
11/4/2019 11:00 AM
Dark Reading
Products and Releases

Major Employers Commit to Build a Stronger Cybersecurity Workforce Pipeline

By John Carlin
Chair, Cyber & Technology Program, The Aspen Institute

For the past four years, the Director of National Intelligence has named cyber threats to critical infrastructure as the top national security concern. Attacks on Atlanta, Baltimore, Louisiana, Florida, and Texas show how, on the eve of the 2020 elections, cyber adversaries are broadening their reach and targeting an increasingly diverse array of victims. And the routine cyber incidents that barrage the United States every day are costing the economy tens of billions every year. Confronting this threat demands more than bigger budgets and better technology—we desperately need trained people who can spend that money wisely and use technology correctly. Yet the nation faces a critical shortage of cybersecurity skills.

Closing this skills gap is a core mission of the Aspen Cybersecurity Group, which convenes business executives, security practitioners, and former government officials to operationalize concrete recommendations that will enhance the nation’s cybersecurity in measurable ways—in other words, solving problems, not just observing them. Meeting for the first time in early 2018, the Group’s members decided to focus their collective efforts on three areas, one of which was cybersecurity workforce development. The Group embarked on a year-long process, led by IBM CEO Ginni Rometty and IBM VP of Talent Joanna Daly, to identify the most important Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce. These include changing job qualifications to elevate the importance of real-world skills, rewriting job descriptions to appeal to more diverse job applicants, and drawing a transparent career path for cybersecurity workers.

Today the Group announces the next phase of its efforts. For the first time, we have brought together a diverse coalition of fifteen major companies who have agreed to adopt and implement principles to build a more robust pipeline for cybersecurity talent. Leveraging this comprehensive support, the Group aims to expand the roster of participant organizations and scale adoption of these principles.

It should deeply concern all Americans that businesses and government agencies are struggling to find enough cybersecurity workers. President Trump has described them as “guardians of our national and economic security.” Yet unfilled cybersecurity positions have grown by 50% since 2015, underscoring that organizations are struggling to find desirable candidates. According to the Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce, there will be at least 500,000 unfilled cybersecurity jobs in the United States by 2021. Other research tells a similar story, with one study projecting 3 million cybersecurity job openings around the world by 2021.

The cyber workforce gap has multiple causes, including structural ones like the need for developing more computational thinking skills starting in K-12 schools, the integration of cybersecurity education across undergraduate degree programs, and unequal opportunity in education more generally. These are tough problems that will take time and commitment to address.

But other obstacles are ripe for resolution here and now. Companies and government agencies already have the power to narrow the cyber workforce gap simply by changing their internal processes. Many organizations are leaving large pools of skilled candidates untapped, in part because of overly complex job requirements that disqualify more than 50% of applicants. Data collected on CyberSeek shows how the vast majority of cybersecurity job openings require a bachelor’s or more advanced degree. Right now, of the 26,013 openings for a “cybersecurity analyst” nationwide, 90% require a bachelor’s degree or higher. This practice artificially restricts the pool of available cybersecurity talent. The world’s premier authority in cybersecurity—the National Security Agency—is eager to accept candidates from two-year schools that comply with its own strict educational criteria. Yet those same graduates would not qualify on paper for 90% of the openings for a cybersecurity analyst.

Industry and government must strengthen and explore new methods for cultivating, hiring, and training cybersecurity workers. Today, the Aspen Cybersecurity Group is announcing commitments from fifteen companies—AIG, Apple, Cloudflare, Cyber Threat Alliance, Duke Energy, Facebook, Google, IBM, IronNet, Johnson & Johnson, Northrop Grumman, Symantec, Unisys, Verizon, and PwC—to help lead the way in addressing the mounting shortfall in the nation’s cybersecurity workforce by:

  1. Widening the aperture of candidate pipelines, for example by expanding recruitment focus beyond applicants with four-year degrees or using non-gender-biased job descriptions.
  2. Revitalizing job postings to be engaging and to focus on the core requirements; don’t “over-spec” the requirements.
  3. Making career paths understandable and accessible to current employees and job seekers, referencing models like the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework where applicable.

These commitments are not just aspirational—companies are already acting internally and through outside partnerships, demonstrating a path for the rest of industry to follow suit in these and other areas:

  • Cloudflare is extending opportunities beyond “traditional” cybersecurity candidates to recruit from a largely untapped pool of cybersecurity talent by leveraging returnship programs like Path Forward, hosting events like OURSA to elevate diverse voices in cybersecurity, and joining the city of San Francisco’s CCSF Cyber Security Apprentice Program as a corporate partner.
  • IBM has also taken a multi-pronged approach to closing the cybersecurity skills gap. In 2016, IBM founded #IBMCyberDay4Girls to raise cybersecurity awareness amongst middle school girls and promote cybersecurity careers for young women in grades 6 through 8—a period when many girls begin opting out of science and math. Since launch, the program has reached more than 4,600 girls at 85 events on six continents. IBM also revitalized its hiring process, leveraging the NICE Cybersecurity Workforce Framework to better communicate how cybersecurity job postings relate to the skills that applicants possess. And in June 2018, IBM launched a Cybersecurity Analyst apprenticeship, now rotating through its third cohort of cybersecurity apprentices, with more than 90% of apprentice graduates accepting full-time roles at IBM.
  • As an industry leader in cutting-edge network technology, Verizon needs next-gen cybersecurity workers to protect its customers and its systems. To meet the need, Verizon is widening the talent aperture through targeted recruitment of underrepresented minorities, using the NICE Workforce Framework to simplify and tailor job descriptions, and aligning internal training to the NICE Framework to develop skills that map to a standardized set of relevant knowledge, skills, and abilities.

With these commitments, some of the nation’s largest employers are demonstrating how, with relatively simple measures, private industry can help build a stronger pipeline linking demand for cybersecurity skills with the real-world supply of individuals who have them.

The Aspen Cybersecurity Group encourages other employers, including federal, state, and local government agencies, to join this effort. Interested organizations should contact David Forscey, Managing Director of the Aspen Cybersecurity Group, at [email protected].
