The race to build a cyber workforce
Organizations around the globe are scrambling to train and educate digital defenders.
This article is part of a special CXO Report on the cybersecurity talent pipeline. Read the entire report.
Secureworks can’t hire cybersecurity pros fast enough. The Atlanta-based firm that helps 4,400 companies worldwide fend off cyberattacks has about 140 openings at more than a dozen locations globally. Yet filling those positions has become a grueling — and often impossible — task. The company goes through 12 to 32 interviews just to fill a single analyst position, and the time it takes to find the right candidate continues to lengthen, says Terry McGraw, vice president of global cyberthreat analysis for Secureworks.
Secureworks isn’t alone. Companies across the globe are struggling to find qualified cybersecurity professionals to help fend off attacks, secure their software and connected devices, protect their data, and lock down intellectual property. According to the latest data available from the job-market information firm Burning Glass Technologies, there were about 286,000 U.S. job postings for cybersecurity workers from September 2016 to September 2017. And companies are competing fiercely to fill those positions in a market where talent with the most sought-after skills can earn as much as $380,000 a year.
“We have clients that have turned over their entire security staff four times in three years,” McGraw says. “Some of that is the [corporate] environment, but a lot of it is the nature of the beast. There is a lot of external market pressure of companies paying a lot of dollars for workers with a demonstrable skill set in cybersecurity.”
The shortage in cybersecurity workers is a global problem, one that comes as companies are struggling to act in the face of increasingly widespread and costly data breaches. High salaries — which, for example, rose 8.4 percent to 10.5 percent last year in the U.K., compared to the national average of 2.7 percent, according to recruitment firm Hays — make keeping experienced cybersecurity people difficult. The average salary in the United States for a cybersecurity worker in the one of the top-10 most sought-after positions is $105,000, according to an analysis of data from online jobs board Indeed.com.
The market for cybersecurity professionals — especially the most technical workers — has the frenetic dynamic of a run on plywood or generators before the landfall of a massive hurricane. With numerous examples of data breaches wreaking havoc at companies, demand for cybersecurity workers and better solutions is skyrocketing. According an oft-quoted figure from consultants Frost & Sullivan, there will be a 1.8 million-worker shortage in cybersecurity globally by 2022.
“Whatever numbers that you believe, the demand side of cybersecurity far outstrips what we know as supply. This is a critical issue,” says Corby Hovis, cybersecurity program director for the Advanced Technological Education program at the National Science Foundation, which has invested significant funds into boosting the number of students in cybersecurity and other technical disciplines.
More than a quarter of companies are unable to find qualified cybersecurity professionals to fill necessary positions, according to Information Systems Audit and Control Association (ISACA), a nonprofit industry group. More than half of all companies require three to six months to fill cybersecurity positions and are finding that only a minority of candidates are qualified, according to ISACA’s State of Cybersecurity 2017 report that surveyed managers from companies in the U.S. and Europe.
For graduates seeking cybersecurity jobs, however, the burgeoning demand has meant increasing opportunities. The promise of money has attracted more potential people, but many do not have the right skills. The problem is not too few candidates — everyone seems ready to jump into cybersecurity these days — but a lack of qualified people, says Secureworks’ McGraw. About 80 percent of new hires are recent computer science graduates, while the other 20 percent are “reinventors,” he says, meaning people who switched careers. “The school systems in the U.S. just are not producing qualified candidates with the right mix of skills,” he says. “The industry needs practitioners not generalists.”
Schools that are doing it right by integrating practical experience with classroom study are seeing their students get recruited months before graduation. At Northeastern University, for example, students regularly come back from their co-op experiences with an offer letter for a job, says Themis Papageorge, associate clinical professor of computer and information science and the director of cybersecurity and information assurance employer relations.
“There is no one who does not get a job,” he says. “In many cases, they have multiple offers. … Sometimes international students come back from their co-op with an H1-B visa stapled to an offer letter, and they say they are ready to go. And I say, ‘Where are you going? You still have another semester with the program here.’”
Can universities meet cybersecurity needs?
Colleges and universities are a major source of new workers for the cybersecurity sector, but it’ll take many years for academia to catch up with current demand. While more than 140,000 students will likely graduate with associate, bachelor’s, master’s, and doctoral degrees in computer and information science in the United States, more than three-fourths would have to take jobs in cybersecurity to accommodate the current shortfall, according to an analysis of data from the National Center for Education Statistics. Only a small, but currently unknown, fraction take an interest in computer security.
Another problem for companies: Many of these new graduates don’t have hands-on experience. If higher education is to help mitigate the shortfall in the long term, it will have to change its studies to meet corporate requirements.
Already, universities and colleges in the U.S. and abroad are scrambling to improve their programs or launch new initiatives that offer more practical knowledge as well as focused degrees in cybersecurity. Georgia Institute of Technology, Johns Hopkins University, Northeastern University, Northwestern University, Rochester Institute of Technology, and University of Alabama are all doubling down on cybersecurity. Community and technical colleges such as Gwinnett Tech in Georgia are beginning to focus on training strong candidates for security analyst positions.
Certification programs, especially those that highlight practical and technical skill sets, are becoming a factor in deciding who gets hired. While certifications often lag behind a verifiable hands-on portfolio and formal education in terms of requirements for hiring a worker, the lack of certification is the second most cited reason for not hiring a worker, according to ISACA’s State of Cybersecurity 2017 report.
“In a lot of ways, cybersecurity — the technical disciplines — is white-collar work that needs to be trained like blue-collar jobs,” says Secureworks’ McGraw, arguing that apprenticeships, hands-on experience, and a proven track record are more important than a formal education.
Companies need to develop their own programs for seeking out and attracting potential workers, say experts. Hackathons and community outreach efforts are essential for getting young people interested in the field, says John McCumber, director of cybersecurity advocacy for cybersecurity certification body (ISC)². “I really think companies need to think about having a pipeline,” he says. “This is a matter of ensuring that you have effective personnel or staff and get them into the system.”
The value of retraining enthusiastic workers
While Secureworks sees the majority of its hires coming from students straight out of school, people making a midlife career change are also a significant category. Former IT workers, military service members, and police officers are most common, says McGraw. Nontechnical workers have made the switch, too. “We even have a few chefs,” he says. “People who woke up one morning and said, ‘I want to do something different, but just as challenging, with my life.’”
The people who reinvent themselves often bring more desire and maturity, he says. “Self-taught, self-motivated folks who have jobs that were more difficult or more physically and mentally demanding tend to do better, because they are motivated to do so.”
Increasingly, organizations are finding that the workers who perform best are not the ones with the best certifications or the degree from a top-tier college, but those who are the most enthusiastic to learn. Give them a year and interesting work, and they will be experienced enough to be looking for a new job, says Dan Basile, security operations center director at Texas A&M University System. “Rather than one person with loads of experience, I hire someone who is really enthused,” he says. “And I might not hire one; I will hire five for the same cost. Give people the ability to learn and move in a way that allows them to be excited and grow their potential.”
Businesses that do not think about keeping their employees motivated and interested will have to deal with high attrition rates, especially with the demand for cybersecurity professionals skyrocketing. The average analyst starts looking for something new after a year, and often will not last more than three years, before wanting to move onto different pastures, says McGraw. “If you are asking someone to stare at a screen eight to 10 hours a day in your environment, that gets pretty tedious pretty quickly,” he says. “If there is not a career path to energize them, what we find is — in about 12 or 18 months — someone who is a frontline analyst is going to pop their head up and ask, ‘What’s next?’”
What artificial intelligence means for cybersecurity
Finding a solution to the shortfall in cybersecurity workers is not just about boosting the supply of qualified candidates. Some of the cybersecurity shortfall could be solved by reducing the need for humans by increasing focus on analyzing security data with automated systems. As machines get increasingly smart, they are also becoming much more adept at finding computer vulnerabilities and defending against cyberattacks. That’s good news for companies with small security teams. “Technology is critically important to a small team trying to handle security,” says Clark Flannery, director of IT infrastructure at KEEN Footwear and its parent company, Fuerst Group, Inc. “Finding the right tools at different layers that enhance, but don’t overwhelm, a small team is my goal. Even if not all of the data can be monitored and addressed in real time, the hope is to have it available if or when a deeper forensic dive is needed — presumably by external resources brought in for that engagement.”
For cybersecurity companies such as Secureworks, artificial intelligence software is already helping to ease the workload for overburdened security analysts. AI is reducing the number of alerts that human analysts need to process by 43 percent. PatternX, a cybersecurity firm relying on machine intelligence, boasts that its system can eliminate 90 percent of the false alerts before they get to a human analyst.
Other security operations centers have seen similar benefits. The right tools can help security pros spot the most critical threats, says Basile of Texas A&M. But, at least when it comes to cybersecurity, he says artificial intelligence won’t take over analysis and response. “It gets them more productive, more quickly. It’s not a replacement for manpower: Rather than digging through 50 alerts, you are looking at five.”
But automation has its limits. Machines have problems discerning threats such as social engineering — when attackers attempt to fool human victims into giving up critical information or access to their system. That type of attack remains the biggest worry for most companies, KEEN’s Flannery says. “I don’t think you can fully ‘tech’ your way around it, but I do think tech can remove a few of the sharper edges in the challenge to protect users from themselves.”
Yet tools are only one way to ease demand in cybersecurity. Despite the almost daily drumbeat of news about data breaches and the rush to train more professionals to fend off cybersecurity attacks, it’s unrealistic to expect every small or midsized business to build up its own security team, say experts. “While we run into a lot of people who say they want to hire [cybersecurity workers], there are a lot who don’t know even where to start,” says Bruce Potter, chief information security officer for Expel, a cybersecurity vendor based in suburban Washington, D.C. “I have heard over and over again people saying, ‘I have anti-virus. I have a firewall. But I have no one to manage either one.’”
The shortfall ultimately puts companies into an untenable position. Do they pay high sums for a candidate who may not even have all the qualifications? Do they retrain interested IT workers? Or do they try to make up for the gap in their security program with services and better tools? The answers to those questions depend on the company. One certainty, however, is that a greater attention to security is a necessity for every company, and something that’s especially the case for business leaders, says Potter. Because of the dramatic fallout from high-profile breaches at such companies as Target and Equifax, executives know that their jobs could be on the line in the event of a breach.
“Six or seven years ago, if you went to the board and told them nation-state adversaries were in the network and eating their lunch, they would have ignored you,” Potter says. “Now, either the CISO is on the board or reports to a board member.” The result will be a push for companies to be smarter about security, and a motivation to innovate. A more educated and skilled workforce will be part of that, but just adding people will not be the ultimate solution, he says. “Will we still be running around with our hair on fire, yelling that we need more headcount? I just don’t know.”
