7/16/2021
09:30 AM
Biagio DeSimone

How to Attract More Computer Science Grads to the Cybersecurity Field

With 465,000 cybersecurity job openings in the United States, why is recruiting so difficult? A recent college graduate offers his take.

(Image: Delphotostock)

The US Bureau of Labor Statistics predicts "information security analyst" will be the tenth-fastest-growing occupation over the next decade, with an employment growth rate of 31% (compared to the 4% average growth rate for all occupations). So why does the cybersecurity industry struggle to close the years-long gap between the number of job openings and qualified applicants? As a recent college graduate with a computer engineering degree, I know firsthand that companies and government agencies face significant challenges recruiting new grads as well as IT professionals who are considering a career change.

Computer science majors devote most of their time to learning programming languages, building applications, and figuring out how to work along the software development life cycle, while computer engineering majors focus on designing solutions for digital systems and building components. Upon graduation, their career path options may appear straightforward: software developer or engineer. They might believe the only path to a cybersecurity career lies in developing security systems and software for businesses or cybersecurity solutions vendors.

But that's a very limited perspective of the wide range of cybersecurity-related positions organizations are desperate to fill — and have been for the last several years.

Cybersecurity career and workforce resource CyberSeek reports there are 465,000 cybersecurity job openings in the United States, up from nearly 302,000 in its 2017 survey. According to (ISC)², an international nonprofit that offers cybersecurity training and certification programs, the number of unfilled cybersecurity roles spikes to nearly 3.1 million worldwide.

New Challenges Increase the Urgency to Upskill and Fill Roles
The fact that bad actors continue to become more sophisticated and insidious in their methods exacerbates an already urgent situation. Organizations are constantly bombarded by sophisticated attacks, even as their security teams wrestle with digital transformation initiatives that call on migrating more IT systems from on-premises data centers to the cloud. Enterprises are increasingly deploying workloads across a mix of public and private cloud technologies, and these multicloud and hybrid environments create new challenges that weren't top-of-mind even a few years ago.

"Docker and Kubernetes emerged in 2013 and 2014 respectively, so they had no training or lessons in these specific cloud-native technologies," says my colleague Jake Meloche, a solutions architect with Aqua Security. "With new technologies rapidly developing and constantly changing, colleges can't keep up with the curriculum. Regardless of the type of security role you land, classes will only have taught you so much."

Training, Mentors, and Defined Career Paths Needed
A survey by the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) found many factors behind the skill gap, most notably a lack of training and career-development opportunities. More than two-thirds of the cybersecurity professionals ESG and ISSA surveyed said they do not have a well-defined career path. Therefore, they struggle with completing basic career growth activities such as finding mentors, getting basic cybersecurity certifications, and taking on cybersecurity internships.

And I can tell you from personal experience that this lack of a clear career path begins early with college students.

My colleagues and I have at least two things in common: We received little (to no) exposure to the multiple cybersecurity career paths that our traditional computer science or engineering degrees opened to us, and therefore we all stumbled onto our careers in cloud security.

Consider the freshly minted computer science degree holder who comes across a job posting for a cybersecurity "solutions architect" or "presales engineer." Their first reaction might be, "That's a sales position; it doesn't match the skills I've spent the last four (or more) years of my life acquiring."

According to the ESG/ISSA report, CISOs are doing little to debunk that misperception by only looking for candidates with narrow technical skill sets at the expense of other necessary qualifications.

"This may reveal that few CISOs have the blend of business, leadership, communications, and technical skills necessary for success," wrote the report's authors. "CISOs are business, not technical, leaders."

Consider the role of a solutions architect. It requires the right mix of social and interpersonal skills and technical strengths. I must be able to dive into the technical weeds with some people and also speak in non-technical terms to employees and their managers.

Forging a Path for the Cybersecurity Profession
I may be a recent college graduate, but my degree really represents the beginning of my education and training. I'm constantly working to learn about changes to how organizations are building enterprise IT architectures and the evolving threats they face to their systems and data stores. In many instances, there isn't a quick answer from product management or developers, so there's a lot of fast problem solving required to get to the solution.

So what's the path forward? For college students and midcareer professionals, explore opportunities fully rather than simply reading the title of a job description. Look at college job boards and internal job recruiting sites, and connect with alumni and cybersecurity professionals at events like Black Hat 2021.

For recruiters, look to broaden the pool of candidates. Your organizations need people with skills that range from technical to strategic to storytelling. And once you make a hire, continue investing in their education and training.

"There's a whole world of technologies that you aren't exposed to in college," adds Matt Garafalo, another solutions architect at Aqua. "Find a company that supports both a willingness to learn and an eagerness to keep up with a fast-paced environment such as cloud-native security."

"Aside from compensation, cybersecurity job satisfaction is a function of many factors such as support and encouragement for continuing cybersecurity education, business management's commitment to strong cybersecurity, and the ability to work with highly skilled and talented cybersecurity staff," the ESG/ISSA report found. "Organizations with all these qualities will have a distinct advantage in recruiting and hiring as they add to their cybersecurity staff."

Biagio DeSimone is an Enterprise Solutions Architect for Aqua Security, where he helps educate customers on the importance of securing cloud-native applications from the earliest build phases through runtime for dev and production environments. Biagio is also a CNCF Certified ...

Comments
Whouse4
User Rank: Apprentice
7/20/2021 | 5:45:25 PM
The Gatekeepers are preventing it...
I'm a grad student studying Cybersecurity GRC at DePaul University, and all the job postings are looking for someone with 5+ years of experience - even for an entry position. I feel there is a disconnect between HR and the hiring team. Or the hiring team is so far behind on cybersecurity updates and patching that they can't bring in someone without the needed experience. This means that the position(s) will go unfilled, and the team has to work even harder to mitigate the existing issues. And members of that team will more than likely leave for another company.