Yesterday DHS and the Commerce Department released their most recent workforce report “Supporting the Growth and Sustainment of the Nation’s Cybersecurity Workforce”. The report was commissioned by the Trump administration in May 2017. Having studied this issue from roles in academia, private industry and government, I thought I would share my thoughts on the report.
Overall, I thought it does a good job and provides good ideas for improvement. I have always had a bone to pick with reports of astronomical cybersecurity job shortages. The “Cybersecurity Workforce” report states that there are 299,000 active openings for US cyber-related jobs. OK, but when I search (cybersecurity + cyber security) on www.indeed.com I find a total of 53,007 jobs. Somehow 82% of the jobs are not found on Indeed. Where are they? The DHS/Commerce report does acknowledge that we really don’t know how many jobs are open and exactly what industry and government need. What is the cybersecurity workforce and where does it need to be? This industry is changing so fast that answering that question may be difficult. I see MSSPs and cloud security services both growing very fast; this will reduce the overall numerical demand.
The report highlights the need for cross-training. I have long thought that more security roles need to move into the business. There are people in those domains who have a good security aptitude and, with some security training, can be extremely effective. 90% of their effectiveness would be just knowing the business domain. At the same time, the report’s findings note that “employers increasingly are concerned about the relevance of cybersecurity-related education programs in meeting the needs of their organizations.” Later in the report, mention is made of educational programs that focus on technical skills without including the many nontechnical skills needed to implement a security program. That is one of the gaps being identified.
Two other good points include the emphasis on apprenticeships and on certificate programs for cross-disciplinary education. Every type of career training can benefit from apprenticeships or internships. Why is this more important for security education? For one thing, security must be holistic; only a very few people can work as individual contributors. Certificate programs for individuals like project managers, business analysts and contingency planners would greatly improve the uptake of security in an organization.
Another very good point brought up relates to career paths. What is the cybersecurity professional career path? Especially as more workloads move to the cloud and more AI is introduced into SOCs, what will the career path be? My recommendation is to define security education more around risk management, covering both information risk and technology risk. A more comprehensive definition at the beginning will permit continued specialization and redirection later. In this way, professionals can expect to be part of any business initiative, all of which will need risk management. Today, almost all business initiatives will include information risks. Since employers also want new hires to have immediately usable skills, such education must also include specialized training in at least one security technical area.