How Cybersecurity Education Aims to Fill the Talent Gap
The future of cybersecurity in America is in the hands of current and future cybersecurity officers.
Chief security officer is now one of the fastest-growing careers in the cybersecurity space, and colleges and training programs cannot keep up with the growing demand. There are about one million job openings today, and the Bureau of Labor Statistics projects an even greater shortage in the information technology (IT) workforce by 2020. It’s expected that there will be 1.4 million openings, but only 400,000 computer science graduates with the necessary skills to fill the positions.
But hiring managers are already feeling the effects of the lack of qualified cybersecurity candidates. According to a recent 451 Research study, slightly more than a third – 34.5 percent – of security managers cited lack of security expertise as a reason why they could not fill open positions.
To meet the growing demand and better equip those who are seeking careers in cybersecurity, more colleges and professional organizations are beginning to add degree courses and certificates to their course offerings. The industry is also seeing new certifications available to security practitioners. For example, the Cloud Security Alliance announced in April that it is offering the certified cloud security professional designation.
The Professional Drought
The number of data breaches tracked in the U.S. by the Identity Theft Resource Center (ITRC) has jumped from 157 in 2005 to 783 breaches last year, a 200-percent increase over 10 years. The ITRC defines a data breach as “an incident in which an individual’s name plus a Social Security number, driver’s license number and medical or financial record (credit/debit cards included) is potentially put at risk because of exposure. This exposure can occur either electronically or in paper format.”
There have already been 450 breaches and 135,257,677 records exposed this year, according to the ITRC. Between 2005 and July 28, 2015, breaches total 5,377 and records exposed total 786,098,214.
While the surge in breaches has been incredibly steady over the last decade, a large number of CEOs and other executives seem to have realized only within the last few years the value of hiring a senior cybersecurity expert to lead their security programs, thus creating a drought in a job pool that was already small.
PwC found a rising concern in cybersecurity threats among the 500 U.S. executives, security experts and others from the public and private sectors who participated in the “2015 U.S. State of Cybercrime Survey.” Of those polled, 76 percent said they are more concerned about cybersecurity threats this year than in the previous 12 months, up from 59 percent in 2014.
And the concern matches an increased investment. Of the U.S. CEOs surveyed in March by the accounting firm BDO USA, LLP, 67 percent said they’ve dedicated more money to cybersecurity measures in the past 12 months. Of the CFOs who upped spending, 90 percent implemented new software security tools and 72 percent created a formal response plan to deal with breaches. Almost half of them turned to external security consultants, while 30 percent hired a chief security officer.
Gartner, a technology research advisory firm, has seen an uptick in spending over the last few years. Businesses and governments around the world spent $71.1 billion safeguarding their data in 2014, up 7.9 percent from a year prior. The IT research firm sees that rate accelerating this year to 8.1 percent, for a total of $76.9 billion. That number is expected to grow to $155 billion by 2019, according to research firm MarketsandMarkets.
Addressing the Demand
The job growth rate for information security analysts is higher than the average for other occupations. Over the last five years, there’s been a 90 percent increase in demand for cybersecurity professionals, which is three times the field’s growth, according to Burning Glass Technologies. The high job growth rate, in turn, is driving a sudden boom in the demand for cybersecurity education, which has higher education institutions studying how to address this demand. According to the Center for Homeland Security and Defense, there are 744 higher education institutions that offer programs awarding credentials ranging from certificates to doctoral degrees in the industry. The Center for Systems Security and Information Assurance, which provides students with real-world learning experiences in information assurance and network security, has instructed more than 2,000 teachers and college faculty in cybersecurity-related areas since 2004.
As higher education leaders are increasing their program offerings in cybersecurity, some can look to breaches at their own institutions to test their students’ training.
In July, Harvard University discovered “an intrusion” on its computer networks which was made June 19 and affected two IT systems that impacted eight colleges and administrations. Officials with Pennsylvania State University’s College of Engineering said it suffered years-long data breaches traced to China. In December 2010, Ohio State University notified thousands of students and faculty members that their personal information was compromised by hackers who broke into a campus server. Also in 2010, thieves stole $1 million from the University of Virginia after compromising the computer belonging to the university’s controller.
With cyberattacks on the rise at colleges and universities, some of the unfilled jobs are right on campuses. But with nearly one million unfilled jobs in the industry, students graduating with a degree in cybersecurity can almost write their own ticket to gainful employment. U.S. News and World Report ranked a career in information security analysis eighth on its list of the 100 best jobs for 2015. Editors state the profession is expected to grow at a rate of 36.5 percent through 2022. Average salaries nationally are $91,210, and significantly higher in big cities including San Francisco at $112,320, New York City at $120,460 and Sacramento at $142,200. Founders of successful cybersecurity firms and chief information security officers at large corporations can make as much as $500,000 a year.
While the choices in programs are vast, Ponemon Institute, a research center dedicated to privacy, data protection and information security policy, ranked the top-rated schools for cybersecurity in the “2014 Best Schools for Cybersecurity” report. IT professionals took a deep dive into programs and looked at more than 400 schools, ranging from two-year colleges to doctoral programs, determining the best programs based on: academic excellence; practical relevance; program faculty's experience and expertise; experience and background of students and alumni; and professional reputation in the cybersecurity community.
The following 12 schools ranked the highest:
1. University of Texas, San Antonio
2. Norwich University
3. Mississippi State University
4. Syracuse University
5. Carnegie Mellon University
6. Purdue University
7. University of Southern California
8. University of Pittsburgh
9. George Mason University
10. West Chester University of Pennsylvania
11. U.S. Military Academy at West Point
12. University of Washington
Ideally, the end goal for college students and professionals seeking cybersecurity degrees and certificates should be to pass the Certified Information Systems Security Professional (CISSP) exam. The CISSP credential is a common denominator among most security professionals. It is often the ticket that opens the door to a security opportunity, particularly if the practitioner is relatively new to the profession.
The curriculum for college students and professionals seeking cybersecurity degrees and certificates varies by school. For example, at the University of Tampa, where students can either major or minor in cybersecurity, the course load focuses on both the fundamentals of information systems and advanced topics in areas such as network security, cryptography, risk management, security governance, business continuity, security architecture, physical security and critical infrastructures. The program also specifically states it prepares students for the CISSP exam.
Utah Valley University’s new cybersecurity program features five stackable tracks with varying employment level goals in mind. The “stackability” depends upon a student’s desired education and career choices.
And a number of four-year institutions, including Georgia Tech, Georgetown, Drexel and Villanova universities and NYU Polytechnic School of Engineering, are offering cybersecurity certificates rather than degrees.
The United Kingdom mandated in June that any student majoring in computer science or IT must also take cybersecurity courses to address a critical skills shortage in cybersecurity by ensuring more than 20,000 computer science graduates a year study the subject. The directive went into effect in September with a two-year “grace period” for universities to comply with the new teaching criteria.
Realizing the need for cybersecurity experts will not wane anytime soon, the National Security Agency (NSA) and the National Science Foundation (NSF) are trying to get ahead of the demand. The NSA and NSF allocated $4 million this year to run 43 GenCyber summer programs for 1,300 middle and high school students. Students enrolled in GenCyber at universities in 18 states learn about online threats, basic cyber defenses and the ethics of operating in the virtual world.
Funding a Secure Future
The majority of cybersecurity education funding comes from the federal government, through various organizations and agencies. Leading the funding charge is the NSF, an independent federal agency that supports fundamental research and education across all fields of science and engineering. In 2014, the NSF awarded $74.5 million in Frontier grants for more than 225 new projects in 39 states. The cybersecurity research and education projects are aimed at minimizing the misuses of cyber-technology, bolstering education and training in cybersecurity, establishing the science of security and transitioning promising cybersecurity research into practice.
In January, the U.S. Department of Energy provided a $25 million, five-year grant to support the creation of cybersecurity education at 13 historically black colleges and universities, two national labs and a K-12 school district.
Some private foundations are supporting cybersecurity education programs. For example, in 2014, The William and Flora Hewlett Foundation announced the distribution of $45 million in grant funding to develop a “marketplace of ideas” for the study of cybersecurity.
The future of cybersecurity in America is in the hands of current and future cybersecurity officers. But until we figure out how to stay one step ahead of hackers, the demand for the best and brightest in the field will continue to increase, resulting in more dollars pumped into the industry. Unfortunately, faith is slim when it comes to a belief that we can keep cyberterrorists at bay if we cannot bring an increasing number of qualified security professionals into our programs. Sixty-one percent of 1,642 people surveyed by The Pew Research Center and Elon University’s Imagining the Internet Center believe a major cyberattack will happen by 2025, causing widespread harm to a nation’s security and capacity to defend itself and its people. Only a swift increase in the number of cybersecurity professionals and a corresponding swift reduction in the number of attacks will restore faith in our ability to effectively fight cybercrime.