Organizations in every industry have begun to grasp the vital need to protect their systems and data from hackers – but may face difficulty in finding qualified cybersecurity professionals to effectively combat increasingly sophisticated threats.
To effectively lead a cybersecurity program, professionals need to have not only a technical understanding of all the “bits and bytes” of an organization, but also the risk management, communication, and leadership skills to convince executives to protect every form of data and critical infrastructure inherent to a company. The rarity of these qualities is evident as information security professionals are in high demand in both the public and private sector.
Many of today’s top information security professionals developed from the network administrator side of businesses. Information security wasn’t a separate discipline; it was just part of the job. In 2005, a major data breach at ChoicePoint, a Georgia-based data aggregation service, brought the need for dedicated information security professionals into the spotlight.
Joyce Brocaglia, CEO of Alta Associates in New Jersey, commented, “There is basically negative unemployment” in information security. Founded 30 years ago, her firm works with clients to recruit top talent for high-profile information security executive searches.
“We have never seen the demand so high,” Brocaglia told Advisen. “But the role of the CISO (chief information security officer) is evolving. As the role is evolving, it’s becoming much more complex and requiring much broader knowledge.”
Need by the numbers
A recent study from the Ponemon Institute found that the information security sector is seriously understaffed, with 58 percent of senior IT security staff positions going unfilled in 2013. Thirty-six percent of IT security staff positions remained unfilled in 2013. And the need is expected to grow, with the average number of IT security staffers slated to rise to 29 in 2014, from 22 in 2013. There’s also a fair amount of turnover in the field, with many chief information security officers moving on after 2.5 years. Lower-level technical information security personnel stay for an average of four years.
The National Initiative for Cybersecurity Careers and Studies aims to broadcast ways organizations can approach the problem with a diagnostic tool to more clearly identify their needs.
“As the demands of global business, computing, and society revolve around information technology, the cybersecurity workload is increasing faster than cybersecurity professionals can meet the demand. As such, an emerging priority in cybersecurity is how organizations can attract, assess, and develop this specialized workforce,” states the NICCS on its website. “Effective workforce planning enables organizations to build processes that not only identify where major cybersecurity gaps reside, but also pinpoint where an organization should proactively grow and shape its cybersecurity workforce to achieve mission priorities.”
The program also works with schools to integrate cybersecurity awareness in kindergarten through high school in existing science, technology, engineering and math (STEM) programs, as well as teaching kids to be safe online.
A 2013 study conducted by Raytheon illustrated some of the challenges in drawing young people to the world of cybersecurity. In a survey of Millennials in the United States, 82 percent said that their high school teachers and guidance counselors never suggested a career in cybersecurity, while 86 percent said that cybersecurity awareness programs should be a formal part of educational curriculum. Young men (35 percent) were found to be far more interested than young women (14 percent) in a career in cybersecurity.
Broadcasting the options
Larry Whiteside, chief information security officer for the Lower Colorado River Authority (LCRA) in Austin, Texas, and a 20-year veteran of the information security field, told Advisen that there is a “serious shortage” in the field of information security, primarily because young people aren’t aware enough of the career options.
“I think there’s really not a strong enough curriculum around at a young enough age to get people interested,” he said. While there are information security tracks within larger computer sciences or information technology college programs, “it’s not nearly as wide as it could be,” Whiteside added. “We’re lagging behind.”
Whiteside explained that successful security professionals need a particular mindset and it’s necessary to develop critical thinking skills early.
“Being very analytical is the key to getting into the cybersecurity space,” he said. “That’s why the STEM curriculum is so important. It builds an aspect of analytical thinking.”
Cybersecurity professionals frequently come from the network and infrastructure field, as well as programming, which helps in interpreting the technical side of the business and bringing the information in a relatable way to executives.
“Jumping into cybersecurity from a risk standpoint is important, but you have to have that technological understanding,” Whiteside said. “You can not only understand what they’re saying, but then translate that into business risk-speak that you can take to your executive team.”
Whiteside explained that CISOs need to “be the bridge” between company leadership and the IT department to elucidate the risks to the organization’s information and systems – and how executives will be held accountable for any losses.
“You have to identify risk and put it in front of them to help them make better decisions,” he said. “For the first time, organizations are recognizing that they may have had security people in-house, but they have not had people in-house that can sit at the executive level.”
Highly publicized data breaches at major organizations have helped make boards more receptive to the message of their information security personnel. The result has been to make the role of a CISO “much more business strategic and less focused on technology,” according to Whiteside.
For Brocaglia, information security executives have “a lot of leadership skills, a lot of business acumen and a really holistic understanding of risk.” To that end, in 2002, she founded the Executive Women’s Forum, an organization dedicated to developing leaders in the information security and privacy field. The program, called Leadership Journey, promotes the development of self-assurance, self-awareness, and the ability to influence others in information security professionals.
“The technical aspects are the easy part,” said Brocaglia. EWF also offers a full scholarship to women interested in completing a master’s degree at Carnegie Mellon’s cybersecurity program, she noted.
Continuing education and training options for cybersecurity professionals continue to grow. According to Center for Internet Security CEO William Pelgrin, the CIS saw a 35 percent increase in its training options from 2012 to 2013. CIS works with several public and private sector groups to develop technical and end user cybersecurity training solutions. He also explained that to boost the workforce, the industry needs “to shift our mindset in terms of how we solicit the workforce, and not just look at traditional candidates.”
“Addressing cyber security is not solely about technology – it’s about people and processes. We need individuals with managerial and professional skills who can understand the threats and make informed decisions based on the business risk analysis,” said Pelgrin in an email to Advisen. “We also can’t lose sight of the impact the entire workforce has on an entity’s cyber security. Many of the recent high-profile breaches have highlighted the role human behavior—such as falling prey to phishing scams or using weak passwords—plays in cyber defense. All users, not just the cyber security professionals, have an impact on an organization’s security posture and awareness training across the board is a critical part of a defense-in-depth strategy.”
Industry conferences targeted at the cybersecurity and privacy world continue to expand, with Black Hat and RSA among the most well-attended events in the world. Information security professionals say conferences offer opportunities to network and keep up to date on developing threats to data. On a day-to-day basis, Whiteside and other professionals say that social media provides a great way to interact with others in the field and share information.
Hope for the future
According to William McBorrough, managing principal at Mission Critical Global Technology Group and a professor of cybersecurity, there’s reason to expect the talent shortage to be addressed. Many colleges have both undergraduate and graduate programs in cybersecurity now, offering both technical skills and a more policy-based research approach.
McBorrough, who teaches at the University of Maryland, explained that cybersecurity studies have attracted the attention of both younger people and adults looking for a career change and “following the opportunities into the cyber world.”
However, with variations in focus and quality in programs, students must know what they want to get out of a cybersecurity course of study. Someone looking to obtain practical skills and quickly get into the workforce could earn an associate’s degree and be on the job in two years. Another student hoping to become a CISO at a financial services firm might find a management-based program more useful.
“Cybersecurity is a very broad area and students that are looking to get into a program somewhere really have to do their research and understand what they want to get out of the program,” said McBorrough, who has worked with a variety of clients in both the public and private sector over the years, as well as teaching.
The best programs are those that couple practical skills with theoretical knowledge. And McBorrough asserted that the business world should expect an infusion of cybersecurity grads in the coming years, shifting the trend of jobs going unfilled. In every situation, companies need to be willing to hire graduates, who get out of school and find they have a job and no experience.
“I certainly expect the tide to change. These folks will eventually get in the workforce and they’ll get more experience. The business community has made the need well-known and academic institutions have responded to that need. It just takes time for the talent to catch up,” he said.