Changes Needed to Meet Growing Cybersecurity Job Demand
Posted By Terri Williams on March 29, 2016 at 9:10 am
Just recently, Hollywood Presbyterian Hospital paid approximately $17,000 to hackers holding its computer network hostage. This was just the latest in a long line of data breaches.
According to PrivacyRights.com, some of the other high-profile victims – just in 2016 – include the IRS (101,000 taxpayers), Washington State Health Authority (91,000 Medicaid patients), and Time Warner Cable (320,000 customers). The first quarter of 2016 has also seen data breaches at Hyatt Hotels, Neiman-Marcus, Wendy’s and too many other companies to list in this paragraph.
These data breaches highlight the need for cybersecurity experts, but according to a recent report by Experis Manpower Group, there is a global security talent shortage, including policy writers, ethical hackers, and technical security solutions engineers. In fact, by 2019, there will be 1.5 million fewer information security workers than needed.
What’s contributing to this problem, what are the implications, and what can be done to close the gap? GoodCall spoke with several experts who offer a variety of thought-provoking responses.
Andrew Hacker, cyber security expert in residence at Harrisburg University of Science and Technology
A shortage of cybersecurity personnel can have a profound impact on each of us. “Since our everyday personal and business lives are becoming more and more ingrained and dependent on digital systems and processes, the importance of cybersecurity to the normal and correct functioning of everything we do becomes increasingly more important and even in some cases, critical,” according to Hacker.
We often take for granted the security of our networks, but without enough people who understand and can guard against attacks, our lives could easily become disrupted. “Regular activities such as communicating with others, performing our banking, keeping our homes safe, driving our cars and traveling via airplane or rail, and even transmitting and receiving electricity are now even more highly dependent on digital systems than ever before,” warns Hacker, who adds that these disruptions could range from a nuisance to a life-threatening situation.
The need to change perceptions
David Brumley, director of CyLab and associate professor at Carnegie Mellon’s College of Engineering
Brumley, who tells GoodCall that he’s a hacker first, and an engineer second, believes the gap between supply and demand for cybersecurity professionals is a result of perception. He says our culture doesn’t think of cybersecurity as a meaningful profession, and says we need to make three specific changes to encourage students to pursue this career choice:
- Stop stigmatizing hackers. “While a handful of people who have these skills go rogue, that isn’t at all representative of the field as a whole.”
- Recognize cybersecurity as a uniquely skilled profession. “Cybersecurity requires a highly strategic way of thinking, where we are in constant competition with adversaries who are also intelligent, potentially powerful, and always looking for the open window when the door is locked. Further, its constantly changing nature means that cybersecurity must be approached as ‘practice sport.’”
- Practice basic cybersecurity. “It’s imperative that everyone – from the 7-year-old playing games on the iPad to the utilities technician controlling a power grid – understand and practice basic cybersecurity and privacy hygiene.” And Brumley says he’s not just talking about computers in K-12 classrooms. “Cyber skills are a necessity, and hacking is more than just a hobby – some element of hacking skills and thinking should become part of everyone’s daily activities.”
Relax the requirements
Albert Goldson, executive director of Indo-Brazilian Associates LLC, member of the Association of Former Intelligence Officers (AFIO)
Perhaps we also need to accept that the most skilled information security experts may not come from traditional channels. According to Goldson, “The best of the best of these candidates are eccentrics and non-conformists who are more likely not to come from prestigious educational institutions, since these institutions are the antithesis to their personalities.”
And unfortunately, many of these individuals can’t get security clearances to get employed where we need them the most: working for the government. “These candidates have a high tendency for disobedience, which can result in non-violent, petty, often white collar crimes that, nonetheless, result in a criminal record,” explains Goldson.
In addition, they tend to prefer working with start-ups or starting their own companies, because they hate being micromanaged, adds Goldson, who also says, “Yet surprisingly there are numerous types like these who are fervent patriots willing to forgo a higher private industry salary for a unique opportunity to serve in cyber-warfare – but need the government to relax hiring requirements.”
Provide clear educational and career paths
Jason Payne, Alert Logic’s senior director, ActiveWatch Services
Payne feels that companies must do a better job of identifying specific hiring needs. “There is a wide maturity and diversity gap among companies in the cybersecurity industry, so it’s been hard to present a clear picture of skillsets required to break into the field.” And Payne says these organizations need to define a consistent model of skills to adequately fill hiring gaps.
“Today’s education system can be murky for students seeking job opportunities, and many aren’t prepared with clear career paths or the right training for the first jobs out of school.” And while it’s important for companies to hire candidates with system or network experience, Payne says insisting on direct security experience can severely limit the hiring pool. “Once hired, security companies can supplement their learning by helping employees earn in-depth technical security certifications and giving them opportunities to grow and further excel in their careers.”
He says it’s not about what a job candidate knows, but what they are willing to learn.
“Inquisitive and analytical candidates who are hungry to learn and willing to share knowledge make for the best employees, problem solvers and team players,” concludes Payne.
Michael R. Wright, computer and information sciences faculty at Harrisburg University of Science and Technology
So if you’re considering a career in cybersecurity, this is what you need to know. “A truly effective cybersecurity professional will have a diverse ‘tool chest’ of skills,” according to Wright.
This includes a strong math and analytical background, “in addition to practical skills such as programming and scripting, communications skills, project management and the ability to quickly adapt and change based on an evolving environment,” Wright tells GoodCall. “You’ll generally need a bachelor’s degree with a concentration in cybersecurity, a professional certification (like CISSP or Security+), hands-on experience in the information technology field (not just cybersecurity) and ongoing professional education.”
Wright says there’s a broad salary range: $65,000 to $175,000, depending on a lot of other factors like the geographic location, the position, and whether the employee is performing other functions as well.
And Hacker adds that salaries in cybersecurity have increased sharply in the past few years and he provides specific examples: “An entry-level Information Security Analyst can average $64K. Overall, average salaries nationally are $91K, and higher in metropolitan areas. Director-level and above salaries are $178K+ and executive cybersecurity salaries at large corporations can reach $250K and above.”