Estimates show that by 2021, there will be some 3.5 million unfilled jobs in cybersecurity. That's worrisome for a field under more pressure than ever to protect enterprises adjusting to a new and unsecure world of remote work.
With an eye toward the skills shortage and addressing security staffing deficits it cited from a Cybersecurity Ventures data forecast, online learning platform Udacity recently launched what it calls an Introduction to Cybersecurity Nanodegree program. The course, taught by security pros, is intended for those just starting out or transitioning fields, to get a leg up on a career. The course is made up of four sections: Cybersecurity Foundations; Defending and Securing Systems; Threats, Vulnerabilities, and Incident Response; and Governance, Risk, and Compliance.
Christine Izuakor, founder and CEO of Cyber Pop-up, and instructor for the Threats, Vulnerabilities, and Incident Response portion, says one of the program's benefits is its project-based nature. "It's an opportunity for students to go through some real-world projects," she says. In one vulnerability management module, for example, students use a vulnerability scanner to search the server for flaws.
"As we're trying to build the next-generation talent pipeline, it's very important we not only give them the fundamentals but also that we're giving them hands-on experience," she says. Overall her segment will examine threat assessments, threat actors, threat motivations, finding and fixing vulnerabilities, and what to do when a hacker inevitably gets in, despite your best efforts.
A Black woman in a white-male-dominated field, Izuakor also hopes that this type of course offering will help more underrepresented people get involved. "The industry is missing such a huge opportunity by not embracing the full scope of potential talent out there," she says.
Izuakor, meanwhile, recently published the Ultimate Guide to a Career in Cybersecurity for individuals interested in learning how to break into the industry.
The next-generation talent pipeline will be key to closing the skills gap, particularly because, as Izuakor notes, the harder roles to fill tend to be in cloud security, AI, and other emerging areas of security.
There are other programs that aim to fill those gaps: The SANS Institute runs the CyberStart program in the US, which creates an onramp for students in community college to simultaneously learn cybersecurity skills and emerge from school in two years ready to enter the workforce.
But at the same time that new security skill sets are in dire need, companies are also bogged down by hiring constraints brought on by the COVID-19 crisis. According to a recent SANS survey, 40% of organizations don't know if they will hire new security staff in the next year.
John Pescatore, director of emerging security trends at SANS, says that number is usually around 15-20%, and the sharp rise reflects widespread economic uncertainty and discomfort with hiring new security employees to work remotely.
Indeed, the survey shows that 30% of organizations are considering bringing on consultants. The implication, for example, is that a company that was considering hiring a penetration tester may now opt for a consultant to perform a pen test instead, Pescatore says.
Security pros say when organizations do start making new hires, they need to broaden their parameters in order to address the growing skills gap.
"Recession aside, we are still looking at a skills shortage when it comes to cybersecurity professionals and such a situation is only set to become more challenging with demand set to outstrip supply over the coming 18-24 months," says Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security and risk management. "But when we say there is a skills shortage, what do we actually mean? Yes, there will be a shortage of individuals skilled in the practical aspects of cybersecurity good practice, but a more imaginative approach to providing the necessary skills is needed."
Some security experts, like Megan Bradley, vice president of operations at application security provider nVisium, think security teams could consider overlooking a college degree requirement in favor of those who take cybersecurity courses, including Udacity's, that provide hands-on experience.
"I can't speak for the entire industry, but we would certainly consider a candidate who participates in an immersive, hands-on cybersecurity program, with or without a college degree," she says, adding that college curriculum tends to be "antiquated" anyway, teaching older technologies and cyber security practices.
Terence Jackson, CISO at Thycotic, argues that while cybersecurity degrees serve an important purpose in providing soft skills, they're not "a great predictor of success in cybersecurity."
"I do believe training and continuous learning are beneficial in our field, but nothing beats hands-on experience, a curious mindset, and the inner will to push through," he says.
Dr. Casey Marks, chief product officer and vice president at (ISC)², says it's important for hiring practices to be realistic. "Make sure experience requirements, responsibilities, salary, and titles all align. Avoid a 'kitchen sink' mentality in terms of job skills," he says. "We'd be the first organization to agree with the statement that holding a CISSP certification isn't necessary for an entry-level position."
And according to Thomas Hatch, CTO and co-founder at SaltStack, a provider of intelligent IT automation software, while he values a formal degree, candidates who complete special courses like Udacity's Nanodegree program should also be considered if they can demonstrate their abilities. "This is all about looking beyond the degree and understanding the many ways that people can gain an education," he says.
Registration for Udacity's training program runs through August 11 and costs $1,436 (with discounts for those students suffering hardships). The self-paced program takes about four months to complete at about 10 hours per week.