BLOG

As both the public and private sectors continue to struggle with the growing cybersecurity skills gap, on Aug. 25, 2021, the White House announced a sweeping set of initiatives to shore up the nation’s cyber defense workforce. 

“Cybersecurity is a national security and economic security imperative,” the White House announcement stated. “We are prioritizing and elevating cybersecurity like never before.”

The announcement couldn’t have come any sooner. A 2017 Global Information Security Workforce Study (GISWS) estimated a worldwide cybersecurity workforce gap of nearly 1.8 million by 2022. However, a 2020 cybersecurity workforce study by (ISC)² found the shortage had already grown to an estimated 3.1 million. (So, let’s split the difference. Either way, it’s in the millions, folks.)

COVID-19’s impact on business and the need to secure a growing remote workforce – coupled with high-profile ransomware attacks this year against Colonial Pipeline, the nation’s largest fuel pipeline, and IT management solutions provider Kaseya – makes the need for a large, skilled pool of cybersecurity defenders more apparent than ever.

The White House announcement outlined commitments from tech giants Apple, Google, Microsoft, Amazon, IBM, and others for investments and partnerships to help grow and strengthen the cyber workforce. In addition, Google, IBM, and Microsoft announced commitments to train, recertify and diversify the cybersecurity talent pool. This includes partnerships with community colleges and HBCUs to offer programs leading to industry-recognized certificates and, hopefully, high-paying jobs.

What the Industry Says it Needs

According to a report jointly published by the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA), the largest skills shortage in cybersecurity are, not surprisingly, in new and emerging fields. So, what skills need to be addressed most critically within an academic institution’s cybersecurity program to better position students for these careers? The report, based on a survey of nearly 500 cybersecurity professionals around the world, identified several critical areas where the needs are most significant:

CLOUD COMPUTING

Nearly 40 percent of those surveyed listed cloud computing security as the area with the greatest skills shortage. The (ISC)² report echoed this sentiment. Identically, 40 percent of those surveyed for the 2020 study identified cloud security as the skill they needed to develop over the next two years. 

Though the cloud isn’t exactly new, the push to secure it has become critical in recent years—even more so during the pandemic—as large and small companies have moved systems and applications to the cloud. 

APPLICATION SECURITY

An estimated 30 percent of those surveyed by ESG/ISSA identified application security as a necessary skill. And 25 percent of those surveyed by (ISC)² identified application security as a top cybersecurity skill needed.

SECURITY ANALYSIS AND INVESTIGATIONS

Rounding out the top three, 30 percent of the ESG/ISSA survey respondents listed security analysis and investigations. The results were almost identical in the (ISC)² survey, with 28 percent listing security analysis.

SECURITY ENGINEERING

For the 2020 survey, 24 percent of the (ISC)² respondents identified security engineering as a needed skill, and it was also high on the list for those surveyed by ESG/ISSA (22 percent).

PEN-TESTING/RED TEAMING

Though not at the top of either list, pen-testing was listed in both surveys as a critical skill needed in cybersecurity. The ESG/ISSA survey recorded pen-testing 10 (out of 10) with 22 percent. Not far behind (18 percent), the (ISC)² survey also listed pen-testing as a critical skill for cybersecurity professionals.

As higher education tries to keep pace with these industry needs, employers often find they must look for employees with IT-related skills that can then be leveraged within cyber. An employee with those complementary skills can then be given on-the-job training for higher-level duties. Other stopgap measures include leveraging skills such as DevOps for application security and server virtualization for security engineering roles.

The Challenge for Higher Ed

A January 2019 report, “The Cybersecurity Workforce Gap,” by the Center for Strategic and International Studies, found that cybersecurity education should focus on three key areas: IT fundamentals, hands-on learning, and soft skills. 

• Computing fundamentals such as basic networking concepts, Linux systems, cryptography principles, and secure coding would provide students with a baseline set of skills that could be used to develop job-specific cybersecurity qualifications.
• Less theory and more practical skills were common complaints heard among those surveyed in the report. Hands-on learning through student competitions and cyber ranges provide real-world scenarios, team-based environments, and the time-sensitive demanded in most operations centers.
• Soft skills include written and verbal communication when collaborating with a team and analytical and problem-solving skills. 

Words from an Expert

According to Tony Coulson, Ph.D., professor at California State University, San Bernardino, and executive director of the Cybersecurity Center at Jack H. Brown College, many of these soft skills can be equally or even more critical than many hard skills. 

Dr. Coulson outlines his own top five cybersecurity skills:

Be able to communicate with people with both technical and non-technical backgrounds.

Verbal and written skills are critical within a cybersecurity team, but they also extend beyond when working with other departments in an organization. Effective cybersecurity staff must be able to translate technical solutions into business value.

Understand how an organization works beyond computer systems.

Effective employees must connect the role of cyber with how an organization’s information systems operate. Team-based assignments and labs based on real-world scenarios can help form contextualized hard and soft skills for students to take into the workplace.

Be curious.

It may seem obvious enough, but it could be said that the only thing constant about cyber is that it is always changing. “Know the trends,” Dr. Coulson added. “Find out how things work [and] discover the world around you.”

Think like the adversary.

“Try to understand those who are against you. The strategies, motivation, vulnerabilities,” Dr. Coulson advises. “It is the only way to play a strong defense.”

Have a broad perspective of the vast array of technologies used within an organization.

“It is ok to understand one vendor’s technology very well,” he said. “But understand the greater eco-system.”

Industry Connections

Much of the data points to establishing internships and mentoring programs with industry partners. Joining a professional industry organization was identified as critical by 42 percent of the ESG/ISSA survey respondents and 36 percent who recommended finding a mentor willing to help develop skills and career plans.

Obtaining a cybersecurity certification was also identified as a high priority, particularly for those seeking entry-level positions in the field. Both the ESG/ISSA and (ISC)² studies identified industry certifications as a top priority. Both surveys listed the Certified Information Systems Security Professional (CISSP) as the top cybersecurity certification. Other certifications identified include Certified Information Security Manager (CISM), CompTIA Security+ and EC-Councils’ Certified Ethical Hacker. 

Conclusion

Let’s distill this down a bit, if possible, to the official “Top Five Big Buckets Of Skills”: 

1. Hard Skills: While it’s tempting to emphasize cloud security and pen-testing, employers want qualified candidates with a firm foundation of networking and security principles.
2. Soft Skills: Give students opportunities to include verbal and written assignments and encourage teamwork whenever possible.
3. Hands-On Experience: Competitions, capture-the-flag tournaments, and cyber range activities will help hone and refine the hard and soft skills introduced in the classroom with the challenges of a real-world scenario.
4. Industry Certifications: Resist the urge to overload certifications; instead, have students select a few of the most relevant vendor and vendor-neutral cybersecurity certifications.
5. Mentorships/Internships: Partner with a local industry organization and develop partnerships with local businesses to incubate those students who are close to completing their degrees.

One final note Dr. Coulson added is that the only constant with cybersecurity is that it changes: “When it comes to cyber, the field is always changing,” he said. “And you should be willing to change with it.” 

Chris Kinnaird is an associate professor at Miami Dade College’s School of Engineering & Technology, where he teaches courses in networking and cybersecurity. He holds certifications in Network+, Linux+, and Security+.