As both a CSO and CIO, I am often asked: what keeps you up at night? Undoubtedly, I, like many of my peers, have insomnia caused by the real and growing challenge facing not just my organization but the entire global cybersecurity community: the increasingly daunting task of identifying, recruiting, and retaining top talent to fill widening demand. While the problem is pervasive in all areas of IT, in cybersecurity it is particularly severe.
By Jason Albuquerque, CIO & CISO, Carousel Industries, Inc.
The forecasts are big, scary, and truly staggering. (ISC)² estimates the current global cybersecurity workforce at 2.8 million professionals, with a further four million needed to close the skills gap. That data indicates the cybersecurity workforce must grow by 145%. In the U.S. market, the current cybersecurity workforce is estimated at 804,700 and the shortage of skilled professionals at 498,480, an increase of 62% needed to better defend U.S. organizations.
So, what is being done — or what must be done — to reverse this trend and better equip our global workforce and the organizations it services to close this gap?
As a CSO, CIO, and former member of the U.S. military, I think I bring a unique perspective on the importance of continuous training and advanced certifications. I’ve seen the tremendous advantages they deliver to IT and security professionals at every stage of their careers. I also had the good fortune of taking a slightly different path to the corporate workforce – one that gave me real on-the-job training while attending college. It is this background that shapes my beliefs and thoughts on addressing this critical need for our cyber workforce development.
Here’s my five-point plan for developing a 21st-century solution to our cybersecurity skills shortfall.
1. Build New Alliances
Throughout history, tough adversaries have been defeated when two or more organizations joined forces to deliver a combined set of strengths and resources, producing value and results far more powerful than if those organizations had remained siloed or operated unilaterally.
Today, our nation's higher education system and the for-profit tech industry share a curious relationship. They have common interests, namely the education, preparation, and utilization of our current and future tech-focused workforce, yet the harsh reality is that, with few exceptions, successful partnerships between these two seemingly aligned entities remain rare.
We need to change this and develop new programs that incentivize research and training activity like those being driven by Facebook. While not a beacon for personal privacy and security, Facebook understood the dire need for security talent and has invested accordingly. Through its Cyber Security University Program, Facebook is collaborating with several colleges and universities to offer cybersecurity courses and provide access to hands-on training, mentoring, and industry events. Texas A&M University-San Antonio, one of the participants, won a National Science Foundation grant to help recruit students into the program and connect graduates with jobs. It also opened a $63 million science and technology building to house its Center for Information Technology and Cyber Security.
Facebook also launched a cyber skills development program specifically for Veterans, which I fully support and hope is replicated elsewhere. I applaud these efforts but urge more tech and IT services companies, as well as colleges and universities – especially at the state and local level – to look to follow suit.
Similarly, Fortinet has launched its Fortinet Network Security Academy (FNSA) and its Fortinet Veterans (FortiVet) program, which apply training and education to help close the cybersecurity skills gap.
FNSA aims to shape the next generation of cybersecurity professionals by providing Fortinet's industry-recognized training and certification to secondary and university students, as well as to individuals working with participating non-profit organizations. Academic institutions and nonprofits that join the FNSA program gain access to Fortinet's NSE certification curricula, giving participants a structured path into the ranks of skilled security professionals.
The program opens up training and certification that were once exclusive to Fortinet customers, employees, and partners. With more than 200 participating academies in more than 60 countries, FNSA graduates leave with skills they can use to defend networks against evolving cyberthreats.
2. Overhaul Cyber-Education Approaches
Despite the best efforts of colleges and universities, my experience has shown that students today are simply not graduating with current, hands-on skills. Surprisingly, relatively few colleges offer undergraduate or graduate cybersecurity degrees that ensure graduates have the skills that will make them successful. I am hopeful, however, that change is coming. Related to the point above, colleges are partnering with the private sector to design new programs and curricula that meet workforce needs and, in some cases, to help shoulder the cost of expensive training and simulation facilities such as cyber ranges. These schools include Augusta University, Regent University, Texas A&M, the University of Michigan, and Virginia Tech.
There is an overreliance on theory in many cybersecurity classrooms today. How do we change this? We need more cross-pollination between cyber practitioners and universities: guest lectures, real-world training, co-ops, hackathons. These are just a few of the vehicles that need to be adopted, promoted, and celebrated for their successes.
3. Adopt an Apprenticeship Model
Apprenticeships have their roots in the late Middle Ages, when master craftsmen trained young men and women. Across Europe and America, similar programs flourished at the turn of the 20th century in traditionally blue-collar skilled trades such as electrical and plumbing work. So perhaps the term "apprenticeship" suffers from a dated perception and is itself in need of an overhaul or adaptation. Regardless, it is hard to argue with the success of these programs in those industries, and in IT and cybersecurity we are long overdue for organizations to embrace and advance this model. It just makes so much sense, and not only for young men and women who have just graduated from high school or college and are unsure of their career paths or who have changed their minds. Apprenticeship programs can serve career changers at arguably every stage of life.
4. Incentivize New Skills Training
Whether part of a formalized apprenticeship program or not, there may be no workforce initiative of greater importance today than re-skilling or up-skilling workers. In cyber, this is happening, but only on a small scale so far.
In 2018, the Federal Cybersecurity Reskilling Academy offered U.S. Federal employees the opportunity for hands-on training in cybersecurity. This reskilling effort was part of the Administration's commitment to developing a Federal workforce for the 21st century, as outlined in the President's Management Agenda and the recent Government Reform Plan. The inaugural class comprised current Federal employees not working in the IT field and was designed to help them build foundational skills in cyber defense analysis. The second class was open to all Federal employees. Although the academy's future is unclear, demand was strong: Federal Chief Information Officer (CIO) Suzette Kent shared last year that the program received over 1,500 applications and over 20,000 social media impressions during a 50-day application window.
Last year, a program launched by my organization, the Certified Ethical Hackers Program, provided comprehensive cybersecurity training and certification to a group of employees seeking to expand their skillsets and knowledge. Based on the highly regarded Certified Ethical Hacker (CEH) curriculum, the training covered current offensive techniques, including footprinting and reconnaissance, network scanning, vulnerability analysis, system hacking, social engineering, session hijacking, and evading IDS, firewalls, and honeypots.
Our efforts focused on giving proven employees the opportunity to learn and apply new skills, both to fortify our own defenses and to bring those skills directly to client engagements. The program was tremendously popular; we intend to run it again in the future and are eager to open our playbook to other organizations interested in the concept.
5. Market Cyber Career Paths Downstream
Ultimately, for the cybersecurity field to have a sustainable pipeline of diverse talent, we need to identify aptitude for technology and cybersecurity as early as possible. To address this gap, we must capture the interest of a wider and more diverse set of students, reaching down to the middle school level. To succeed, we must work with K-12 educators to create cybersecurity curricula for teachers. These efforts will bear fruit down the line for our industry.
These programs work because they benefit everyone. Talent-strapped employers expand their recruitment pool while identifying a new crop of potential employees, likely with modest salary demands and eager to learn new skills as they enter a brand-new field. Employees, in turn, get a tremendous opportunity to learn valuable, highly marketable, real-world skills from tech professionals in proven corporations. Organizations such as Bosch, Barclays, IBM, and Amazon currently run, or have previously run, successful technology-driven apprenticeship programs. We need to learn from these organizations, celebrate their successes, and encourage many more programs of a similar nature.
About The Author
Jason Albuquerque is responsible for Carousel's IT Operations, Enterprise Security and Compliance, and Innovation Center of Excellence. He takes pride in leading the charge in building a culture that is secure by design for the Carousel community and its clients. Jason brings the leadership, industry knowledge, and agility that today's industry requires to respond effectively to the rapidly changing innovation, business, threat, and risk landscape. He is the recipient of several prestigious awards in technology and leadership, such as Rhode Island's 40 Under Forty Award and Rhode Island's Tech 10 Award, and is a seven-time National Public Technology Institute Solutions Award winner. Jason is a co-host of the Business Security Weekly Podcast and a frequent contributor to CIO, Forbes, and several other leading IT and business publications. He currently serves on Congressman Langevin's (D-RI) Cybersecurity Advisory Committee, the Tech Collective Board of Directors, and the Rhode Island Joint Cyber Task Force.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
This story first appeared in the July 2020 issue of CISO MAG.