To solve the most complex security challenges that organizations face today, industry, government, and academia must substantially increase the number of cybersecurity professionals in the workforce. Barriers to entering the field must be eliminated, and educational opportunities must be increased to ensure that talented people from diverse backgrounds have the opportunity to fill the growing IT and cybersecurity talent deficit. To help compensate for the lack of skilled professionals, automated solutions must become more sophisticated.
It is well-documented that the shortage in the cybersecurity workforce is affecting organizations’ abilities to manage the security of their increasingly complex information networks. A 2016 study by McAfee and the Center for Strategic and International Studies (CSIS), "Hacking the Skills Shortage," found that the cyber skills shortage is not just a regional or even a national problem—it’s global. Around the world, 82% of respondents reported a lack of cybersecurity skills within their organization and 71% acknowledged that the talent shortfall makes organizations more vulnerable to attackers.
This problem is expected to worsen in the coming years. According to a February 2017 Global Information Security Workforce Study from (ISC)2, the workforce shortage is projected to reach 1.8 million by 2022. To remediate this shortage, policymakers must work to encourage a larger segment of the population to become involved in technical vocations, specifically in cybersecurity.
The cybersecurity skills shortage is particularly acute in the federal government. According to former U.S. Chief Information Officer Tony Scott, there were an estimated 10,000 openings in the federal government for cyber professionals, but there were not enough qualified people to fill them. Given the vital role that government agencies like the Department of Defense (DoD) and Department of Homeland Security (DHS) as well as intelligence agencies play in protecting the United States, this skills gap is disquieting and merits attention from policymakers.
In May 2017, President Donald Trump issued a cybersecurity executive order requiring the secretary of commerce and secretary of homeland security to assess the scope and sufficiency of the administration’s efforts to educate and train an American cybersecurity workforce of the future. This includes education curricula and training and apprenticeship programs, from primary to higher education.
Importance to McAfee
Ensuring that there is a growing supply of talented cybersecurity professionals, at every level, is one of our top corporate initiatives. We are committed to working with public and private sector stakeholders to close the long-term, systemic cybersecurity skills gap through policy advocacy and partnerships with schools and universities. Our active engagement in closing the skills gap also enables us to build strong bonds in the communities in which we operate, which in turn helps us recruit and retain the type of talent we need to grow our company and prosper.
As a leading cybersecurity company, McAfee is committed to doing what we can to not only alleviate the skills shortage but compensate for it. We believe that intelligent automation provided in an integrated environment should be used to replace human resources that have been required to perform mundane tasks. This will help improve the defense of organizations and can be accomplished via organizationally configured policy that drives intelligent, context-driven automation, allowing humans to do what they do best—think and act.
Public-private sector cross pollination
We must develop creative approaches to enabling the public and private sectors to share talent, particularly during significant cybersecurity events. Cybersecurity is a rapidly changing area, and what’s valid today might well be superseded tomorrow. We know that the adversary is constantly innovating and changing course, often reacting to new defensive capabilities the private sector develops. It’s unrealistic to think that government cyber practitioners would be able to keep up with such a rapidly evolving environment without private sector assistance. We should design a mechanism for cyber professionals—particularly analysts or those who are training to become analysts—to move back and forth between the public and private sector so that government organizations would have a continual refresh of expertise.
One way to accomplish this would be for DHS to partner with companies and other organizations such as universities to staff a cadre of cybersecurity professionals—operators, analysts, and researchers—who are credentialed to move freely between public and private sector service. These professionals, particularly those in the private sector, could be on call to help an impacted entity and the government respond to a major hack in a timely way. Both government and private sector cybersecurity professionals would benefit from regular job rotations of possibly two to three weeks each year. This type of cross-pollination would help everyone share best practices on technology, business processes, and people management. DHS should include a flexible, public-private pool of certified professionals in its planned rewrite of its cybersecurity hiring and retention plan. If DHS is not ready to act, Congress should establish a blue-ribbon panel of public and private sector experts to study how a flexible cadre of cybersecurity professionals could be started and managed. Much like the National Guard, a flexible staffing approach to closing the skills gap could become a model of excellence.
Expand the CyberCorps program
The National Science Foundation (NSF) CyberCorps Scholarship for Service (SFS) program is designed to increase and strengthen the cadre of federal information assurance specialists who protect government systems and networks. To date, the federal government has made a solid commitment to supporting the SFS program, having spent $45 million in 2015, $50 million in 2016, and $70 million in 2017, and having requested $40 million in the administration’s FY18 budget. An investment of $40 million pays for roughly 1,500+ students to complete the scholarship program. Given the size and scale of the cyber skills deficit, policymakers should significantly increase the size of the program. An investment of $180 million could support roughly 6,400 scholarships, providing short-term relief for the cyber skills gap.
Create a community college program
Community colleges tend to attract a variety of students, from recent high school graduates to returning veterans and other adult students with professional experience seeking to change career paths. Through public and private investments, community colleges could establish funded courses of study focusing on IT and cybersecurity. Interested students would be taught by both college faculty and private sector practitioners, earning a two-year certificate in cybersecurity that would be transferable to a four-year school or would equip students to enter the workforce immediately. Like the CyberCorps program, graduates would be placed in a federal position and spend the same amount of time as their scholarship period working in a guaranteed government job. Such a program should not replace, but rather complement, the existing, highly valued CyberCorps SFS program.
It is crucial to spread the word to students in grades K-12 that cybersecurity is an exciting career that can have a major positive impact on society. Recent data from Microsoft shows that European girls become interested in STEM around age 11, but this starts to wane by age 15, illustrating a need for us to both engage and inspire young women during this critical time.
We must increase teacher recruitment, but it’s important to remember that cybersecurity is a unique field of study and thus requires a unique approach to teaching. Industry practitioners have rich and varied experiences that enhance the conversation of how to be an effective cybersecurity professional, and extraordinary insight can be gained from practical, hands-on experience in the field.
Greatly increase diversity
The cybersecurity profession stands to profit greatly from diversity across many sectors. The number of women in the field is only 11% globally, according to the Women in Cybersecurity report by the Center for Cyber Safety and Education and Executive Women’s Forum on Information Security, Risk Management and Privacy. In North America, women constitute only 14% of cybersecurity professionals. The percentage is even lower for African Americans, who comprise 3% of information security analysts in the U.S., per Bureau of Labor Statistics figures. Training and recruiting more women and people of color could help alleviate the skills gap. Interestingly, many of what society traditionally considers “feminine” traits are highly valuable in cybersecurity—collaboration, teamwork, and creativity, to name a few.
Additionally, we can both appeal to more women and attract more philanthropy-minded individuals by better explaining how cybersecurity work helps people. For example, among women engineering graduates, the numbers are highest in biomedical engineering and environmental engineering—fields where students can draw a direct correlation to helping humanity. Cybersecurity is clearly a field that helps protect and empower people. If we brand the domain effectively, there’s a target-rich environment of highly capable girls and women who could be joining the ranks to fill that 1.5 million and growing deficit.
Automate routine functions
A final and more long-term strategy to address the cybersecurity skills deficit is to support increasingly automated systems—particularly advanced technologies incorporating machine learning and artificial intelligence. Automated architecture helps address the skills gap by reducing the mundane work for cybersecurity and IT staff and helping them focus solely on determining remediation that requires human intervention and analysis. Relying on increasingly sophisticated automated solutions will be both efficient and necessary. We are not close to filling the cyber skills gap, though our technology is rapidly improving. We must work on both imperatives simultaneously: training more cybersecurity professionals and making their roles more sophisticated by automating routine tasks.