On paper, those interested in a career in cybersecurity should have no problems finding a job or advancing up the ladder. According to various reports, approximately a million cybersecurity jobs are unfilled, and that number is only expected to increase. What’s behind this gap between job availability and people to fill them?
Jim Frey, VP of Product, and Alex Henthorn-Iwane, VP of Product Marketing at Kentik, said the unfilled jobs are a symptom of the long-term computer science skills gap in our country, which begins with the poor level of computer science education in K-12 schools. When it comes to cybersecurity, the situation is worse: Those concepts are simply not taught in K-12, meaning the awareness of cybersecurity as a career path is low.
Then, even though it seems like universities are adding cybersecurity-related majors every year, it is a field of study that lags behind other IT majors, said Paul J. Mocarski, director, Global Information Security with Valspar.
“Reviewing college curriculums will show that not all colleges have cybersecurity programs,” Mocarski said. “However, simply adding programs will not resolve the issue. Colleges that do have cybersecurity programs are often challenged in filling their classes.” That means, he added, that colleges are not producing enough graduates to meet demand.
Clarify what is needed in a cybersecurity position
But perhaps the real roadblock in filling cybersecurity positions and finding enough skilled workers is the confusion around what is needed in those jobs. As Corey Wilburn, security practice manager at DataEndure, pointed out, businesses are still looking for something they can’t find. For example, Wilburn saw an entry-level job advertised that required a CISSP certification – which itself requires experience to obtain – and the ability to perform high-level functions such as penetration testing, developing workflows (often a job duty given to management-level employees), and participation in risk assessments and threat modeling.
“Now, someone with a CISSP should be able to do this; calling it entry level and paying entry level is a bit of a joke,” said Wilburn. “Each one of the tasks I listed above is its own specialization in the realm of security. A mature company seeks to staff according to their needs, and if their needs dictate it, will seek a specialist in each of the fields.”
What an entry-level position advertisement should look like, Wilburn added, would be a call for either an engineer or analyst role. “An engineer role would be primarily accountable for the deployment, integration, and maintenance of technology-based security controls,” he explained. “An analyst, on an incident response or security operations team, would handle the review of data feeds generated by technology-based security controls to track down potential malicious activity within an organization. They would not be responsible for developing and managing information security programs (policies, processes, and procedures, security awareness and training, etc.).”
It appears, then, that one of the first steps in closing the cybersecurity career gap is for decision makers to better understand which security needs they must fill, and whether security is going to be a one-person shop supported by outsourcing or a team effort.
Don’t expect to find a cybersecurity jack-of-all-trades
“There are gaps in all areas of cybersecurity. Application security, security engineering, governance, and identity management all have extensive entry level, senior, and management opportunities,” said Mocarski. While large organizations may provide the opportunity for specialization, expect smaller organizations to require employees to be jacks of all trades.
However, the downfall of expecting employees to be jacks of all trades is the assumption that a person trained in an IT field automatically has security know-how; in practice, he or she is being thrown into a fire they aren’t prepared for. Companies that want to rely on existing IT staff to handle security will need to provide additional training. That training should be specific to the organization’s needs and should cover any compliance regulations required by its industry.
“Larger organizations will have the resources to develop and execute programs of this type internally,” said Mocarski. “Smaller organizations should consider developing a curriculum and partnering with appropriate IT and cybersecurity training providers. Evaluating their own internal resource gaps will allow an organization to tailor their training programs to fill the identified needs.”
All cybersecurity training, whether it is for students going through traditional educational routes or for employees who would like to add security to their skill set, should include the following, according to PK Agarwal, regional dean and CEO of Northeastern University-Silicon Valley:
Be a good communicator
At a roundtable discussion at Northeastern, five of the experts said they had interviewed a candidate for a cybersecurity position who possessed a strong technical understanding of running a cybersecurity operation but who struggled to explain how it worked to someone without a technology background, Agarwal explained. This is a serious problem in a field where explaining cybersecurity threats and the need for good security practices to non-technical audiences is absolutely necessary.
Understand that cybersecurity is not just a technical issue; it’s a human issue
Cybersecurity is more than just a nebulous concept tucked into the deep web, said Agarwal. If you look at the new aspects of cybercrime, they’re just digitized versions of the oldest con in the book: the confidence game. It’s all the same - tricking someone using social engineering, just now through a digital format.
Find the right balance between security and usability
It’s also important to strike a balance between incorporating too many security measures and leaving a system open to attack. Security is a balancing act. You can make things so hard on the end user that they start writing things down on sticky notes and putting them under their keyboard or on their desk. You don’t want to crack down so hard that people can’t remember their passwords, Agarwal added.
“The old way of thinking was that you were either a STEM person or not, but since technology touches so many different areas, we need to expand our thinking and our mind-sets,” Agarwal stated. “Those with the ability to make logical conclusions and analysis have the potential to become security professionals as well.”
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba