Senator Warner and Others Realizing the Impact of Cyber and Lack of Trained Personnel
I spent last Friday in Hampton, Virginia, at Zel Technologies, where Senator Mark Warner and Secretary of Technology Karen Jackson led a roundtable discussion on cybersecurity with representatives from the military, local government, businesses, hospitals, and education.
In general, the vibe of the meeting was that the risk of cyber attack is immense and that the government needs help from industry coming up with solutions. Senator Warner explained that cyber threats keep him up at night and that many Americans don’t understand the extent or gravity of the damage a cyber attack could do against our country. The Senator went on to say, “What I’m really afraid of is that we could have an event, almost a cyber 9/11, where we shut down water systems, power systems, in a way that could be catastrophic before we really fully recognize how dramatic this threat is.” Ms. Jackson described cyber as a “broad vector, which touches everything, and despite some advancement with cyber crime, the state is still woefully behind.”
Cybersecurity job market: too many jobs, too few staff
Discussions ran the gamut from the $19B added to the federal budget for cyber, the creation of a Cyber Reserve Corp and a cyber workforce, to needing additional economic drivers to create and maintain innovation in Virginia.
We Need to Work Together to Expand the Cyber Workforce
Today, there are 200,000+ cyber jobs with an average salary of $80,000 unfilled nationwide, with Virginia having the most vacancies. This got me wondering: what types of jobs are “cyber jobs” and what are the requirements? I think that this is an important question to ask ourselves as there are many unemployed people. Understanding what the requirements are will help us determine the opportunities to fill the position. There was also a conversation about the ability to aid veterans by cross-training into these vacancies, but to effectively support that, we would need to know what the requirements are.
Dark Reading’s Rutrell Yasin is writing a series on the employment issues facing the cyber marketplace. I believe his articles are on target for what we are facing now and in the future.
Yasin points out that organizations today are lacking skilled people. In his article, Security Talent Gap Threatens Adoption of Analytics Tools, he states, “The recently released SANS Institute 2015 Analytics and Intelligence Survey revealed that the demand for cybersecurity tools and resources has doubled since 2014. The majority of the 476 respondents (59 percent) cited a lack of skills and dedicated resources as the main obstacles to discovering and acting on cybersecurity incidents and breaches.” He goes further to say, “Only 3% of organizations in the SANS survey say their analytics and intelligence processes for pattern recognition are fully automated, and another 6% report having a ‘highly automated’ intelligence and analytics environment.”
Yasin continues, “By leveraging technologies and automation, organizations can better distribute their security operations teams’ workloads, putting senior staff to work on more advanced threats, and at the same time, foster the recruitment of top talent.”
In another of Yasin’s articles, How To Convince Management You Need More People, he points out that there are actually not enough people to go around. “According to The 2015 (ISC)² Global Information Security Workforce Study, 62% of the 14,000 security professionals who were surveyed globally, stated that their organizations have too few information security professionals, compared to 56% in the 2013 survey.” And, to drive the point home that this is a global situation, “According to IBM and Ponemon Institute’s 2015 Cost of Data Breach Study: Global Analysis, the average total cost of a data breach for companies participating in the survey increased 23 percent over the past two years to $3.79 million. Three hundred and fifty companies representing 11 countries participated in the survey, including the U.S. and U.K., Germany, Australia, France, Brazil, Japan, Italy, India, Saudi Arabia, the United Arab Emirates and, for the first time, Canada.”
Certifications and required experience are another issue affecting the cyber workforce. According to employment data analytics company Burning Glass’ Cybersecurity Jobs, 2015 report, CISSP certification is what many companies use to set the bar for their cyber workforce. In 2014, there were nearly 50,000 postings which required a CISSP. Interestingly, they say that this is three-quarters of all the people who hold that certification in the United States, and presume that most of them already have jobs. There is also a requirement for 5 years of work experience to receive your CISSP. Although this data is about 2 years old, I would imagine that this is still the case. Burning Glass also states, “The fastest increases in demand for cybersecurity workers are in industries managing increasing volumes of consumer data such as Finance (+137% over the last five years), Health Care (+121%), and Retail Trade (+89%).” And further, “Some 84% of cybersecurity postings specify at least a bachelor’s degree, and 83% require at least three years of experience. Because of the high education and experience requirements for these roles, skills gaps cannot easily be resolved through short-term solutions. Employers and training providers must work together to cultivate a talent pipeline for these critical roles.”
Yasin, in Dark Reading’s How To Convince Management You Need More People, discusses communication skills as an imperative for cyber jobs. “The need for security managers to have better communication skills appears to be supported by responses in The 2015 (ISC)² Global Information Security Workforce Study, which was conducted by Frost & Sullivan. When reporting how important various skills and competencies are to career success, 77% of the respondents said communications skills ranked as the single-most important attribute. Interestingly, analytical skills, another soft skill, ranked second, ahead of more concrete competencies such as architecture; incident investigation and response; info systems and security operations management; and governance, risk management, and compliance, according to the report.”
And once you have the talent, retaining it is actually a bigger challenge. Again, Yasin, in his article, How to Retain Good Security People: Keep the Work Exciting, states, “In a single year, 2014, nearly one in five security professionals changed employers or employment status. Across the 2011, 2013, and 2015 surveys, churn of nearly 20% is the highest that has been seen,” the report says. “Correspondingly, having 14% of respondents reporting that they ‘changed employers while still employed’ was also the highest percentage across the three surveys. Rising churn is the first sign of rising security professional scarcity,” according to the (ISC)² report. Also from the article, “One way to help make the work environment more challenging is to automate the mundane tasks, AlienVault’s Javvad Malik says. ‘Every organization has boring and routine things to do, but if they [security managers] can try to automate it or give it as a project,’ the security team could focus on more complex tasks, he says.”
This all adds up to some troubling facts:
- There are not enough people who meet the requirements of the cybersecurity workforce, and retention is very difficult due to the need for the same group of people across the entire industry.
- The requirements for these jobs are very high end - in particular, a bachelor's degree and several years of experience. And certifications like CISSP, although a starting point, have the same issues as they require multiple years of experience. So, while there is a great need for more people in the cyber workforce, required education and experience make this nearly impossible to do quickly.
- Third, consider veterans, who could be a great source, but unfortunately many do not have a college degree. And though some veterans will come out of the military with the right skill set for a cybersecurity job, the reality is that they will not need much help landing a job. What we need to consider are the other 240,000 to 360,000 people that leave the US military each year. We should be thinking about how to train and get them into a cybersecurity career.
How do we solve this? Using a Threat Intelligence Platform (TIP) allows teams to work together - wherever they are. Our culture is a virtual one, and thus a platform like ours provides a means for teams to collaborate no matter their location. By centralizing the workflow and automating tasks, the security team can prioritize capabilities and, more importantly, engage analysts in the work they are trained to do. A TIP allows security teams to identify and measure success and thus realize where the gaps are - and fill them accordingly.