Understanding the Cybersecurity Workforce Gap
How does the void affect business and government?
The cyber threat landscape continues to expand with no signs of slowing. With ever-evolving sophistication and an increasing number of cyberattacks happening every day, one might expect to see growth in the cybersecurity job market to boost our defenses. Unfortunately, the reality is just the opposite. We’re faced with a widening skills gap in the cyber industry, putting us at greater risk than ever because we don’t have enough people to mitigate, defend and analyze incoming attacks and vulnerabilities. According to recent estimates, we are looking at the possibility of having as many as 3.5 million unfilled cybersecurity positions by 2021.
How did we get here?
It’s hard for businesses to fill many of their IT positions in the face of digital transformation and the ubiquity of web and cloud applications. But advancing technology isn’t the only thing preventing companies from finding and hiring qualified cyber professionals. Larger corporations are typically the ones to snatch up specialized security experts, leaving smaller enterprises to fend for themselves. Another contributing factor is that cybersecurity remains a male-dominated field, with women only making up 14% of the U.S. cybersecurity workforce. There is also a lack of minorities and veterans in the market.
Furthermore, according to an ISC2 study, organizations aren’t able to equip their IT staff with the education and authority to improve their security skill sets. Those that do so turn to traditional off-site course programs. What professionals learn in these courses, however, is obsolete by the time they return to the office — not to mention traditional curricula presentations disengage learners and decrease information retention.
Not only is this impacting companies of all sizes but the government is feeling the pains of the skills gap. The federal government has an especially problematic time filling the ranks due to government pay scales not keeping pace with private sector compensation. A recent report by the Departments of Commerce (DoC) and Homeland Security (DHS) in response to the presidential executive order on strengthening the cybersecurity of federal networks and critical infrastructure states, “The Administration should focus on, and recommend, long-term authorization and sufficient appropriations for high-quality, effective cybersecurity education and workforce development programs in its budget proposals in order to grow and sustain the cybersecurity workforce.”
Closing the Cyber Skills Gap
With a better understanding of why the workforce gap is so large (underrepresentation, compensation, traditional courses and budget constraints), we can figure out how to close it. Enterprises and agencies can take a broad view and consider applicants who possess the intellect, curiosity, motivation and dedication work in this field requires. They can also consider new learning approaches to better engage existing employees in productive skills development.
Diversified Hiring, Soft Skills Wanted
Cybersecurity is known as a field that embraces nontraditional backgrounds. While certifications, degrees and familiarity with certain technologies are important, hiring managers are also prioritizing candidates with strong problem-solving, strategic thinking and communication skills too, knowing they will be able to rapidly acquire the technical abilities needed as they gain experience. The 2017 Global Information Security Workforce (GISW) Study found that 33 percent of cybersecurity executives arrived in the industry via non-technical careers. Hiring managers can also target and encourage more female, minority, military and generally underrepresented applicants to resolve any unrecognized and unintentional bias in hiring practices.
Leveraging AI and Machine Learning
Even considering non-traditional candidates and underrepresented populations to fill these roles, the shortage in cybersecurity professionals won’t shrink at the pace needed any time soon. To complement diversified workforce efforts, many companies are looking to the promise of artificial intelligence (AI) and machine learning to bridge the gap. Human cognition and skill coupled with machine efficiency is a powerhouse solution to addressing today’s cybersecurity challenges. Automation and augmentation play integral roles in closing the workforce gap by providing assistance (and relief) to stressed cybersecurity teams who are stretched thin.
The purpose of AI in cybersecurity is to have a machine rapidly come to as accurate a conclusion as a human would (or better) if given the same data. Without it, a human analyst has a big challenge to parse through reams of log data to assess if there is unusual behavior present. AI techniques, however, promise the ability to autonomously detect unusual behavior, alert the team and escalate the alert to investigators–and this could all be done in a matter of minutes rather than the much longer amount of time it would take a human analyst. Responding at the speed of the threat is the ultimate cyber defense goal, and AI can help us reach that achievement. The hallmark advantage brought by AI is the ability to continue improving as it collects more data, which can be sourced by observing and interacting with human experts. The more it can learn how to imitate intelligent human behavior, the better it can augment and automate tasks like incident response and threat detection for cyber professionals.
Using Cyber Ranges in Schools
Beyond what can be done at the corporate or government levels, teaching cybersecurity skills in academia from a young age will also be a major factor in closing the gap. Universities are under pressure to produce graduates with better security knowledge and applied skills experience. Forward-thinking universities, enterprises and agencies are turning to cyber ranges to help. A cyber range is a virtual environment that provides hands-on learning for cyber warfare skills development. For students to novice professionals to experienced cyber defenders and ethical hackers, cyber ranges deliver access to a wealth of information and training in real-world scenarios that are helping to fortify the workforce of the future. Cyber ranges offer learning solutions that marry traditional classroom concepts with more ‘sticky’ experiential learning techniques.
To conclude, roles in cybersecurity need to be more accessible and attainable if we want to close the workforce gap. To accomplish this, we need to offer lifelong cyber learning programs, utilize non-traditional candidates, and amplify the use of AI and machine learning to support cyber defense effectiveness. If we can start making strides in these areas of cybersecurity readiness and workforce development, enterprise, government and academic institutions will be well poised to beat unauthorized users and better protect their assets and their people.
About Bradley Hayes, Chief Technology Officer at Circadence: With decades of professional experience, Dr. Hayes’ expertise in Artificial Intelligence and Machine Learning supports continual innovation for Circadence’s cyber readiness solutions. Hayes teaches as a professor at the University of Colorado’s Department of Computer Science and serves as the Director of the Collaborative AI and Robotics (CAIRO) Lab. He has in-depth experience developing techniques to build autonomous AI that can learn from and collaborate with humans, making people more efficient and capable during task execution. For more information visit www.circadence.com.