This is going to be a read that could find its way on a long, complex continuum of what may be interpreted as self-serving. It is true that I spend my workaday (and then some) in the industry known as higher education. As much as I explain to others in a sort of self-deprecating way that I lean toward being an idealist, I am equally reminded that no matter how noble or avocational teaching may be, higher education includes a healthy dose of business treatment. Without students and their tuition … no nobility found because no teaching can occur.
Because of the truism that business accompanies my idealist’s goal to provide and impart education, the risk of coming off as marketing my selfish ends seems clear because I am advising anyone reading this to go and get educated in the field of cybersecurity. The phrase “cyber workforce shortage” seems as well-worn as “the internet era.” After teaching and researching in the field for going on eight years, that shortage is one of the few unchanged pieces of the cybersecurity puzzle. The tools and tactics changed. The budgets and defenses have grown. Still, the cops continue to be the chasers of the speedy bad guys, and the workforce shortage, as another constant, has lent to the ongoing arrears of law enforcement.
During conferences and symposiums, always inclusive of both the private cyber companies as well as state and especially federal government contingencies, the numbers are always impressive. Regularly, the open cybersecurity positions that need to be filled add up to the hundreds of thousands. It’s another thing that has barely changed, and not in security’s favor, during my eight years of tracking these things; it has grown, frankly. If everyone reading this, and everyone that you know, and their children all committed to studying cybersecurity defenses and then landed positions, there would still be a need for talent.
The crux of my weekly palaver, here, is not so focused merely on encouraging you to attain or advance your formal academic makeup. Sure, part of my interest, the numbers-bolstering part, would love to have those hundreds of thousands of prospectively minted cyber smarties enroll in my institution to gather the knowledge, skills, and abilities to fill the void. That’s impractical. And, to be honest, neither the federal government—with over 40,000 cybersecurity seats to fill, itself—nor private industry would want every security expert to have trekked along the same educative path. Only the hackers would prefer to see that homogeneity. It would behoove the system to have my school and many others train up the future leaders of cybersecurity.
There is more for you than the conventional degree-seeking pathway, too. This is where I can attest to the fact that this column is not meant to recruit university students, or at least not exclusively. There are many professional certifications and other alternatives to earning a degree as a means to the ends of filling the vacancies. You might start with basic, essential technological certifications that assure future employers that you have a sound understanding of the hardware and software that get attacked. Then, you could enhance those lessons with very focused certifications on security topics, forensic investigation techniques, and a whole bevvy of complementary skills. Many subject matter experts that I encounter, even atop their numerous degrees, bear so many letters after their names representing all the various certs. and degrees that their actual names are forgotten by the time you get to the right edge of their business cards.
Now, don’t take my direction and go willy and nilly with it. You would never enroll in a degree program without doing extensive research on the right school. You need to understand the institution’s mission, its faculty chops, costs, career assistance. All sorts of components make up the university experience, and you need to understand them for any institution that you may end up earing a degree in. Same goes with professional certificates. If you go online to seek these out, and do so carelessly, that Chuck’s Cyber-Star “certificate” you earn in four hours of online tutelage for, say, $600 no less, could be worth bupkis. Look for testimonials. Scan the job boards to see what hiring officials are seeking out as “preferred” job qualifications.
The openings are ripe for the picking. The scofflaws are currently unstoppable, so the flow of work seems to be available also without stoppage. The rewards are also evident.
Those 40,000 federal positions unfulfilled, and as reported by Federal Cyber Workforce Management and Coordinating Working Group this past Fall, actually represent some of the lower salary ranges in the field. However, becoming a govvie has its own compensation well beyond the salary posted, which incidentally includes an inherent perquisite in that government salaries are entirely transparent and known. Job security with the fed is nearly second to none. I cannot recall the specifics, but I read a piece years ago that among the millions of civil servants there were something like fewer than hundreds each year that lose their positions involuntarily. Retirement benefits are well advertised and well known, too. Plus, so far as a sense of worth, who better could you work for than the people?
In the private sector, it’s an embellishment but some would say you can write your own ticket if you’re a cyber expert. The risks are excessive, so the rewards bestowed on those who protect firms from those risks are balanced, accordingly. Think six figures.
Consider it. Think about whether you could handle the learning curve, and whether you want to help. Of the few things acutely known about the whole gamut of cybersecurity, the fact that anyone can learn about it, and then fill one of the many, many open seats to practice it is a good kernel of inspiration.
Ed Zuger is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at email@example.com.