By John Carlin
Chair, Cyber & Technology Program, The Aspen Institute
For the past four years, the Director of National Intelligence has named cyber threats to critical infrastructure as the top national security concern. Attacks on Atlanta, Baltimore, Louisiana, Florida, and Texas show how, on the eve of the 2020 elections, cyber adversaries are broadening their reach and targeting an increasingly diverse array of victims. And the routine cyber incidents that barrage the United States every day are costing the economy tens of billions every year. Confronting this threat demands more than bigger budgets and better technology—we desperately need trained people who can spend that money wisely and use technology correctly. Yet the nation faces a critical shortage of cybersecurity skills.
Closing this skills gap is a core mission of the Aspen Cybersecurity Group, which convenes business executives, security practitioners, and former government officials to operationalize concrete recommendations that will enhance the nation’s cybersecurity in measurable ways—in other words, solving problems, not just observing them. Meeting for the first time in early 2018, the Group’s members decided to focus their collective efforts on three areas, one of which was cybersecurity workforce development. The Group embarked on a year-long process, led by IBM CEO Ginni Rometty and IBM VP of Talent Joanna Daly, to identify the most important Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce. These include changing job qualifications to elevate the importance of real-world skills, rewriting job descriptions to appeal to more diverse job applicants, and drawing a transparent career path for cybersecurity workers.
Today the Group announces the next phase of its efforts. For the first time, we have brought together a diverse coalition of fifteen major companies who have agreed to adopt and implement principles to build a more robust pipeline for cybersecurity talent. Leveraging this comprehensive support, the Group aims to expand the roster of participant organizations and scale adoption of these principles.
It should deeply concern all Americans that businesses and government agencies are struggling to find enough cybersecurity workers. President Trump has described them as “guardians of our national and economic security.” Yet unfilled cybersecurity positions have grown by 50% since 2015, underscoring that organizations are struggling to find desirable candidates. According to the Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce, there will be at least 500,000 unfilled cybersecurity jobs in the United States by 2021. Other research tells a similar story, with one study projecting 3 million cybersecurity job openings around the world by 2021.
The cyber workforce gap has multiple causes, including structural ones like the need for developing more computational thinking skills starting in K-12 schools, the integration of cybersecurity education across undergraduate degree programs, and unequal opportunity in education more generally. These are tough problems that will take time and commitment to address.
But other obstacles are ripe for resolution here and now. Companies and government agencies already have the power to narrow the cyber workforce gap simply by changing their internal processes. Many organizations are leaving large pools of skilled candidates untapped, in part because of overly complex job requirements that disqualify more than 50% of applicants. Data collected on CyberSeek shows how the vast majority of cybersecurity job openings require a bachelor’s or more advanced degree. Right now, of the 26,013 openings for a “cybersecurity analyst” nationwide, 90% require a bachelor’s degree or higher. This practice artificially restricts the pool of available cybersecurity talent. The world’s premier authority in cybersecurity—the National Security Agency—is eager to accept candidates from two-year schools that comply with its own strict educational criteria. Yet those same graduates would not qualify on paper for 90% of the openings for a cybersecurity analyst.
Industry and government must strengthen and explore new methods for cultivating, hiring, and training cybersecurity workers. Today, the Aspen Cybersecurity Group is announcing commitments from fifteen companies—AIG, Apple, Cloudflare, Cyber Threat Alliance, Duke Energy, Facebook, Google, IBM, IronNet, Johnson & Johnson, Northrop Grumman, Symantec, Unisys, Verizon, and PwC—to help lead the way in addressing the mounting shortfall in the nation’s cybersecurity workforce by:
- Widening the aperture of candidate pipelines, for example by expanding recruitment focus beyond applicants with four-year degrees or using non-gender biased job descriptions.
- Revitalizing job postings to be engaging and to focus on the core requirements; don’t “over-spec” the requirements.
- Making career paths understandable and accessible to current employees and job seekers, referencing models like the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework where applicable.
These commitments are not just aspirational—companies are already acting internally and through outside partnerships, demonstrating a path for the rest of industry to follow suit in these and other areas:
- Cloudflare is extending opportunities beyond “traditional” cybersecurity candidates to recruit from a largely untapped pool of cybersecurity talent by leveraging returnship programs like Path Forward, hosting events like OURSA to elevate diverse voices in cybersecurity, and joining the city of San Francisco’s CCSF Cyber Security Apprentice Program as a corporate partner.
- IBM has also taken a multi-pronged approach to closing the cybersecurity skills gap. In 2016, IBM founded #IBMCyberDay4Girls to raise cybersecurity awareness amongst middle school girls and promote cybersecurity careers for young women in grades 6 through 8—a period where many girls being opting out of science and math. Since launch, the program has reached more than 4,600 girls at 85 events on six continents. IBM also revitalized its hiring process, leveraging the NICE Cybersecurity Workforce Framework to better communicate how cybersecurity job postings relate to the skills that applicants possess. And in June 2018, IBM launched a Cybersecurity Analyst apprenticeship, now rotating through its third cohort of Cybersecurity apprentices, with more than 90% of apprentice graduates accepting full-time roles at IBM.
- As an industry leader in cutting-edge network technology, Verizon needs next-gen cybersecurity workers to protect its customers and its systems. To meet the need, Verizon is widening the talent aperture through targeted recruitment of underrepresented minorities, using the NICE Workforce Framework to simplify and tailor job description, and aligning internal training to the NICE Framework to develop skills that align to a standardized set of relevant knowledge, skills, and abilities.
With these commitments, some of the nation’s largest employers are demonstrating how, with relatively simple measures, private industry can help build a stronger pipeline linking demand for cybersecurity skills with the real-world supply of individuals who have them.
The Aspen Cybersecurity Group encourages other employers, including federal, state, and local government agencies, to join this effort. Interested organizations should contact David Forscey, Managing Director of the Aspen Cybersecurity Group, at [email protected].