09:30 AM
Biagio DeSimone

How to Attract More Computer Science Grads to the Cybersecurity Field

With 465,000 cybersecurity job openings in the United States, why is recruiting so difficult? A recent college graduate offers his take.

(Image: Delphotostock)

The US Bureau of Labor Statistics predicts "information security analyst" will be the tenth-fastest-growing occupation over the next decade, with an employment growth rate of 31% (compared to the 4% average growth rate for all occupations). So why does the cybersecurity industry struggle to close the years-long gap between the number of job openings and qualified applicants? As a recent college graduate with a computer engineering degree, I know firsthand that companies and government agencies face significant challenges recruiting new grads as well as IT professionals who are considering a career change.

Computer science majors devote most of their time to learning programming languages, building applications, and figuring out how to work along the software development life cycle, while computer engineering majors focus on designing solutions for digital systems and building components. Upon graduation, their career path options may appear straightforward: software developer or engineer. They might believe the only path to a cybersecurity career lies in developing security systems and software for businesses or cybersecurity solutions vendors.

But that's a very limited perspective of the wide range of cybersecurity-related positions organizations are desperate to fill — and have been for the last several years.

Cybersecurity career and workforce resource CyberSeek reports there are 465,000 cybersecurity job openings in the United States, up from nearly 302,000 in its 2017 survey. According to (ISC)², an international nonprofit that offers cybersecurity training and certification programs, the number of unfilled cybersecurity roles spikes to nearly 3.1 million worldwide.

New Challenges Increase the Urgency to Upskill and Fill Roles
The fact that bad actors continue to become more sophisticated and insidious in their methods exacerbates an already urgent situation. Organizations are constantly bombarded by sophisticated attacks, even as their security teams wrestle with digital transformation initiatives that call on migrating more IT systems from on-premises data centers to the cloud. Enterprises are increasingly deploying workloads across a mix of public and private cloud technologies, and these multicloud and hybrid environments create new challenges that weren't top-of-mind even a few years ago.

"Docker and Kubernetes emerged in 2013 and 2014 respectively, so they had no training or lessons in these specific cloud-native technologies," says my colleague Jake Meloche, a solutions architect with Aqua Security. "With new technologies rapidly developing and constantly changing, colleges can't keep up with the curriculum. Regardless of the type of security role you land, classes will only have taught you so much."

Training, Mentors, and Defined Career Paths Needed
A survey by the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) found many factors behind the skill gap, most notably a lack of training and career-development opportunities. More than two-thirds of the cybersecurity professionals ESG and ISSA surveyed said they do not have a well-defined career path. Therefore, they struggle with completing basic career growth activities such as finding mentors, getting basic cybersecurity certifications, and taking on cybersecurity internships.

And I can tell you from personal experience that this lack of a clear career path begins early with college students.

My colleagues and I have at least two things in common: We received little (to no) exposure to the multiple cybersecurity career paths that our traditional computer science or engineering degrees opened to us, and therefore we all stumbled onto our careers in cloud security.

Consider the freshly minted computer science degree holder who comes across a job posting for a cybersecurity "solutions architect" or "presales engineer." Their first reaction might be, "That's a sales position; it doesn't match the skills I've spent the last four (or more) years of my life acquiring."

According to the ESG/ISSA report, CISOs are doing little to debunk that misperception by only looking for candidates with narrow technical skill sets at the expense of other necessary qualifications.

"This may reveal that few CISOs have the blend of business, leadership, communications, and technical skills necessary for success," wrote the report's authors. "CISOs are business, not technical, leaders."

Consider the role of a solutions architect. It requires the right mix of social and interpersonal skills and technical strengths. I must be able to dive into the technical weeds with some people and also speak in non-technical terms to employees and their managers.

Forging a Path for the Cybersecurity Profession
I may be a recent college graduate, but my degree really represents the beginning of my education and training. I'm constantly working to learn about changes to how organizations are building enterprise IT architectures and the evolving threats they face to their systems and data stores. In many instances, there isn't a quick answer from product management or developers, so there's a lot of fast problem solving required to get to the solution.

So what's the path forward? For college students and midcareer professionals, explore opportunities fully rather than simply reading the title of a job description. Look at college job boards and internal job recruiting sites, and connect with alumni and cybersecurity professionals at events like Black Hat 2021.

For recruiters, look to broaden the pool of candidates. Your organizations need people with skills that range from technical to strategic to storytelling. And once you make a hire, continue investing in their education and training.

"There's a whole world of technologies that you aren't exposed to in college," adds Matt Garafalo, another solutions architect at Aqua. "Find a company that supports both a willingness to learn and an eagerness to keep up with a fast-paced environment such as cloud-native security."

"Aside from compensation, cybersecurity job satisfaction is a function of many factors such as support and encouragement for continuing cybersecurity education, business management's commitment to strong cybersecurity, and the ability to work with highly skilled and talented cybersecurity staff," the ESG/ISSA report found. "Organizations with all these qualities will have a distinct advantage in recruiting and hiring as they add to their cybersecurity staff."

Biagio DeSimone is an Enterprise Solutions Architect for Aqua Security, where he helps educate customers on the importance of securing cloud-native applications from the earliest build phases through runtime for dev and production environments. Biagio is also a CNCF Certified ...

7/20/2021 | 5:45:25 PM
The Gatekeepers are preventing it...
I'm a grad student studying Cybersecurity GRC at DePaul University, and all the job postings are looking for someone with 5+ years of experience - even for an entry position. I feel there is a disconnect between HR and the hiring team. Or the hiring team is so far behind on cybersecurity updates and patching that they can't bring in someone without the needed experience. This means that the position(s) will go unfilled, and the team has to work even harder to mitigate the existing issues. And members of that team will more than likely leave for another company.