11/4/2019
11:00 AM
Dark Reading

Major Employers Commit to Build a Stronger Cybersecurity Workforce Pipeline

By John Carlin
Chair, Cyber & Technology Program, The Aspen Institute

For the past four years, the Director of National Intelligence has named cyber threats to critical infrastructure as the top national security concern. Attacks on Atlanta, Baltimore, Louisiana, Florida, and Texas show how, on the eve of the 2020 elections, cyber adversaries are broadening their reach and targeting an increasingly diverse array of victims. And the routine cyber incidents that barrage the United States every day are costing the economy tens of billions every year. Confronting this threat demands more than bigger budgets and better technology—we desperately need trained people who can spend that money wisely and use technology correctly. Yet the nation faces a critical shortage of cybersecurity skills.

Closing this skills gap is a core mission of the Aspen Cybersecurity Group, which convenes business executives, security practitioners, and former government officials to operationalize concrete recommendations that will enhance the nation’s cybersecurity in measurable ways—in other words, solving problems, not just observing them. Meeting for the first time in early 2018, the Group’s members decided to focus their collective efforts on three areas, one of which was cybersecurity workforce development. The Group embarked on a year-long process, led by IBM CEO Ginni Rometty and IBM VP of Talent Joanna Daly, to identify the most important Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce. These include changing job qualifications to elevate the importance of real-world skills, rewriting job descriptions to appeal to more diverse job applicants, and drawing a transparent career path for cybersecurity workers.

Today the Group announces the next phase of its efforts. For the first time, we have brought together a diverse coalition of fifteen major companies who have agreed to adopt and implement principles to build a more robust pipeline for cybersecurity talent. Leveraging this comprehensive support, the Group aims to expand the roster of participant organizations and scale adoption of these principles.

It should deeply concern all Americans that businesses and government agencies are struggling to find enough cybersecurity workers. President Trump has described them as “guardians of our national and economic security.” Yet unfilled cybersecurity positions have grown by 50% since 2015, underscoring that organizations are struggling to find desirable candidates. According to the Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce, there will be at least 500,000 unfilled cybersecurity jobs in the United States by 2021. Other research tells a similar story, with one study projecting 3 million cybersecurity job openings around the world by 2021.

The cyber workforce gap has multiple causes, including structural ones like the need for developing more computational thinking skills starting in K-12 schools, the integration of cybersecurity education across undergraduate degree programs, and unequal opportunity in education more generally. These are tough problems that will take time and commitment to address.

But other obstacles are ripe for resolution here and now. Companies and government agencies already have the power to narrow the cyber workforce gap simply by changing their internal processes. Many organizations are leaving large pools of skilled candidates untapped, in part because of overly complex job requirements that disqualify more than 50% of applicants. Data collected on CyberSeek shows how the vast majority of cybersecurity job openings require a bachelor’s or more advanced degree. Right now, of the 26,013 openings for a “cybersecurity analyst” nationwide, 90% require a bachelor’s degree or higher. This practice artificially restricts the pool of available cybersecurity talent. The world’s premier authority in cybersecurity—the National Security Agency—is eager to accept candidates from two-year schools that comply with its own strict educational criteria. Yet those same graduates would not qualify on paper for 90% of the openings for a cybersecurity analyst.

Industry and government must strengthen and explore new methods for cultivating, hiring, and training cybersecurity workers. Today, the Aspen Cybersecurity Group is announcing commitments from fifteen companies—AIG, Apple, Cloudflare, Cyber Threat Alliance, Duke Energy, Facebook, Google, IBM, IronNet, Johnson & Johnson, Northrop Grumman, Symantec, Unisys, Verizon, and PwC—to help lead the way in addressing the mounting shortfall in the nation’s cybersecurity workforce by:

  1. Widening the aperture of candidate pipelines, for example by expanding recruitment focus beyond applicants with four-year degrees or using non-gender biased job descriptions.
  2. Revitalizing job postings to be engaging and to focus on the core requirements; don’t “over-spec” the requirements.
  3. Making career paths understandable and accessible to current employees and job seekers, referencing models like the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework where applicable.

These commitments are not just aspirational—companies are already acting internally and through outside partnerships, demonstrating a path for the rest of industry to follow suit in these and other areas:

  • Cloudflare is extending opportunities beyond “traditional” cybersecurity candidates to recruit from a largely untapped pool of cybersecurity talent by leveraging returnship programs like Path Forward, hosting events like OURSA to elevate diverse voices in cybersecurity, and joining the city of San Francisco’s CCSF Cyber Security Apprentice Program as a corporate partner.
  • IBM has also taken a multi-pronged approach to closing the cybersecurity skills gap. In 2016, IBM founded #IBMCyberDay4Girls to raise cybersecurity awareness amongst middle school girls and promote cybersecurity careers for young women in grades 6 through 8—a period where many girls begin opting out of science and math. Since launch, the program has reached more than 4,600 girls at 85 events on six continents. IBM also revitalized its hiring process, leveraging the NICE Cybersecurity Workforce Framework to better communicate how cybersecurity job postings relate to the skills that applicants possess. And in June 2018, IBM launched a Cybersecurity Analyst apprenticeship, now rotating through its third cohort of Cybersecurity apprentices, with more than 90% of apprentice graduates accepting full-time roles at IBM.
  • As an industry leader in cutting-edge network technology, Verizon needs next-gen cybersecurity workers to protect its customers and its systems. To meet the need, Verizon is widening the talent aperture through targeted recruitment of underrepresented minorities, using the NICE Workforce Framework to simplify and tailor job descriptions, and aligning internal training to the NICE Framework to develop skills that align to a standardized set of relevant knowledge, skills, and abilities.

With these commitments, some of the nation’s largest employers are demonstrating how, with relatively simple measures, private industry can help build a stronger pipeline linking demand for cybersecurity skills with the real-world supply of individuals who have them.

The Aspen Cybersecurity Group encourages other employers, including federal, state, and local government agencies, to join this effort. Interested organizations should contact David Forscey, Managing Director of the Aspen Cybersecurity Group, at [email protected].
