The next national security crisis may not be a terrorist attack on a commercial airplane, or our nation’s water supply, or even one that shuts down the critical infrastructure. The next national security crisis, instead, may be a lack of ability to mitigate or respond to such an attack because frankly, there’s no one available to mitigate the attack or respond to it.
There is an IT security skills shortage that’s occurring right as the volume and sophistication of cyber and physical attacks continues to rise. The sophistication of the technology and tactics used by online criminals – and their nonstop attempts to breach network security and steal data – have outstripped the ability of IT and security professionals to address threats. Most organizations do not have the people or the systems to monitor their networks consistently and to determine how they are being infiltrated.
The battle means that companies might be in danger of losing simply because they lack the manpower to deal with it. The battle means that companies looking for more security staff aren’t going to find them – they’re going to have to create them.
The Internet of Things
There are several reasons for this problem. One is the changing nature of cyber attacks. It used to be emails that were most commonly targeted, such as bogus messages from banks telling people they needed to email their account details to help reboot their online access due to maintenance work. Others involved scams where people were told they were to receive a large sum of money, but needed to send some cash first. The sophistication of the technology and methods used by online criminals – and their nonstop attempts to breach networks and steal data – have outpaced the ability of IT and security professionals to address these threats.
Second, says Jeanne Beliveau Dunn, VP & GM of Learning@Cisco, is the Internet of Things. More things are connecting to the Internet than people – last year there were more than 5 billion cellphones, 2 billion broadband connections and 1 billion people who are on Facebook and Twitter. With those devices comes a shortage of resources to support them. “So the surface of the attack has become increasingly greater,” she says. “The challenge of a security team has gotten significantly greater and will continue to. By 2020 there will be 50 billion devices that will be connected to some network.”
The security talent shortage makes this problem worse: even when budgets are generous, CISOs are struggling to hire people with up-to-date security skills. This year, says John Stewart, chief security officer and SVP at Cisco, the industry is short more than 1 million security professionals across the globe. Also in short supply are security professionals with data science skills – as understanding and analyzing security data can help improve alignment with business objectives.
Closing the Security Gap
Cisco, (ISC)2, the University of Phoenix, the SANS Institute and others are establishing programs and partnerships with universities to try to solve the staffing problem, which is global in nature.
It can be done. For example, Ireland is attracting American businesses and European workers because among other factors, it’s English speaking, it uses the Euro, and it’s located within the time zone that’s nearest to the United States. European governments have also lowered barriers to entry, making it easy for workers from Eastern Europe to take jobs in Ireland. After years of investment, McAfee and Symantec opened operations in Ireland, and now there are major security clusters in Dublin and Cork that include a variety of security companies. According to Symantec, the country’s security sector employs more than 6,000 people. Symantec, along with FireEye, McAfee and Mandiant, created more than 700 jobs in Ireland last year.
If the rest of the world is going to solve its security skills shortage it will need to create similar clusters in other parts of the world.
(ISC)2 is trying to create educational awareness, including working to connect with children in primary and secondary school, as well as expand partnerships with universities. In addition to providing more mentoring, internships and apprenticeships, (ISC)2 believes that the security industry as a whole needs to work with universities to create curricula that can to respond to a rapidly changing industry.
In addition to attracting more non-techies, the security industry needs to attract more women. Currently only 11 percent of the security workforce consists of women. (ISC)2 is in the process of creating a Women in Security initiative to address that problem.
In addition, the (ISC)2 Global Academic Program offers products and services for colleges and universities that can be tailored for both undergraduate and post-graduate requirements. Classroom materials, which range from domain-specific modules and practice assessments to faculty handbooks and student textbooks are drawn from the certification CBKs. The program is open to accredited institutions interested in enhancing cyber content within their security, computing, IT or other relevant course offerings.
“We believe it’s critical to recognize and support the role of the academic community in the development of much-needed cybersecurity talent for now and in the future,” says W. Hord Tipton, CISSP, executive director for (ISC)². “With the global skills gap in this sector increasingly acknowledged by companies and governments around the world, industry and academia must come together to address this challenge. (ISC)2 is in a unique position to offer its educational content, which is regularly updated and vetted by experts, to colleges and universities around the world as part of this collaborative development effort required for our now digitally-dependent society.”
The program is being launched as governments around the world seek to improve university curricula as part of their national cybersecurity strategies. Objectives outlined by governments include the improvement of employability for students after graduation, with cybersecurity considered a high-demand area.
“University of Phoenix is committed to providing degree programs and curriculum that reflect real industry needs and was one of the first universities to join the (ISC)2 Global Academic Program,” adds Dr. Tim Welsh, senior vice president - Industry Strategy, at Apollo Education Group, the parent company of University of Phoenix. “There is a clear demand for information security professionals, and the University is pleased to collaborate by working to align our education programs with industry talent development priorities.”
At Cisco, Stewart and his staff believe that in addition to working with universities and schools, the people working in IT security need to be reskilled. Learning@Cisco provides network security engineers, analysts and product specialists with development opportunities to ensure on-the-job readiness. For example, a redesigned CCNP Security Certification focuses on enabling Network Security Engineers who are required to design, deploy, maintain and manage end-to-end network security solutions. A Cisco Cybersecurity Specialist Certification offers Network Security Analysts the latest threat detection and mitigation skills using the most advanced security solutions currently available. The Cisco Cybersecurity Specialist Certification recognizes security professionals that have attained specialist in-depth expertise and proven knowledge in the essential areas of proactive cyber threat detection and mitigation. And for network security engineers looking to gain expertise on specific Cisco network security products, Cisco has training with new courses.
Cisco is also networking with universities to engage them before they enter the workforce, by sponsoring “Hackathons” and other security contests, which Mashable calls the “new career fairs.” Hackathons are ideal hunting grounds for companies looking to score top talent straight out of school. They are often more appealing than a traditional career fair, as companies can send their staff to an event and get a first-hand glimpse at potential candidates and their skills. A recent hackathon event at the University of Illinois drew about 700 students from 21 universities. Students competed for $170,000 in prizes from corporate sponsors from Groupon, Goldman Sachs, Yahoo, Google and more.
While Stewart and his team are working to help solve the security shortage, Stewart believes that educating current and future students and working with universities won’t be enough. “We wanted to call attention to this security shortage because it’s not a quick fix,” Stewart says. “This won’t be solved in a year. It will be a four- to eight-year cycle in order to close that gap.”
"We are getting ahead of our skis,” to just educate alone, Stewart says. “Despite all of the hard work that we do, there’s still work to be done to get consumer technology easier to use. There’s work to be done on simplicity and working smarter, not harder, so we may not need as many people to secure our businesses. That would help to close some of that gap.”
What will happen in the meantime, Stewart says, is that managed security services will be needed more than ever. “If don’t have the skills yourself in house, you will need to buy it, whether it’s a generic service, or cloud service provider,” he says. “There is not a shortage of security providers, and that’s good and bad news. One size does not fit all. Just because a provider understands privacy regulation in Europe doesn’t mean they protect oil and gas in Australia. There is a certain localization and understanding that needs to be there. Second, security executives need to fully vet the service they are getting and constantly know what they are buying.”
Another result of the security staffing shortage, Stewart says, is that allbusinesses need to think about security as their mainstream business. “Every company is a security company,” he says. “You might provide water to the city of LA, but you are really involving technology and security. There’s a natural revolution to rely on IT systems to do your core security. But that trend is going away, as breaches of companies and the consequences of those breaches are changing and liability and regulation increases.”
Yet another trend that is showing signs of life as the result of the gap, Stewart says, is that “We have to stop solving the same problem ourselves. I’m always amazed when a peer and I get together and learn that we solved the same problem. Why are we working the same problem individually when we could have gotten together and shared the solution and not duplicate it? It’s called sponsored and completely acceptable cheating. There is more power in numbers. The energy community has been more progressive in this area. They tend to divide and conquer.”
Large-scale breaches may push that trend. For example, in April the National Retail Federation announced the establishment of an Information Sharing and Analysis Center, or ISAC, for the retail industry, in response to the Target data breach from late last year. “ISACs are industry groups that typically run security operations centers that operate around the clock,” said Reuters, providing alerts about emerging threats to their members and sharing information provided by law enforcement and other government agencies. “They are set up under terms of a 1998 U.S. presidential directive to foster sharing of security information between the public and private sector.” Retailers have been under pressure from Congress and consumers to bolster security since the attack on Target. After the breach was uncovered, according to a Reutersreport, retailers complained that they had difficulty obtaining information from law enforcement about what had happened and how to thwart follow-on attacks.
At the SANS Institute, Alan Paller, director of research, says that the organization is looking to create a pipeline of professionals with deep technical skills. “The last time that the United States had a shortage of this type was in 1940, when it needed 300,000 pilots. The nation built pilot training programs. It didn’t happen overnight, but it solved the problem,” he says.
“Universities and colleges are not graduating students with deep technical talent and security,” Paller adds. “They are either teaching the theoretical security or they are teaching security basics, but they are not teaching the advanced hands-on skills that the nation needs.”
The other issue with most colleges and universities that is fueling the staffing shortage, Paller says, is that they don’t have the faculty with the skills to educate their students on cybersecurity techniques. “Nobody is doing anything wrong; professors are doing what they know how to do, but it’s created this radical staffing shortage in advanced technical skills. When you seek to develop pilots, you don’t want them trained by someone who has never flown a plane. Similarly you don’t want surgeons to be taught by people who have not done surgery. One possible path forward that is enabling colleges to become part of the solution is the creation and support of cyber clubs where students learn and practice hands-on skills. Sadly the club often competes with academic work for student time and interest. One school that has done well with security education is West Point, which has a hands-on cybersecurity program that culminates into a competition, but it’s not separate from their academic work.” And while it’s positive that some states, such as Maryland, are creating cybersecurity job opportunities, Paller says that’s not enough. “It’s wonderful for the economic viability of Maryland, but it doesn’t solve the manpower problem,”
In addition to the many education and training programs that it offers, SANS recently established a VetSuccess program, where it partners with the U.S. military to connect service men and women who will soon leave the military for civilian life with high-paying IT security jobs. “Because of military cutbacks, there are 6,000 IT people that are soon leaving the armed services,” Paller explains. “They are generally given a six-month notice. During that time when they are out of active battle, we are giving them some intense training and aptitude testing, and then connecting them with employers. We are creating a pipeline that we hope will eventually help solve this security staffing crisis.”