A US presidential commission on cybersecurity recently made 16 urgent recommendations to improve the nation’s cybersecurity. It urged steps such as getting rid of traditional passwords, ending the threat of identity theft by 2021 and suggested that Donald Trump’s new administration should train 100,000 new cybersecurity workers by 2020.
It was this last point that got my attention. Partly because gearing an educational system to train workers at a rate ten times the current levels currently achieved by colleges and universities, and in just three years, does seem a massive challenge!
Secondly, I cannot find any references pointing to where the number of 100,000 came from. Perhaps this is just an extrapolation, where it is estimated that US institutions train around 10,000 per year currently, and ten times that amount sounds bigger and safer. The idiom that Americans always think big comes to mind.
Back on home base, the UK Government has also been talking about cybersecurity workforce needs, but has been carefully circumspect about hard numbers. The National Cybersecurity Strategy, published in November 2016, talks about acquiring and strengthening the tools and capabilities that the UK needs to protect itself from cyber threats. It elaborates that: “The UK requires more talented and qualified cybersecurity professionals,” and adds that, “the Government will act now to plug the growing gap between demand and supply for key cybersecurity roles and inject renewed vigor into this area of education and training.”
As a key objective in the National Strategy, this seems to be a long-term, transformative aim and will need to continue well into the next decade, especially if predictions on the future of technology and the role of cybersecurity come to pass.
Is any of this new? Over the past five years several studies have pointed out the necessity to grow and retain a pool of highly skilled cyber professionals. Reports by the Centre for Strategic and International Studies, the Department of Homeland Security’s Homeland Security Advisory Council, RAND Corporation and Booz Allen Hamilton, to name a few, have outlined the difficulty of meeting cybersecurity manpower needs.
Not just a numbers game
The problem is that while the critical shortage of skilled cybersecurity professionals has been widely recognized and several initiatives attempting to address the issues of cyber workforce development have been advanced, none of these efforts have yielded comprehensive results. Indeed, there has been no significant attempt to create a unifying strategy to priorities existing and planned cybersecurity initiatives.
Neither has efforts succeeded in establishing accreditation standards for cybersecurity curricula and certifications, nor elevating and standardizing the competencies of the cyber workforce.
In addition, efforts have failed to address the lack of an overall, integrated approach to fill the lower and middle-void of adequately skilled workers, let alone address “professionalization” of the cybersecurity industry.
Simply talking up the numbers may make sense, but there are clearly underlying systemic issues at the heart of the cyber skills shortage, which are the real concern and need to be dealt with. These issues result in the shortage of cybersecurity specialists, but are compounded by important factors including the lack of young people entering the profession; the insufficient exposure to cyber and information security concepts in computing courses; a shortage of suitably qualified teachers; the absence of established career and training pathways into the profession; and importantly, a career framework for those established within the profession.
The way forward
Ironically, the discussion and actions around the need to grow the numbers of those in the workforce will exacerbate a bigger problem for the profession. This is the need for an alternative to the ad hoc, decentralized approach to enhancing cybersecurity that marks today’s cybersecurity profession.
There is no doubt that our cybersecurity issues and needs are complex and widespread, and being given serious attention by government and industry; yet a comprehensive cybersecurity professional development plan and career path to reward and retain cyber talent have yet to emerge.
Given the importance of cyber to our national security and standard of living, we need a professional workforce with common knowledge, skills and abilities (KSAs) within a professional framework and several specializations, just as the medical, legal and other critical professions do.
There must be consistency of expectation of the specific cyber KSAs from any given educational delivery method and source. To do this as effectively and transparently as possible in a global environment, the cyber community must professionalize its craft.
There is a compelling need for the establishment of a nationally recognized, professional body to serve as a clearing house for the cybersecurity profession and additional member professional associations, with the mandate to plan, direct and oversee the implementation of the public and private sector strategic objectives. Such a body would go a long way to mitigate and potentially eliminate the current fog of competing requirements, disjointed development programs, conflicting definitions of security roles and functions, and highly fragmented and inadequate professional certifications, resulting in reduced risk and increased competitive advantage for all.
While high level government-driven strategic initiatives are to be welcomed, there is the sober reality that most public and private organizations are dealing with the day-to-day threat that is growing and ever more sophisticated. It is the practical problem of finding the resources with the right skills and capabilities to counter these threats that is the real manifestation of the skills shortage.
While being ‘in-demand’ feels a great place to be in any profession, the scale of the resourcing problem is such that the profession simply will not meet growing expectations of organizations needing to strengthen their capability in cybersecurity. A comprehensive and well thought through cybersecurity strategy for the profession can address these issues and help to achieve the goal over the next ten years!