The Center for Strategic and International Studies (CSIS) recently published a report on “The Cybersecurity Workforce Gap.” One of the authors, Jim Lewis, is regarded as one of the Washington, D.C. area’s preeminent authorities on all things related to cybersecurity, so the report’s commentary and recommendations are especially noteworthy.
The report contains a number of well-documented statements describing the challenges organizations face in hiring enough cybersecurity professionals with the needed skillsets. But what stood out was how Lewis, and his co-author, William Crumpler, accurately broke down the workforce problem beyond this initial observation. They point out that employers today are looking to hire individuals who (a) are properly trained in information security fundamentals; (b) can hit the ground running; and (c) are well-rounded with important professional (“soft”) skills. From an employer’s perspective, all three points are correct.
As the report notes, prospective employers want people with “practical experience,” even if they are just graduating from college. New graduates have long complained that jobs requiring experience were automatically off-limits to them. But that’s no longer necessarily true in cybersecurity and other technical fields, as many employers have created internship or apprenticeship programs, often working with nearby educational institutions, to give students opportunities for real “hands-on” practical experience while they learn.
For a number of years, Telos Corporation has offered internships designed to give students meaningful work experiences that not only provide real value to our company but also better prepare these students for the workforce after graduation. And we know many other technology companies are doing the same. Some students also gain practical experience because their schools are now baking such opportunities into the curricula, such as through cybersecurity competitions.
This need for experience is not limited to hiring cybersecurity professionals. Technology companies also look to hire individuals with marketing, financial, and other skills, and if they have received such hands-on experience before graduating, that means they need less training once they become full-time hires. This combines what we used to call “book learning” with real-world learning.
As Lewis and Crumpler also point out, schools need to do more to enable students to further develop the professional/soft skills needed in today’s cybersecurity work environment. The ability to communicate and to work in a team environment to solve problems is important to employers. It’s not enough for an individual to be technically proficient; the enterprise-wide cybersecurity challenges are often too great for a single employee. Cyber warriors need to work well with others and to capably communicate (orally and in writing) with colleagues, many of whom may not be as technically conversant.
But there are some additional important points that the report’s authors did not get into. They imply that teaching more computing fundamentals is the silver bullet needed for new hires. While it may be true that training in the fundamentals of computing and information security is, as they note, more in demand than cyber policy planning or compliance assessment, it needs to be emphasized that the majority of breaches occur from phishing attacks. Students entering the workforce need to be savvy enough to have the analytical (and not just technical) skills to avoid falling for such social-engineering schemes and to help others in their organizations avoid them too.
Looking at security control frameworks such as NIST SP 800-53 and the ISO standards as general guidance for cybersecurity reveals that many, if not most, security issues and concerns are administrative or procedural in nature. This again points out that cybersecurity is broader than just technical/computer operations.
The trend toward risk-based cybersecurity management doesn’t just require a deep understanding of computer fundamentals. It also requires more traditional business skills and knowledge of non-technical information security requirements to better evaluate threats, vulnerabilities, risk, likelihood, impact, and prioritization, and then to determine an appropriate risk mitigation strategy.
Individuals who are hard-core technical types are often good at recognizing threats, but not at recognizing their likelihood and prioritizing them, which is at the heart of effective risk management — to these technical types, at times, everything is a priority. In addition to learning computer fundamentals, the future cybersecurity workforce needs to be able to make objective observations and analyses, and to work within the team environment to feed the appropriate data to people who can use it to drive a real cyber risk and compliance management process.
The CSIS report is an excellent primer on the problems employers face with respect to the cybersecurity workforce and some of the steps needed to address them. But educational professionals should also understand that real-world cybersecurity challenges are complex, and that they need to teach other skill sets in addition to technical ones to their students (our future workforce) in order to help organizations address the threats we face.
Telos CEO John Wood blogs about business, education, and the values that guide us.