificate programs for individuals like project managers, business analysts and contingency planners would greatly improve the uptake of security in an organization.

Another very good point brought up relates to career paths.  What is the cybersecurity professional’s career path?  Especially as more workloads move to the cloud and more AI is introduced into SOCs, what will the career path be?  My recommendation is to define security education more around risk management, covering both information risks and technology risks.  A more comprehensive definition at the beginning will permit continued specialization and redirection later.  In this way, professionals can expect to be part of any business initiative, all of which will need risk management.  Today, almost all business initiatives include information risks.  Since employers also want new hires to have immediately usable skills, such education must also include specialized training in at least one security technical area.

Frederick Scholl

Frederick Scholl is an accomplished Global Senior Information Security Risk Manager. Dr. Scholl earned a BS and Ph.D. in Electrical Engineering from Cornell University. In 1991, Fred founded Monarch Information Networks, LLC to enable forward-thinking organizations to protect their information. Previously, he co-founded Codenoll Technology Corporation (NASDAQ: CODN). He chaired the IEEE committee that wrote the first standard for Ethernet communication over fiber optic links, now used world-wide.
