Dark Reading is part of the Informa Tech Division of Informa PLC


5/9/2019
02:30 PM
Tom Weithman
Commentary

How to Close the Critical Cybersecurity Talent Gap

If we don't change our ways, the gap will keep getting worse. Outside-the-box thinking and new techniques are required, and here are a few ways to get started.

Companies are facing an immediate and critical shortage of trained cybersecurity workers at a time when threats of all kinds are on the rise. This shortfall doesn't discriminate based on industry, company size, or geography. When it comes to not having enough cybersecurity talent to keep infrastructure safe, everyone is in the same boat.

Take the Washington, DC, metro region, for example. The area has one of the largest groups of cybersecurity startups in the country, with firms forming to serve both the private sector and government. Yet, according to a recent study conducted by CyberSeek, the area also suffers from some of the highest concentrations of unfilled cybersecurity jobs in the entire nation.

There are several steps that employers in the DC area can take to help mitigate this critical shortfall. And because the problem is not unique to Washington, though it is exaggerated there, those same lessons can be applied across the nation.

Look for Talent in New Places
In the short term, a winning strategy would involve targeting undergraduate and community colleges. Many students are unsure of what they want to do for a career. If students are still early enough in their academic paths, there would be fewer hurdles to jump in terms of taking the necessary classes to graduate with useful cybersecurity degrees. Targeting these students could lead to an increase in available talent for hire. While this won't completely eliminate the problem, an infusion of new talent could slow its progression.

But we can go back even earlier in the talent pipeline. Promoting cybersecurity as part of the K–12 curriculum is critical because this will be a universally needed skill set well into the foreseeable future. Foundational K–12 courses could build up skills children will need to thrive in an increasingly digitally transformed world, and would be helpful regardless of their ultimate career path. For example, classes could take the form of logic and critical-thinking courses, and would shepherd talented students into either college or the often-overshadowed two-year trade schools.

And let's not forget about talented military personnel who are leaving the service. Any members of the military on their way back into civilian life would be grateful to have a good career in cybersecurity or information technology after being discharged. While the military doesn't generally train its IT professionals to do everything that their civilian counterparts do, it does offer all of the fundamentals. That training, combined with the military's characteristic discipline, makes working with veterans and increasing their skills a much easier task in most cases. Mixing in discharged veterans with green students can yield surprisingly strong results in cybersecurity.

Think Outside the Box
Traditional thinking and approaches have not worked, and the cybersecurity talent gap is only getting bigger. It's clear that an out-of-the-box strategy is required. This includes looking at candidates who have similar skill sets and educational backgrounds but who will require some mild to modest retraining. This could include finding individuals with backgrounds in analytics, statistics, and general computer science. Some certifications and classes would likely also be needed, though the payoff would be significant.

A few state and local governments are starting to embrace this kind of thinking. Several states sponsor programs that help place recent graduates with some cybersecurity skills, though not necessarily full degrees, with companies in rural settings, where the shortage of IT professionals is even more acute than in most metropolitan areas. Although those workers may need additional training, getting boots on the ground could make all the difference for places with almost no professional cybersecurity presence.

Creative ideas also could involve incorporating emerging technologies. For example, at-home and distance learning could be used to help train employees on critical cybersecurity skills. Or some of the shortfall in manpower can be mitigated by employing artificial intelligence (AI) platforms to tackle the more rudimentary cybersecurity threats. While AI technology today has a long way to go, when paired with automation and orchestration, it can do a good job eliminating lower-level threats, narrowing the cybersecurity talent gap from the other side by reducing the scope of the problem.

Finally, the use of cloud technology and software-as-a-service (SaaS) offerings for protection can reduce the scope of threats. SaaS allows cybersecurity to be used remotely and as needed, freeing up organizations to concentrate on what they do best and leaving cybersecurity to contracted professionals.

Make Something Happen
Doing the same old things won't solve the cybersecurity talent problem. If we don't change our ways, the problem will keep getting worse. It's clear that novel thinking and new techniques are required.

Bringing in talented professionals from places they are not normally recruited, looking at the problem across all demographics, being willing to spend resources on training employees who have basic cybersecurity knowledge or who seem predisposed to learning it, and tapping into emerging technology to help combat threats using fewer human resources are just some of the ways this problem might be successfully confronted. This field is too important for us not to fix because it touches industry, government, and even individual citizens in increasingly large ways.


Tom Weithman formed CIT GAP Funds in 2005, which has gained national recognition as one of the nation's most active early-stage venture funds and a premier provider of capital to cybersecurity startups. CIT GAP Funds has provided early funding to early-stage cybersecurity ...
Comments
REISEN1955,
User Rank: Ninja
5/13/2019 | 2:22:23 PM
Re: K-12 to close the CyberSecurity gap
This is wonderful and should be encouraged.  Degrees should also be more accessible but that is a tough one because the subject itself is almost impossible to self manage and learn - and most of us do not have a few thousand in change in our pocket for a CIISP degree and course.  We need a better entrance ramp.  And IT itself should get more respect in the C-Suite than outsourcing here and there and hiring young and dumb.  We need to educate a new class of young and smart.  THEN we are making real progress and accept our mature and smart at the same time.  Experience counts heavy on this one. 
TamaraShoe,
User Rank: Apprentice
5/9/2019 | 3:07:21 PM
K-12 to close the CyberSecurity gap
This article was music to my ears. We have been growing the CyberPatriot program across Michigan for the last four years and truly believe these students will fill the talent gap in Cybersec. We went from 20 students the first year to over 700 students playing in an ethical virtual cyberdefense game from Nov-April each year! We are doing all we can to expose these great kids to the many pathways into a cybersec career! Many thanks for this well written article. T