In this Help Net Security interview, Dr. Lindsey Polley de Lopez, Director of Cyber & Space Intelligence at MACH37, proposes strategies for companies, educational institutions, and governments on how to address the ongoing shortage of cybersecurity talent through the introduction of upskilling initiatives.
She also discusses creating a more diverse and inclusive talent pool capable of addressing complex problems in unconventional ways due to differing experiences.
We hear a lot about the need for upskilling initiatives. Can you discuss some initiatives that have successfully upskilled workers for cybersecurity roles?
Absolutely. I think the reality of the workforce gap within the cybersecurity field really began hitting industry within the past 10 years, and during that same timeframe we’ve see several executive orders in the United States come out that echo the importance of building up the cybersecurity workforce in order to meet the future commercial demand and protect critical infrastructure (EO 13718 and EO 13800). As a result, we’ve begun to see both industry and government entities kick-off different initiatives ranging from free training to mentorship programs to start addressing this issue of cybersecurity workforce shortages.
Let’s start with government sponsored initiatives. In the US, several state and local governments have launched their own cyber upskilling initiatives, so I always recommend people look into what special programs might be available that are unique to their specific city or state. At the federal level, the Cybersecurity and Infrastructure Security Agency’s (CISA) has a “Cybersecurity Workforce Training Guide” that helps early-career professionals plan a career pathway in cybersecurity, as well as a Cybersecurity Education and Training Assistance Program (CETAP) that helps teachers bring cybersecurity education into K–12 classrooms by providing worksheets, lesson plans, and notes that cover foundational concepts. And for government employees, federal contractors, and US military service members, check out the Department of Homeland Security’s (DHS) FedVTE Program (which offers free online courses on topics like on topics such as ethical hacking and surveillance, risk management and malware analysis), as well as the USO & Skillsoft Partnership (which offers active duty members, spouses, and veterans unlimited access to a library of training and certification tools; sign-up via the USO Pathfinder Transition Program).
When looking at the commercial sector, there are far too many initiatives to list, but a few key ones to be aware of include Microsoft’s national upskilling campaign (which includes free curriculum for community colleges – as well as free training for their professors – and Microsoft’s Cybersecurity Scholarship Program), the new Cyber Million Program launched this month by Accenture and Immersive Labs (which aims to fill 1 million entry-level cybersecurity jobs by offering free online courses), and free cybersecurity courses provided through Palo Alto Network’s Beacon platform.
One particular area where we’ve seen considerable movement in the past years are initiatives geared specifically towards women in an effort to close the cybersecurity workforce gender gap. There are many efforts worldwide, including WOMCY (a nonprofit focused on growing opportunity for women in cybersecurity in Latin America), Women4Cyber (a foundation working to promote and support the participation of women in cybersecurity in Europe), Women in Cyber Mentorship Program (a program under the United Nations International
When it comes to the consequences of the cybersecurity labor shortage, how does it impact company growth? Can you share some examples or scenarios to illustrate this point?
There are a myriad of ways the cybersecurity labor shortage is impacting company growth. The first impacts all companies fairly equally, and that is the extended period of time companies have to wait to attract initial applicants to open positions; with more cybersecurity job openings than available applicants, this is the first challenge companies will encounter.
After applicants have applied to an opening and it’s time to extend an offer, companies will often find themselves in a “bidding war” with other companies to win over the prospective candidate; again, this is due to there being more cybersecurity job openings than professionals able to fill the roles.
Companies looking to win over these candidates will need to offer a competitive salary along with other benefits and incentives, which can ultimately have unintended consequences on other aspects of their cybersecurity posture (such as decreasing the amount of available budget for tools or upgrades). Companies who do not have the available budget to win these bidding wars are often forced to operate longer with vacant cybersecurity positions, which stall growth, strain the existing teams, and may leave the company in a more vulnerable position than their counterparts.
There’s often a discussion about the need for structured educational pathways to cultivate a skilled workforce in cybersecurity. How important do you think a formalized educational path is in this industry?
While there is a place for traditional formalized education pathways in this field (i.e., college programs focused on aspects of cybersecurity), I believe that we need to be treating cybersecurity much more like a trade when it comes to the education pathway and requirements. What I mean by this is that instead of requiring an entry-level applicant to have a 4-year college degree, it makes much more sense to look for certifications that are relevant to the specific job opening, as well as offer on the job training when possible to fill skill gaps in an applicant’s background rather than skipping them over completely.
This means that instead of the stringent formalized education pathways that have become the norm in the US, the cybersecurity education and career pathway should really be a modular and flexible one that can be tailored and expanded on throughout an individual’s career. Not only will this help the labor shortage in the near-term, but it will also develop a more resilient and adaptable cybersecurity workforce in the future.
What actionable steps can companies, educational institutions, and governments take to address the talent shortage in the cybersecurity industry?
Educational institutions – particularly K-12 – play a crucial role in addressing the cybersecurity talent shortage by getting kids interested in the topic at an early age. One key factor that prevents new entrants into the cybersecurity field is that the topic seems intimidating; by introducing cybersecurity and other STEM related topics (e.g., computer science and coding) early in the education pipeline, we can build confidence and remove the “fear” sentiment that is holding some people back.
Another step that educational institutions can take is to form bridge partnerships providing summer programs that connect the high school-to-college transition for students. This transition is often overwhelming (from both a curricular and social perspective) and is a key point in the pipeline where students lose interest in cybersecurity and STEM due to the combination of (1) difficulty in course work, and (2) not feeling a sense of community or inclusion. Summer bridge programs, however, can significantly help reduce the stress associated with this transition and can increase retention rates for cybersecurity and STEM pipelines.
Industry plays a two-fold role in addressing the cybersecurity talent shortage. First, when looking to fill a cybersecurity vacancy, companies should be more flexible on their hiring requirements (when possible). Instead of requiring a 4-year college degree and 3 years of experience for an entry-level position, consider applicants with a key certification in a relevant subject matter area or applicants with on the job experience instead (these skills can easily be verified via a quick interview with a current team member of your cybersecurity team). Second, companies with the ability to provide fundamental cybersecurity training and / or certifications for free or affordable prices should do so; the positive impact that this would have on the near-term cybersecurity talent shortage can not be overstated.
The key actions government entities can do is to (1) facilitate partnerships between educational institutions and industry, and (2) provide funding or alternative forms of support for cybersecurity initiatives to fill the gaps that cannot be easily addressed by either educational institutions or industry.
Ultimately though, we need to develop more pipelines spanning educational institutions and industry / government that attract, develop, and retain cybersecurity talent in order to solve the workforce shortage issues. This is a problem spanning both the private and public sectors to a significant degree, and a more systemic approach is the only true solution. Partnerships are key; we need these three stakeholder categories to identify partners and align their actions in order to maximize positive impact.
What do you see as the future of the cybersecurity field, particularly in light of the current skills shortage? What innovations or changes might we see in response to this challenge?
Machine-learning (ML) enhanced tools have been on the market for a while now, but expect to see a new wave of offerings that claim to be “AI-enhanced.” Will they be truly AI-enhanced though? That is hard to say. Some probably will, but the majority will likely offer advanced ML capabilities – and that may be better in the near-term while industry further investigates the security implications of connecting increasingly intelligent systems to their internal architectures and sensitive data.
This availability of new ML/AI tools, however, will likely help bridge some of the cybersecurity talent gap in the near-term while talent pipelines / partnerships continue to be built out and new talent is cultivated. For companies who can afford them and can have clean integration with existing environments, these tools will be able to partially fill roles by taking on redundant or threshold / trigger-based tasks, such as identifying abnormal behaviors, unauthorized system access, and performing log reviews. More complex tasks or higher level reviews of items flagged by these ML / AI tools, however, will still require trained cybersecurity personnel.
Finally, could you share your thoughts on the role of diversity in the cybersecurity workforce? How can we ensure that initiatives addressing the skills shortage promote inclusivity in this sector?
A more diverse workforce will always result in a talent pool that is capable of addressing complex problems in unconventional ways due to differing (and shared) experiences / perspectives that allow for viewing said problems through new and unique lenses. This ability for teams to quickly address and solve complex problems in unique ways is particularly valuable in the field of cybersecurity. Traditional means of recruitment into the field, however, have often posed challenges for underserved populations. These challenges, however, can be easily addressed by several of the initiatives we spoke about prior in the article.
Aside from the overall need for more cybersecurity exposure during early education, specific programs geared towards attracting, developing, and retaining student interest in cybersecurity and STEM within underserved communities is key. These programs should be tuned to particular sensitivities of the community being served, such as language, transportation, and leadership / teacher background considerations. Similar programs bridging the high school to college transition for underserved communities are key to maintaining student confidence and retention in cybersecurity related fields – which will ultimately help drive diversity in the workforce.
Industry can promote diversity in the workforce in several ways, but the most impactful is during the hiring process. Some educational and time-related application requirements inadvertently disqualify applicants from underserved groups due to financial constraints or childcare responsibilities.
Companies can easily address this, however, by being flexible when possible. Instead of requiring a 4-year college degree, consider a certification in specific area – or better yet, offer a short test or interview with a member of your cybersecurity team as an alternate mean of gauging an applicant’s proficiency.
For entry-level positions, also consider identifying applicant’s with strong work ethics and drive who have demonstrated a desire to enter the field, and offer on the job training or certification programs; this will greatly increase your applicant pool by opening the door for those who may not have had the financial means of completing certain requirements. A different set of benefits – such as flexible work hours, remote work options, childcare benefits, and diverse cultural holidays – will also help attract a more inclusive and satisfied talent pool.