What It Takes To Train The Cybersecurity Workforce

Joanne Cheng, Rethink Education
Dec 16, 2020

Can Edtech respond to the challenge ahead?


We are going through a cybersecurity workforce crisis.

How we protect our data is more important than ever. Just this past weekend, news broke that highly-sophisticated hackers breached the defenses of publicly-traded cybersecurity firm, FireEye, implanting malware that “targeted and compromised ‘high-value targets, both government and commercial entities’”, including the U.S. Treasury and Commerce departments. Cyber crime damages will cost the world $10.5 trillion annually by 2025 and spending on cybersecurity is expected to exceed $170 billion by 2022. However, beyond just buying technology to combat threats, we must also invest in the people and talent who can actually deploy these tools effectively.

The problem is that we don’t have enough cyber talent. The cyber workforce gap is estimated to be 3.1 million globally: 3.1 million workers that we need right now that we don’t have.

At the same time, I have been hearing cybersecurity pop up a lot in edtech venture, especially when venture investors talk about pathways for reskilling into cyber careers (especially now with the huge labor market dislocation caused by COVID-19). Since cyber has one of the most pronounced workforce skills gaps, great job security (0% unemployment rate), and an average salary of nearly $90,000 (in the U.S.), you would expect a lot of people to be entering the cyber workforce. So why is there still such a huge gap between cyber talent supply and demand?

The answer, as usual, is a mix of complex issues. What I keep hearing from cyber professionals, at the root of it, is that employers and Higher Ed/training providers still do not have a sufficiently effective shared language or lexicon around how to describe cyber skills, roles, and responsibilities (in spite of established frameworks such as the NICE Framework). To further exacerbate matters, the lexicon is constantly evolving given how quickly the cyber industry is advancing. How can Higher Ed & Workforce solutions train the new generation of cyber talent when it is hard to keep up with the skills employers are looking for? On the flip side of the coin, employers too have a hard time locating the right cyber skills and talent (when in fact great candidates may be hiding in plain sight) and candidates struggle to enter and progress in the cyber industry.

So what does it take to close the talent gap and train the much-needed cyber workforce? And what role can Edtech play?

Today, there are many organizations that focus on training content and certifications. However, there are structural issues underlying the cyber workforce skills gap that continue to call for innovative solutions. From talking to CISOs (Chief Information Security Officers) and cyber workforce training specialists, I share thoughts on what is needed for (1) reskilling: filling the talent gap, and (2) upskilling: training existing cyber professionals.

What it takes to get hired in cyber: A Degree, Certifications & Work Experience.

Our portfolio company Burning Glass has compiled detailed data-based evidence on cyber hiring: right now, it takes the trifecta of a degree, certifications, and work experience to get a job in cybersecurity. This is a pretty high bar and clearly creates structural barriers to cyber job pathways. Meanwhile, employers are desperate to find great cyber talent, which raises the question: why do employers look for all of these qualities in the first place?

[Chart: Burning Glass]

The degree.

88% of cybersecurity job postings require at least a Bachelor’s degree. One CISO put it elegantly: cybersecurity is a “hybrid job”, requiring technical and domain knowledge but also importantly, an understanding of the human issues in business. It has significantly more soft/power skills requirements than IT: critical thinking and problem-solving, how to pre-empt threats, speaking across the business, and project management skills. CISOs prioritize hiring for these power skills over technical skills because they are harder to train for, and therefore tend to hire based on degrees as a signal of these “intangible” qualities.

Certifications.

Certifications are a key part of cybersecurity careers, but many believe that some certifications such as CISSP are actually “far more useful in getting a job than doing a job”. Historically, employers have overburdened job postings with certifications, creating labor market inefficiencies (there are more job postings requiring certifications than there are people certified). Because of the lack of a common lexicon for describing cyber skills and roles, technical team members (i.e. CISOs) end up having a hard time communicating to HR hiring managers exactly which skills they need to hire for. Thus, certifications have become a standard way to screen candidates based on keywords in the ATS (Applicant Tracking System), a filtering method that is convenient in the short term but burdensome in the long term. In reality, a job may only need a select few skills rather than the whole certification. While credential attainment is fantastic for the job seeker’s marketability and career advancement (in the U.S., a certification can increase salaries by 20%+), for CISOs, “the certification is hardly the linchpin for getting hired; it will only get your foot in the door”. They will still want to test for competency.

Job experience.

This is the classic work experience chicken-and-egg problem. Cyber hiring managers greatly prioritize job experience, with 85% of cybersecurity job postings requiring 3+ years of cyber work experience. Currently, a good (but long) pathway is for candidates to begin building experience in IT/tech jobs in “cyber-adjacent” roles and then transition into a “cyber-core” role.

Where Edtech Can Help

Re-imagining the cyber bootcamp into “cyber apprenticeships”.

There are a number of cyber bootcamps today, and what could be truly powerful for cyber is re-imagining that model into an apprenticeship or work-integrated learning model to tackle the “cyber trifecta” problem. In addition to the technical skills that more traditional bootcamps confer, we need to provide students with opportunities to work on real-world projects, develop their soft and power skills in the context of a team, and better understand what it means to be a cyber professional (day one on the job is not super-hacking!). This model can provide work experience and a certification, and help overcome the degree hurdle, by allowing employers to observe (and help train) a potential hire’s power skills on the job. It also helps with career navigation: cyber careers are constantly evolving and tricky to navigate, which may be intimidating to new entrants. Ultimately, we need more solutions with great awareness of employer needs and a focus on actual job placement. There are already startups in edtech innovating around work-integrated learning models (not specific to cyber) that are focused on integration with employers and/or Higher Ed institutions, such as Forage, Paragon One, Parker Dewey, Student Opportunity Center, and WhiteHat.

Competency-based assessments.

A skills-based assessment tool could help employers better identify cyber talent without over-relying on certifications. While there are some performance-based tests out there (e.g., virtual battlefield simulators), usually developed by the armed forces, there are few players in this space, especially ones with inexpensive offerings that enterprises could easily purchase and adopt in a widespread way.

I am reminded of an interesting model by one of our portfolio companies, Correlation One, which has developed a sophisticated competency-based data science assessment platform based on collecting a pool of performance indicator data from the many data science hackathons, or “datathons”, that they host. Employers have flocked to this solution because it is similarly hard to not only measure great data science talent but also find diverse candidates that don’t check the traditional boxes. It would be intriguing to apply the same model to cyber, where candidates could showcase their skills, critical thinking, teamwork, and creativity while battling in cyber range simulations, with data collection fueling a true, efficacious skills-based assessment that overcomes degree-filtering or perhaps even an expensive certification test. Also, gamers make great cyber candidates so a game-based simulation is an intriguing idea, especially for exposing young learners to cyber careers earlier on.

(It is important to note that there is regulation in the U.S. around hiring assessments. Assessments can be one aspect of the hiring process but cannot be the sole reason for hiring, and should be tested for validity to prove no “adverse impact” to any populations.)

Soft/power skill assessments.

A soft skills assessment and training solution can overcome the burdensome degree signal. However, there is a lack of inexpensive, effective solutions for soft skills broadly, not only in cyber.

One of our portfolio companies, Imbellus (recently acquired by Roblox), has done interesting work here. With a sophisticated game-based assessment adopted by McKinsey, Imbellus brings candidates into a virtual simulation of the natural world where they solve a problem such as protecting native plants against invasive species. Imbellus can then measure qualities such as critical thinking, decision-making and meta-cognition by tracking every mouse movement, action and the time spent on solving the challenge. Are there similarly effective solutions that can be developed for cyber for widespread distribution?

Structural workforce planning solution based on skills mapping.

[Chart: Emsi]

Build, don’t buy, cyber talent. It is hard and expensive to hire a great candidate in a high demand market. For a large employer, the better solution may be to build cyber skills capacity internally. Burning Glass and EMSI have both written research advocating for this strategy and elevating which career fields transition well into cybersecurity roles.

What we need is a broad talent platform that can track skills, identify the right candidates that could transition into cyber based on known pathways, map with specificity which additional skills they need, and provide the targeted training to help them get there.

While it may take years to develop the educational apparatus you would need in-house to manage talent and skills for the whole organization, there are tech solutions tackling this problem. Our portfolio company Degreed (along with others such as Faethm and SkyHive, part of an emerging category of skills-based workforce planning platforms) already manages and recommends learning across the organization, with an internal mobility function to navigate role transitions. A data analytics company such as Burning Glass can further provide the underlying granular data around skills mapping and development.

Cyber career pathway navigation tools.

Career navigation seems to be trickier than usual in the cyber industry. Navigating entry into and progression in cyber careers is complex, especially given the large number of certifying bodies and certification options to choose from. Initiatives such as CyberSeek and My Cyber Path have begun elucidating the career pathway so it is less daunting for candidates to enter the cyber workforce.

The skills that cyber professionals need continue to grow more complex, with 93% of cybersecurity professionals expressing a need to keep up their skills. There are a number of enterprise training solutions out there — what kinds of solutions will gain traction and successfully scale to impact learning for the cyber community? Below are a few key takeaways from my conversations with CISOs and cyber training providers on what employers are looking for when buying cyber training for their teams:

Relevant & large library of training content.

No two cyber organizations are the same. The same cyber role in insurance vs. banking can look very different and require diverging skills and training based on the sector, situation, and needs. CISOs want a training solution that is highly relevant to their business. The specialized nature of the training is why, by default, a lot of cybersecurity training has been developed in-house in the past, but an outside vendor has the potential to bring much more effective, well-designed, and engaging content. In addition, CISOs find it hard to develop effective training on new cybersecurity threats and would be interested in a company that could take the latest emerging cyber risks and immediately develop training on them.

Simulation / practical learning is a must-have.

CISOs greatly value hands-on practice simulations in cyber. Because great cyber range training and simulations do not seem easy to develop, this appears to be a critical differentiating factor between cyber training vendors and key to defensibility.

System of record to track skills.

CISOs have expressed interest in a way to track the skills progression of a team over time and have the technology automatically generate training recommendations for newly identified skills gaps. This can be built into a broader talent/learning platform, as mentioned above.

Dashboard demonstrating ROI.

While this idea seems simple, the truth is that many C-level executives struggle to understand cybersecurity well and are not sure how to improve the cybersecurity of their organizations. In order to sell into enterprises and gain C-suite buy-in, a cyber training platform should clearly demonstrate ROI to senior management and help the CISO communicate the value of investing in cyber training to the rest of their team.

If you have additional thoughts or insights to add, or if you are a founder building solutions to the above challenges, we’d love to hear from you! Please reach out at jcheng@rteducation.com.

Finally, a big thank you to the cyber professionals who kindly lent their time to chat with me about this fascinating space!

This material is for general informational purposes only and is not intended as investment advice, as an offer or solicitation of an offer to sell or buy, or as an endorsement, recommendation, or sponsorship of any company, security, advisory service, or product. This information should not be used as the sole basis for investment decisions. All content is presented as of the date published or indicated only, and may be superseded by subsequent market events or for other reasons. Past performance is no guarantee of future results. Investing involves risk including the loss of principal and fluctuation of value.
