The quickly changing cybersecurity landscape begs the question: is the current cybersecurity training being offered adequate to address the chronic shortage of trained professionals? Knowing there is a talent shortage, we’re looking at the steps colleges and universities (and others) across the country are taking to help close the skills gap, and what help they are receiving from the government and private sector.
There’s no question that there is a global talent gap and a shortage of cybersecurity workers. When we attended the recent Billington Summit for local and state governments, a speaker (also a computer science instructor at a well-known university) remarked that of the 100 or so undergraduate students in computer science, IT, and data science he had met last semester, only two had taken courses in cybersecurity. Another speaker at the same summit joked that anyone in the room with any experience and any training in cyber is “not in danger” of losing their job.
According to the Future of Jobs 2023 report, cybersecurity is among the top strategically emphasized skills for the workforce, and yet there is a shortage of 3.4 million cybersecurity experts to support today’s global economy. This number is only expected to grow as the impact of emerging technologies is felt across organizations, public and private. Rapid technology growth means a greater need for trained professionals; for example, while the rise of large AI language models has its benefits, it also heightens cyber threats such as phishing and identity fraud, which add to the workload of overstretched cyber teams.
In addition, the cybersecurity industry suffers from the misperception that professionals require a technical background in IT security or engineering, which discourages non-traditional candidates from pursuing a career in the field. However, many technical skills required for cybersecurity roles can be acquired on the job with proper training and development. Apprenticeships have a clear role in bringing people into the cybersecurity field. The explosion in demand for cybersecurity professionals is a clear opportunity to create skilled, long-term careers for people who have fallen outside of the formal education system, whose education was not in a technical subject, or who are looking for a career change and all but guaranteed job security.
In testimony before Congress last year, Will Markow, vice president of applied research at labor market analytics firm Lightcast, told members that the cybersecurity talent pipeline is severely broken. He added that even if every single computer and information science graduate pursued cybersecurity, the workforce would still need at least 200,000 more people. “We're going to have to find ways to redeploy and reskill existing workers if we're going to close that talent gap within any human timescale.”
According to Marine Colonel Chris Starling (ret.), executive director of NPower in California, one resource is the under-tapped pool of former service members with cyber skills. NPower is a nonprofit organization that provides training and job placement services to veterans and young adults from underserved communities.
According to Starling, “Capitalizing on the talent pool of military-connected individuals and families, including transitioning military service members, is easy. It's natural to retrain people from defending the nation to defending the network.” Currently, the program operates in nine states across the country. Starling recommended to the Congressional committee that they establish a similar, permanent program, which would focus on providing sustainable funding for individuals like those served by NPower.
Pressure and burnout are frequently listed as reasons why cybersecurity professionals leave their jobs, and this must change to facilitate efforts to build and maintain a skilled cybersecurity workforce. Research shows that 70% of cybersecurity professionals feel overworked, and a Gartner study predicts that 25% of cybersecurity leaders will change jobs as a result of multiple work-related stressors. To improve retention, public and private organizations must pay special attention to managing the underlying factors that contribute to high attrition rates and provide incentives, including flexible work arrangements, as well as employee wellbeing solutions.
Many people think of the “typical coder” when they think of cybersecurity jobs and computer science. This notion of a reclusive coder in a hoodie is so pervasive that it clouds our vision about what the world of cybersecurity is like for trained professionals. It’s also a stereotype that can be combatted by taking a new approach to teaching cybersecurity.
By moving beyond the traditional way of teaching and switching to a more project-based approach, educators can challenge students to solve real problems that exist in their communities and the world at large. This tactic ensures learning is purposeful and engaging. It also gives students hands-on experience solving real-life problems and working as part of a team.
Cybersecurity is a field that welcomes people from diverse, nontraditional backgrounds who are curious and ready to learn. Whether it’s through a boot camp, community college, or degree program, cybersecurity training allows a wide array of people to become highly trained professionals.
There’s evidence that America’s college and university system is starting to step up. New facilities have been built, such as RIT’s ESL Global Cybersecurity Institute, and the Air Force Academy is building a brand-new facility called the Madera Cyber Innovation Center that cadets are expected to be using by January 2025. More importantly, colleges are starting to adapt and offer online courses more often and with more variety.
Large state schools such as Penn State, through their World Campus programs, are offering degree and certificate programs online to as many as 20,000 students with the same quality of instruction as those who attend the physical school. This gives students who may not be able to attend the campus, or who work full-time, a way to pursue flexible online courses and opportunities. Penn State is not alone; there are now literally hundreds of schools offering some kind of degree or certification in cybersecurity through online courses and training.
There will also need to be greater flexibility in hiring that focuses on capabilities over certifications, although certifications are one step that universities have taken to help address the shortage of skilled workers.
Large state systems, like Penn State, could be the nucleus of an ongoing feeder network. The University of California System, for example, has more than 280,000 students and 227,000 faculty and staff, with 2.0 million alumni living and working around the world. UC-Irvine’s Division of Continuing Education offers “bootcamps” to train cybersecurity professionals, promising skill development for success “in this rapidly expanding, dynamic field.” Through their extension school, UC-Riverside offers professional certificates in cybersecurity, as well as a “gateway” program, a Professional Achievement Award in Applied Cybersecurity Fundamentals that can lead to the full program, which is taught in a hybrid format and can be completed in 6-12 months. Many of these educational modules are online, or in hybrid form.
For a long time, the National Security Agency (NSA), in collaboration with other Federal agencies, has stepped up with its National Centers of Academic Excellence in Cybersecurity (NCAE-C) program, managed by NSA's National Cryptologic School. Federal partners include the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Institute of Standards and Technology (NIST)/National Initiative on Cybersecurity Education (NICE), the National Science Foundation (NSF), the Department of Defense Office of the Chief Information Officer (DoD-CIO), and U.S. Cyber Command (USCYBERCOM).
There are three designations that schools may vie for, depending on the type of school and type of study offered: CAE-CD (cyber defense), CAE-R (cyber research), and CAE-CO (cyber operations). Many schools have vied for the CAE-CD designation, which is awarded to regionally accredited academic institutions offering cybersecurity degrees and/or certificates at the associate, bachelor’s, and graduate levels. CAE-designated institutions must complete validation of a Program of Study, which is a series of courses and experiences that a student can reasonably accomplish while attaining a degree or completing a certificate.
The program has done a good job of spreading this training nationally, both to four-year and community colleges.
The private sector is looking to boost its impact in this important area. In late 2021, Microsoft announced a program to work with community colleges across the US to help skill and recruit 250,000 people into the cybersecurity workforce by 2025.
In 2023, the White House unveiled a comprehensive plan to address a yearslong shortage of qualified workers in the IT security industry. The National Cyber Workforce and Education Strategy (NCWES) calls for government officials to work with the private sector and other key stakeholders to open foundational cyber skills to all Americans. Officials also plan to expand the number of training programs available for professional training and help develop a more diverse workforce.
In June of 2023, Google committed $20 million to help train thousands of students under a partnership with the Consortium of Cybersecurity Clinics. There are several specific programs designed to increase the number of federal workers, as key agencies have also been trying to fill needed technology and information security roles.
Some of the other programs noted in the Cybersecurity Dive article include:
Many universities, such as Wilkes University in Pennsylvania, are becoming increasingly flexible and creative, offering a variety of classes, from face-to-face, to hybrid, to online, to hybrid flexible, even synchronously online. More colleges have begun to adopt these multi-tiered systems to relate to the changing dynamics of education and workforce requirements. A click on the link above will give you a visual representation of the Wilkes system.
At CYRIN, our goal is to maximize hands-on training and education. We’d be happy to show you how CYRIN has worked with many institutions, particularly in an online or hybrid capacity, to help government, education, industry, students, and learners become part of the solution. For the education market, we consistently work with colleges and universities both large and small to create realistic training to meet the environment students will encounter when they graduate and enter the workforce.
For industry, we continue to work with our partners to address major challenges including incident response, ransomware, and phishing, and to set up realistic scenarios that allow them to train their teams and prepare new hires for the threats they will face. Government agencies have been using CYRIN for years, training their front-line specialists on the real threats faced on their ever-expanding risk surface.
We also work with all our users to create new content that will fit into this rapidly changing cyber landscape. In an increasingly digitized world, training and experiential training are critical. Unless you get the “hands-on” feel for the tools and attacks and train on incident response in real-world scenarios, you just won’t be prepared for when the inevitable happens. A full-blown cyberattack is not something you can prepare for after it hits. The best time to plan and prepare is before the attack.
Our training platform teaches fundamental solutions that integrate actual cyber tools from CYRIN’s labs, which allow you to practice 24/7, in the cloud, with no special software required. Cyber is a team effort; to see what our team can do for you, take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!