Cyberskills shortage:Where is the cyber workforce of tomorrow

Stephen Cobb, CISSPSecurity Researcher, ESET NA

What is on the agenda?

• Numerous studies show a serious shortage of qualified people to fill IT jobs of all kinds today

• Shortage even more dire for jobs requiring cyber security skills

• Discuss implications, look at ways to cope, while improving cyber security education & training

Cyber security skills

• Cyber security is the realm of problems arising from the use of digital technology

• Cyber security skills tackle those problems

Notes on language

• We take “cyber security” to mean all aspects of information system security

• We will be using “cyber” as short for “cyber security”

Question #1Is your organization experiencing a cyber skills shortage?

Yes No I’m not sure I don’t work for an

organization

What’s the problem?

• Cybersecurity jobs now represent nearly 10% of all IT jobs

• 209,749 postings for cybersecurity-related jobs in the U.S in 2013

• Burning Glass Technologies

Many of those cyber security postings are going unfilled

What’s the problem?

• Cybersecurity postings have grown 74% from 2007 - 2013.

• 2x faster than all IT jobs• Cybersecurity job postings took

24% longer to fill than all IT job postings 36% longer than all job postings

Burning Glass

Demand is outstripping supply

• In US, employers posted 50,000 jobs requesting CISSP, recruiting from a pool of 60,000 CISSP holders

Cyber security shortfall

• By 2014, the industry will still be short more than a million security professionals across the globe– Cisco 2014 Annual Security Report

• In my research/conversations:– Estimates of the shortfall of

qualified cybersecurity workers in the U.S. alone range from 50,000 well into six figures

What’s driving demand?

• Huge surge in demand across both private and public sectors

• Pentagon to triple cybersecurity personnel over next several years to bolster US national security

• Will have 1,800 cyber professionals end of 2014 but 6,000 by 2016– Defense Secretary Chuck Hagel

– Reuters, March 29, 2014

Organized cybercrime rolls on

• Organized crime and petty criminals diversifying into cyber

• Risks and barriers to entry are low• Lack of leadership hampers the

law enforcement response

Supply-side factors

• Not enough people have cyber security skills and many skilled cyber folks nearing retirement

• DHS reports– 80% of those currently working in

cybersecurity are 40 or older – Less than 6% are 30 or younger– 32% eligible for retirement now or

within the next three years

Improve supply

• We are not training enough (young) people in cyber security

• We are not good at hiring good cyber security people– I feel your pain!

How to increase cyber workforce

• Nurture• Educate• Train• Hire• Rent• Import• Rationalize• Go outside the

box

Nurture

• Get kids excited about cyber early • Not enough kids are “interested” • 82% of millennials (born between

early 1980s and early 2000s) say:– Careers in cybersecurity were

never presented

Nurture: STEM education

• Schools not offering compelling computer science classes

• Computer science courses often lack security component

• Only 9 statescount comp-scifor high school graduation

Nurture: going beyond

• Project Lead The Way• PLTW.org

Nurture: Partnerships

• Life Journey• LifeJourney.us

Nurture: Community

• Securing Our eCity• SecuringOureCity.org

Train

• Not all cyber security jobs require degrees (even though some firms do)

• Training and certification is a viable path to building knowledge and skillset

The training dilemma

• Company objects to training because “sometimes employees leave after training”

• But which is worse:– You train them and they leave– You don’t train them and they stay

Hiring

• You can train existing employees for cyber roles or hire fresh talent

• Hiring the right people is not as easy as you might think

• Many job postings are ridiculously long and demanding

• Many “requirements” are not really required

You need experts to hire experts

• Be honest, are your HR and managers capable of properly assessing cyber talent?

• If not, enlist help• Do not use degrees and massive

requirements to CYA• Because they won’t CYA if you

make a bad hire who has all the right paper requirements

Question #2Does your organization have “in-house” cyber security talent on staff or do you use outside experts?

Yes No I don't know I don’t work for an

organization

Rent

• Outsourcing your IT security is a viable option– All of cyber security – Or select functions

• Certified consultants• Managed Service Providers

You can’t outsource

• Your responsibility to protect data• And you still need all employees to

understand their roles in maintaining security of company data and systems

Import

• The H-1B visa problem

• More than half of science doctoralgraduates from U.S. schools have to leave the country

• Hostage to largerimmigration reform

Rationalize

• Are your security staff employed efficiently?

• Can you outsource or automate some of the busy work, like network monitoring or log file review?

• Be realistic and factor skills shortage into business plans

Question #3Does your organization offer internships in IT and/or IT security?

Yes No Not sure I don’t work for an

organization

Think outside the box

• Women!• Students!• Interns!• Sponsorship!• Community!

Resources

• CODE > code.org• STEM > ed.gov/stem• SOeC > securingourecity.org• ISSA > issa.org• CompTIA > comptia.org• (ISC)2 > isc2.org

The bigger picture

• What is driving demand?• Cyber crime and cyber conflict• Arrest more of the real cyber

criminals and give them harsher sentences

• Rein in nation state cyber forces

To recap

• The country needs more workers who “get” cyber security

• Multi-pronged strategy is required– Get better at identifying cyber

talent– Better training of more people,

across all age ranges, genders – Get tough on cyber crime– De-escalate cyber conflicts

Thank you!

• stephen.cobb@eset.com• www.eset.com• WeLiveSecurity.com

Polling Question: I would like access to the following:

Request access to the Passmark Competitive Analysis Report

Request a custom business trial Subscribe to ESET’s global threat

report All of the above None of the above

Q&A Discussion