In the United States, hundreds of thousands of cybersecurity positions remain unfilled because there are not enough experienced candidates. That’s a problem—especially when cybersecurity is more important to organizations than ever before. With ransomware, malware, data breaches, sophisticated phishing attacks, and the relentless efforts of cybercriminals growing more sophisticated each day, we need people skilled enough to help organizations fight back.
VC3’s Chief Information Security Officer, Joe Howland, recently offered a few thoughts about addressing the cybersecurity talent shortage and how organizations can best adapt considering these challenges.
A talent shortage has existed around cybersecurity for quite some time. What do you feel are the root causes?
First, we’ve seen an absolute explosion in the requirement for security professionals. Ten years ago, you could pretty much throw a firewall on the edge of your network and call yourself secure. Ransomware attacks were not common, and you didn’t have to worry so much about a variety of security nuances like we see today. Once in a while, a few security vulnerabilities would get exploited like they do today, but the cybersecurity landscape looked very different for the most part.
Developments over the last 10 years have shattered that model. Today, so many different avenues have opened up where we can be attacked, and there are so many different ways that malicious actors are trying to take advantage of security weaknesses in our organizations—including socially engineering people within our organizations to commit a data breach. As a result, we’ve seen an explosion in the demand for people to understand this new cybersecurity world. The landscape shifted so quickly that there hasn’t been enough time for engineers to be formally trained in four-year degree programs, certification programs, and years of work experience.
Compounding that problem, many educational programs are trying to accelerate the teaching of our modern security mindset and required skillset, but many organizations are still nervous about hiring people who don’t have extensive experience in cybersecurity roles. If something goes wrong with cybersecurity, the consequences can be very dramatic to your organization. You don’t want to hire someone out of school with no real experience, even if they have security certifications or some education. They don’t have the hard experience that gives organizations a comfort level that these people truly understand how to adequately protect them.
What are some ways we can increase the supply of cybersecurity talent?
In the long term, we’ve got to get people interested in the field and get them trained. But we also need ways to give them real experience so they can have an impact when they enter the workforce. That’s difficult, but I’ve seen some compelling models over the past several years that may help. For example, Clemson created a Cybersecurity Operations Center staffed by students. They are not only educating students about cybersecurity but also giving them some valuable real-world experience that they can apply on Day 1 of a job in the real world. Programs like these are extremely helpful, and we need more of them.
In the short term, we need to find people within our organizations who are already technical—with skills such as networking or managing server infrastructure—and shift some of those people toward cybersecurity. Many people already have a significant portion of a cybersecurity foundation, making it a much faster shift for them into cybersecurity and a higher likelihood of immediately providing real value in the cybersecurity world.
For small organizations, the likelihood that you’re going to find a qualified security candidate, hire them, pay them enough, and retain them is low. These organizations need to consider managed services providers (MSPs) that can provide a fractional CISO, someone who can help part-time without needing to pay for a fully salaried cybersecurity professional. And instead of trying to build your own security apparatus, look for a third-party security operations center where they’re staffed to monitor and manage security alerts. Because of the low supply of cybersecurity professionals and the expense in hiring them, we’re seeing a lot of cybersecurity services consolidation in the short term where organizations are leveraging third parties to help manage security.
A debate exists around what experience is important when hiring cybersecurity professionals—educational experience, work experience, certifications, etc. What experiences do you feel are the most important for a cybersecurity professional?
It’s a hard question with no clear answer. Certainly, one can go through school, get an education and some certifications, and gather some base knowledge that’s going to allow you to contribute in some form or fashion to the cybersecurity world. In some cases, you need someone who understands business. Security isn’t all about managing technology. The field requires knowledge about areas such as policies, procedures, regulations, and risk management that all play into cybersecurity. In the end, it’s about what skills they have that really help bring more cybersecurity into an organization.
Over the years, I’ve seen some candidates fresh out of a four-year college with high-end theoretical knowledge but who didn’t have a lot of practical knowledge to bring to the table. But then I’ve seen other candidates from a technical college or a two-year college who had more hands-on training, and they came into an organization ready to work. People who go through the higher end universities may fit somewhere into a bigger organization where there is more structure in place. In the long-term, they may turn into VCIOs, CIOs, or higher-level senior management. But at the entry level, they often don’t have the skills to immediately make an impact, which is what organizations want. I definitely think experience of some kind matters, but I’m not going to discount education and certifications. Those are certainly important as well because they bring formality to cybersecurity processes learned through experience.
What attracted you to cybersecurity, and why is it an appealing career?
One of my very first professional jobs out of college was working for a major defense contractor. We worked in the aerospace industry supporting government contracts. Even though it was 25 years ago, they already put a lot of stock in security. They did not look at security as just throwing a firewall on the edge—and so I really got indoctrinated into cybersecurity seeing it at this level.
Once, I was working at a plant where they had a black network completely caged off and disconnected from the main network. I walked into an office on my first day with a new client, somebody told me where I was going to sit, and I plugged in my laptop. Within 30 seconds, an armed guard stood behind me saying, “Who are you and why are you plugging an unknown device into our network?” That really struck me as cool. A little alarming, but cool!
These early experiences led to me managing data centers, and security was always a part of this role. When I arrived at VC3, they had hosted solutions and security needed to be part of those solutions. I took on the role of Chief Information Security Officer to help VC3 focus more on cybersecurity and I’ve found it to be an interesting role. What’s compelling to me about cybersecurity is that it mixes a need to be nerdy and technical with process-oriented, higher-level, strategic thinking. These skill sets go together well and offer plenty of variety in my day-to-day work.