Dark Reading is part of the Informa Tech Division of Informa PLC


7/16/2021
09:30 AM
Biagio DeSimone

How to Attract More Computer Science Grads to the Cybersecurity Field

With 465,000 cybersecurity job openings in the United States, why is recruiting so difficult? A recent college graduate offers his take.

(Image: Delphotostock)

The US Bureau of Labor Statistics predicts "information security analyst" will be the tenth-fastest-growing occupation over the next decade, with an employment growth rate of 31% (compared to the 4% average growth rate for all occupations). So why does the cybersecurity industry struggle to close the years-long gap between the number of job openings and qualified applicants? As a recent college graduate with a computer engineering degree, I know firsthand that companies and government agencies face significant challenges recruiting new grads as well as IT professionals who are considering a career change.


Computer science majors devote most of their time to learning programming languages, building applications, and figuring out how to work along the software development life cycle, while computer engineering majors focus on designing solutions for digital systems and building components. Upon graduation, their career path options may appear straightforward: software developer or engineer. They might believe the only path to a cybersecurity career lies in developing security systems and software for businesses or cybersecurity solutions vendors.

But that's a very limited perspective of the wide range of cybersecurity-related positions organizations are desperate to fill — and have been for the last several years.

Cybersecurity career and workforce resource CyberSeek reports there are 465,000 cybersecurity job openings in the United States, up from nearly 302,000 in its 2017 survey. According to (ISC)², an international nonprofit that offers cybersecurity training and certification programs, the number of unfilled cybersecurity roles spikes to nearly 3.1 million worldwide.

New Challenges Increase the Urgency to Upskill and Fill Roles
The fact that bad actors continue to become more sophisticated and insidious in their methods exacerbates an already urgent situation. Organizations are constantly bombarded by sophisticated attacks, even as their security teams wrestle with digital transformation initiatives that call on migrating more IT systems from on-premises data centers to the cloud. Enterprises are increasingly deploying workloads across a mix of public and private cloud technologies, and these multicloud and hybrid environments create new challenges that weren't top-of-mind even a few years ago.

"Docker and Kubernetes emerged in 2013 and 2014 respectively, so they had no training or lessons in these specific cloud-native technologies," says my colleague Jake Meloche, a solutions architect with Aqua Security. "With new technologies rapidly developing and constantly changing, colleges can't keep up with the curriculum. Regardless of the type of security role you land, classes will only have taught you so much."

Training, Mentors, and Defined Career Paths Needed
A survey by the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) found many factors behind the skill gap, most notably a lack of training and career-development opportunities. More than two-thirds of the cybersecurity professionals ESG and ISSA surveyed said they do not have a well-defined career path. Therefore, they struggle with completing basic career growth activities such as finding mentors, getting basic cybersecurity certifications, and taking on cybersecurity internships.

And I can tell you from personal experience that this lack of a clear career path begins early with college students.

My colleagues and I have at least two things in common: We received little (to no) exposure to the multiple cybersecurity career paths that our traditional computer science or engineering degrees opened to us, and therefore we all stumbled onto our careers in cloud security.

Consider the freshly minted computer science degree holder who comes across a job posting for a cybersecurity "solutions architect" or "presales engineer." Their first reaction might be, "That's a sales position; it doesn't match the skills I've spent the last four (or more) years of my life acquiring."

According to the ESG/ISSA report, CISOs are doing little to debunk that misperception by only looking for candidates with narrow technical skill sets at the expense of other necessary qualifications.

"This may reveal that few CISOs have the blend of business, leadership, communications, and technical skills necessary for success," wrote the report's authors. "CISOs are business, not technical, leaders."

Consider the role of a solutions architect. It requires the right mix of social and interpersonal skills and technical strengths. I must be able to dive into the technical weeds with some people and also speak in non-technical terms to employees and their managers.

Forging a Path for the Cybersecurity Profession
I may be a recent college graduate, but my degree really represents the beginning of my education and training. I'm constantly working to learn about changes to how organizations are building enterprise IT architectures and the evolving threats they face to their systems and data stores. In many instances, there isn't a quick answer from product management or developers, so there's a lot of fast problem solving required to get to the solution.

So what's the path forward? For college students and midcareer professionals, explore opportunities fully rather than simply reading the title of a job description. Look at college job boards and internal job recruiting sites, and connect with alumni and cybersecurity professionals at events like Black Hat 2021.

For recruiters, look to broaden the pool of candidates. Your organizations need people with skills that range from technical to strategic to storytelling. And once you make a hire, continue investing in their education and training.

"There's a whole world of technologies that you aren't exposed to in college," adds Matt Garafalo, another solutions architect at Aqua. "Find a company that supports both a willingness to learn and an eagerness to keep up with a fast-paced environment such as cloud-native security."

"Aside from compensation, cybersecurity job satisfaction is a function of many factors such as support and encouragement for continuing cybersecurity education, business management's commitment to strong cybersecurity, and the ability to work with highly skilled and talented cybersecurity staff," the ESG/ISSA report found. "Organizations with all these qualities will have a distinct advantage in recruiting and hiring as they add to their cybersecurity staff."

Biagio DeSimone is an Enterprise Solutions Architect for Aqua Security, where he helps educate customers on the importance of securing cloud-native applications from the earliest build phases through runtime for dev and production environments. Biagio is also a CNCF Certified ...
 

Comments
Whouse4
User Rank: Apprentice
7/20/2021 | 5:45:25 PM
The Gatekeepers are preventing it...
I'm a grad student studying Cybersecurity GRC at DePaul University, and all the job postings are looking for someone with 5+ years of experience - even for an entry position. I feel there is a disconnect between HR and the hiring team. Or the hiring team is so far behind on cybersecurity updates and patching that they can't bring in someone without the needed experience. This means that the position(s) will go unfilled, and the team has to work even harder to mitigate the existing issues. And members of that team will more than likely leave for another company.