Addressing the Information Security Skills Gap in Partnership With Academia

The cybersecurity industry is booming — but there aren’t enough skilled workers to go around. “More than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74 percent over the past five years,” stated a Peninsula Press analysis of the data published by the U.S. Bureau of Labor Statistics (BLS).

Faced with an ongoing skills gap in information security, the security industry has become adept at finding its next hires by stealing them from a competitor or from federal or state agencies. While those in the field and in human resources are acutely aware of the need for talent, the message hasn’t traveled upstream to the source of that future talent — that is, students, parents, educators and career counselors.

Lack of Fast Solutions to the Skills Gap Issue

Few could have predicted the dire need for people in information security today. While higher education has responded by adding courses and degree programs aimed at placing people in information security, there are still fewer people in the pipeline than what is currently needed and, just as importantly, far fewer than are projected to be needed in the future. BLS data, which currently only tracks information security analysts, shows a growth potential pegged at 37 percent, which is “much faster than average.”

Part of the problem stems from the lack of information about careers in information security. This issue traces its roots all the way down to parents and school counselors not knowing about the full range of opportunities, or at best reducing the field to going to hacking school. Often, parents and students are told that the only way is to go through a traditional computer science program or a networking program, then switch into security. This may have been the reality 10 years ago, but it’s no longer the case: An increasing number of schools are offering graduate and even undergraduate courses feeding directly into information security careers.

As awareness of these career opportunities increases, so, too, are the number of students choosing to declare majors directly in those areas. There are many strong programs in cybersecurity across the U.S. However, traditional paths toward a four-year degree program will, by definition, only bear fruit years from now when students have graduated with their degrees in hand.

Going Closer to the Source

To alleviate the shortage of people, companies such as IBM have come up with worthy outside-the-box ideas. One such idea was announced back in 2010 when IBM teamed up with the City University of New York to create P-TECH, “a computer science-focused school in the city that spans from grade 9 to 14.” By the time students graduate from this special program, they would have an associate degree in hand. In June 2015, the partnership celebrated the first students to have completed the P-TECH program.

However, traditional schooling and the P-TECH program are unable to have an immediate impact on the supply chain of those with information security talent. There are a few other concepts to keep in mind when considering how your organization will address this skills gap.

Shortage Versus Retention

As the opportunities for switching jobs and signing on for more money abound in the field, companies should take another look at how well they are able to retain their existing security talent.

“If you wait until a valued employee’s exit interview to find out why he or she decided to move on, you’ve missed out on keeping a productive member of your team,” a CIO article pointed out. Recruit the right people (job hoppers are usually easy to spot on a resume), provide opportunities for continuing education and professional development and set a clear path for advancement.

Cross-Training

Another possible option is for companies to leverage their existing workforce and transition, or cross-train, that workforce into taking a greater cybersecurity role. CSO Online recently highlighted the Herjavec Group, which did just that.

However, cross-training does not ultimately solve the skills gap. Instead, it shifts it from having to fill cybersecurity positions to having to fill broader IT-related positions (e.g., those that were pilfered to cross-train your existing workforce).

Consortia

Another approach worth mentioning is that of cybersecurity consortia. Cybersecurity consortia have increased in popularity due to their ability to be more nimble than their pure academic counterparts, both from a financial standpoint and from the perspective of cutting through the red tape to make things happen. Consortia, usually organized as 501 (c) (3) organizations, bring together academia and companies in the cybersecurity industry, as well as involvement from federal, state and local governments.

Two such consortia worth mentioning are the Florida Cyber Alliance and the Minnesota Cyber Careers Consortium. Their mission is to advance and develop the talent of their workforce to address cyber issues. Both aim to bring together academia, government organizations and industry players to the table to encourage events, challenges and opportunities for growth and employment. Examples of such activities include:

  • Cyber camps and cyber competitions (the National Initiative for Cybersecurity Careers and Studies (NICCS) maintains an authoritative list of such events);
  • Security conferences;
  • Special career or academic programs, such as recruiting more female students to STEM fields or providing four-year degree options to those who already hold a two-year degree;
  • Security awareness initiatives, some even reaching to K-12 students.

While many other cyber and security academic centers exist around the country, the 501 (c) (3) consortia can provide a more agile and coordinated approach for industry partners by having a single point of contact for both the coordination of activities across multiple institutions and for dealing with the otherwise constrained financial administration required by public institutions of higher education.

Closing the Skills Gap

Working together, we can begin to make a difference in the cybersecurity talent shortage. Efforts will range from retraining existing employees to recruiting high schoolers into special educational pathways and bringing together the government sector, private sector and academia to share amazing opportunities for employment and growth in the ever-expanding field of cybersecurity.

Share this Article:
Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. Beyond the classroom, Chris is also very active in the security community, engaging with community groups and advising business leaders on how to best manage information security risks.