A recent ISC² Cybersecurity Workforce Study placed the resource gap worldwide at 4.07 million professionals. The challenges we face when grappling with that gap are myriad and are exacerbated by the security paradigm to which we may have historically pledged allegiance. The dominant paradigm over the last two decades has been that of Reactive Detection. Much of its associated resource demands are the result of a “Defense in Depth Architecture,”— the result of a failure, high in the kill chain, on the part of signature-based anti-virus solutions which then necessitated the construction of elaborate downstream structures that were costly, complex, resource intensive and, ultimately, ineffective.
The arrival of artificial intelligence (AI) and machine-language-supported, proactively preventative solutions, with the levels of efficiency and effectiveness they bring with them, now mean that much of that downstream demand should dissipate, liberating resources which can now be applied to such critical areas as insider threat. To that end, the selection of those with the proper skills and abilities is evolving and will be a different activity, free of the General Attribution Error that has often characterized historic searches, and will tilt now more toward those who possess AI and data management skills.
Recognizing and attracting talent from this rising digital generation requires new partnerships and thinking. In addition to building awareness of this career field, offering more opportunities for internships and apprenticeships, and entry-level pathways for students’ post-education, we need to consider additional sources of talent and improve our ability to assess such talent.
All-Girl Cybersecurity Summer camps, such as those at Brigham Young University, are an example of recent efforts to think outside the conventional box when it comes future talent, mitigating historical instances of discrimination, and priming the pump when it comes to a group that has been historically under-represented in our cybersecurity ranks.
In their MBA curriculum, many business schools of America have begun to reflect an appreciation that security is no longer the exclusive purview of the “guns, gates, guards and geeks” over there, but a duty and responsibility owned by all. They appreciate that if they are sending out into the world our next class of business executives with that historically narrow view of security, they’ve positioned them to fail. Beyond that new baseline, some MBA programs are even offering Information Security as a specialization. At the end of the day, that means a certain level of training and awareness of the threats poised out there to strike at our collective interests must be had by all.
Measured in that manner, the “gap” may be even larger and reflected in terms that often go ignored except perhaps once a year during October’s National Cybersecurity Awareness Month. Overcoming that gap is a challenge of a different order and magnitude.
Another bright spot reflected in our efforts to address the skills gap is the number of college cybersecurity programs seeking the distinction of being named a National Center of Academic Excellence in Cybersecurity, a program managed by the National Cryptologic School at the National Security Agency. Federal Partners include the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Institute of Standards and Technology (NIST)/National Initiative on Cybersecurity Education (NICE), the National Science Foundation (NSF), the Department of Defense Office of the Chief Information Officer (DoD-CIO), and U.S. Cyber Command (CYBERCOM).
Finally, one of the functional areas hardest hit by the resource gap is our Security Operations Centers (SOC). The 24/7/365 nature of these centers make staffing a particular challenge. Having one’s talent poached is not an infrequent occurrence. One of the emerging and viable responses to that challenge has been to outsource security operations center (SOC) operations or to augment one’s force with a virtual CISO [vCISO]. Necessity once again proves to be the Mother of Invention. All these factors combine in a way that should give us hope in meeting the challenge of the future.