Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

02:30 PM
Tom Weithman
Tom Weithman
Connect Directly
E-Mail vvv

How to Close the Critical Cybersecurity Talent Gap

If we don't change our ways, the gap will keep getting worse. Outside-the-box thinking and new techniques are required, and here are a few ways to get started.

Companies are facing an immediate and critical shortage of trained cybersecurity workers at a time when threats of all kinds are on the rise. This shortfall doesn't discriminate based on industry, company size, or geography. When it comes to not having enough cybersecurity talent to keep infrastructure safe, everyone is in the same boat.

Take the Washington, DC, metro region, for example. The area has one of the largest groups of cybersecurity startups in the country, with firms forming to serve both the private sector and government. Yet, according to a recent study conducted by CyberSeek, the area also suffers from some of the highest concentrations of unfilled cybersecurity jobs in the entire nation.

There are several steps that employers in the DC area can take to help mitigate this critical shortfall. And because the problem is not unique to Washington, though it is exaggerated there, those same lessons can be applied across the nation.

Look for Talent in New Places
In the short term, a winning strategy would involve targeting undergraduate and community colleges. Many students are unsure of what they want to do for a career. If students are still early enough into their academic paths, there would be fewer hurdles to jump in terms of taking the necessary classes to graduate with useful cybersecurity degrees. By targeting these students, it could lead to an increase in available talent for hire. While this won't completely eliminate the problem, it could slow down its progression with an infusion of new talent.

But we can go back even earlier in the talent pipeline. Promoting cybersecurity as part of the K–12 curriculum is critical because this will be a universally needed skill set well into the foreseeable future. Foundational K–12 courses could build up skills children will need to thrive in an increasingly digitally transformed world, and would be helpful regardless of their ultimate career path. For example, classes could take the form of logic and critical-thinking courses, and would shepherd talented students into either college or the often-overshadowed two-year trade schools.

And let's not forget about talented military personnel who are leaving the service. Any members of the military on their way back into civilian life would be grateful to have a good career in cybersecurity or information technology after being discharged. While the military doesn't generally train their IT professionals to do everything that their civilian counterparts do, it does offer all of the fundamentals. Between that training and the military's characteristic discipline, it makes working with and increasing the skills of veterans a much easier task in most cases. Mixing in discharged veterans with green students can yield surprisingly strong results in cybersecurity.

Think Outside the Box
Traditional thinking and approaches have not worked, and the cybersecurity talent gap is only getting bigger. It's clear that an out-of-the-box strategy is required. This includes looking at candidates who have similar skill sets and educational backgrounds but who will require some mild to modest retraining. This could include finding individuals with backgrounds in analytics, statistics, and general computer science. Some certifications and classes would likely also be needed, though the payoff would be significant.

A few state and local governments are starting to embrace this kind of thinking. Several states sponsor programs that help place recent graduates with some cybersecurity skills, though not necessarily full degrees, with companies in rural settings, where the shortage of IT professionals is even more acute than most metropolitan areas. Although those workers may need additional training, getting boots on the ground could make all the difference for places with almost no professional cybersecurity presence.

Creative ideas also could involve incorporating emerging technologies. For example, at-home and distance learning could be used to help train employees on critical cybersecurity skills. Or some of the shortfall in manpower can be mitigated by employing artificial intelligence (AI) platforms to tackle the more rudimentary cybersecurity threats. While AI technology today has a long way to go, when paired with automation and orchestration, it can do a good job eliminating lower-level threats, narrowing the cybersecurity talent gap from the other side by reducing the scope of the problem.

Finally, the use of cloud technology and software-as-a-service (SaaS) offerings for protection can reduce the scope of threats. SaaS allows cybersecurity to be used remotely and as needed, freeing up organizations to concentrate on what they do best and leaving cybersecurity to contracted professionals.

Make Something Happen
Doing the same old things won't solve the cybersecurity talent problem. If we don't change our ways, the problem will keep getting worse. It's clear that novel thinking and new techniques are required.

Bringing in talented professionals from places they are not normally recruited, looking at the problem across all demographics, being willing to spend resources on training employees who have basic cybersecurity knowledge or who seem predisposed to learning it, and tapping into emerging technology help combat threats using fewer human resources are just some of the ways this problem might be successfully confronted. This field is too important for us not to fix because it touches industry, government, and even individual citizens in increasingly large ways.

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Tom Weithman formed CIT GAP Funds in 2005, which has gained national recognition as one of the nation's most active early-stage venture funds and a premier provider of capital to cybersecurity startups. CIT GAP Funds has provided early funding to early-stage cybersecurity ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
5/13/2019 | 2:22:23 PM
Re: K-12 to close the CyberSecurity gap
This is wonderful and should be encouraged.  Degrees should also be more accessible but that is a tough one because the subject itself is almost impossible to self manage and learn - and most of us do not have a few thousand in change in our pocket for a CIISP degree and course.  We need a better entrance ramp.  And IT itself should get more respect in the C-Suite than outsourcing here and there and hiring young and dumb.  We need to educate a new class of young and smart.  THEN we are making real progress and accept our mature and smart at the same time.  Experience counts heavy on this one. 
User Rank: Apprentice
5/9/2019 | 3:07:21 PM
K-12 to close the CyberSecurity gap
This article was music to my ears.  We have been growing the CyberPatriot program across Michigan for the last four years and truly beleive these students will fill the talent gap in Cybersec.  We went from 20 students the first year to over 700 students playing in an ethical virtual cyberdefense game from Nov-April each year!  We are doing all we can to expose these great kids to the many pathways into a cybersec career!  Many thanks for this well written article.  T
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 has a SQL injection vulnerability. The vulnerability stems from the log_edit.php files failing to filter the csa_to_user parameter, remote attackers can exploit the vulnerability to obtain database sensitive information.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 has web site physical path leakage vulnerability.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 has an unauthorized access vulnerability in default_user_edit.php, remote attackers can exploit this vulnerability to escalate to admin privileges.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 has a sensitive information disclosure vulnerability. The if_get_addbook.php file does not have an authentication operation. Remote attackers can obtain username information for all users of the current site.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 has a SQL injection vulnerability. The vulnerability stems from the control_task.php, control_project.php, default_user.php files failing to filter the sort parameter. Remote attackers can exploit the vulnerability to obtain database sensitive information.