This article is part of the monthly CSI5x5 series by the Cyber Statecraft Initiative, in which five featured experts answer five questions on a common theme, trend, or current event in the world of cyber. Interested in the CSI5x5 and want to see a particular topic, event, or question covered? Contact Simon Handler with the Cyber Statecraft Initiative at [email protected].
Defending against threats in cyberspace is hard enough, but severe cybersecurity talent deficiencies have consistently made the challenge harder for both public and private sector organizations.
The field of cybersecurity continues to expand rapidly—so much so that the number of available jobs has outpaced the pool of available talent. A 2017 report by the National Academies estimated that by 2022, the United States will face a shortage of 3.4 million skilled technical workers, on top of an existing global dearth of 2.93 million workers in the field of cybersecurity alone, per a study by the International Information System Security Certification Consortium, or (ISC)². Furthermore, when it comes to top talent, the pool is small and many organizations are looking to tap into it. While this issue is not particularly new, it is one with which government and industry continue to grapple, with no single clear-cut solution on the horizon.
Our Cyber Statecraft Initiative experts go CSI5x5 to dig into the people problem of cybersecurity, its implications, and possible solutions.
#1 What is the most significant real-world example of the cybersecurity talent gap you’ve observed?
Pete Cooper, nonresident senior fellow, Cyber Statecraft Initiative; CEO, Pavisade: “First, we have to be sure of what we mean by ‘cybersecurity talent gap.’ The latest report and survey from the UK Department of Culture Media and Sport highlighted that ‘approximately 653,000 businesses (48 percent) have a basic skills gap’ and lacked the confidence to carry out basic cybersecurity measures. But additionally, they highlighted that there are a wide range of relevant cybersecurity skills ranging from deep technical to policy, strategy, and leadership. When we talk about the talent gap, we have to look at the whole arc of what skills are needed, not just technical which tends to be the focus and headline. The real-world example that stands out to me when looking across organizations is how they are positioned to manage cyber security risk; there are often pockets of great cybersecurity skills or knowledge of risk, but often, this isn’t translated well into the board and decisionmakers. So, they aren’t getting the best value out of the technical skills they have because it isn’t woven together with policy, strategy, and leadership across the whole organization. At its worst, this means that those with technical skills in the organization have a much better understanding of actual risk than the board, who may be making decisions based on inaccurate assumptions.”
Emily Frye, director, cyber integration, MITRE/Public Sector: “For the most part, the cybersecurity field has been unable to massively or uniformly deploy elements of progress and best practice as they become clear. This is because there aren’t enough people to actually move the ecosystem to the new baseline. One example is threat-informed cyber defense. We don’t see enough organizations with enough personnel and expertise to ensure that the bulk of organizations are already covering basics. So, they can’t, in turn, move to what we know is better: threat-informed cyber defense.”
Kurt John, chief cybersecurity officer, Siemens USA: “It’s impossible to overstate our need for human talent. The latest research I’ve seen, from Cybersecurity Ventures, puts open cybersecurity jobs worldwide at 3.5 million by next year. And that might seem like a daunting figure, but think of it like this: there are approximately 174 million unemployed people worldwide. Say one percent are in the pool of potential candidates; that fills fifty percent of the need. Now, clearly there are a host of variables that make such a comparison complicated. My point is that what we really need is a mindset change for how we recruit that taps into the full range of talent across society and enables us to address the needs of industry.”
Ronald A. Marks III, president, ZPN National Security and Cyber Strategies; former Central Intelligence Agency and Capitol Hill official: “It is less a gap that affected a specific event than the long-term fundamental gap between policymakers—both public and private—and the guys who understand technology. The continued lack of this mutual understanding in the third decade of the world wide web—and its creation, cyber world—on both sides is troubling and potentially dangerous. And, it does not appear to be closing.”
Jacquelyn Schneider, Hoover fellow, Hoover Institution, Stanford University; nonresident fellow, Cyber and Innovation Policy Institute, Naval War College: “When I was an active duty Air Force officer, I was struck by how many talented airmen we were losing not because they lacked technical skills for the mission, but instead because we were inflexible about family issues, promotion, and even health/fitness. What has surprised me since leaving the active duty is how many similar problems the US government has in recruiting and retaining talent in our civilian sector.”
#2 What aspects of organizational culture are most influential on the gap, and does the private sector really have an advantage recruiting talent?
Cooper: “Organizational culture is the most important aspect of cybersecurity and also the most underrated; it appreciates in value over time, unlike a lot of other measures, and is incredibly cost effective. If the leadership of an organization can instil a great culture, it makes attracting and retaining talent considerably easier, and you have an incredibly proactive workforce that actively looks for ways to minimize risk, innovate, and develop effective solutions. If the leadership has the right culture toward hiring, it opens up access to talent. As an example, a comment from a job seeker was that she had dismissed herself from taking up an internship because she was a working mother. In discussing this case with a chief information security officer (CISO) friend, they absolutely wanted to speak to her because if they could find a way to make it work for the candidate, they improved and strengthened as a business. It’s this sort of culture, thinking, and leadership that closes the skills gap and gets people into work. Having been in both worlds, early in your career, the public sector is a great place to learn and develop skills, but the private sector has such breadth of roles, organizations, and locations. There is no clear-cut answer to the advantages of one over the other; it really depends on the individual and what they are looking for.”
Frye: “Flexible policies on issues like working hours and telework, continuing education, and a combination of healthy teams plus individual autonomy are the most influential. Also, flat organizational structures and a non-rigid approach to authority are key. Strictly hierarchical organizations appear to turn off the smart creative professionals that solve problems.”
John: “Collaboration is the most influential aspect of organizational culture on the talent gap. Gone are the days when server patching or vulnerability management were the primary means of managing cyber risk. What’s the implication of the new California Internet of Things Security Law on our supply chain logistics? Have our suppliers outsourced critical aspects of their product to a fourth party? Do our contracts make the required standard of cybersecurity clear to our business partners? How many of our employees have purchased cloud services from Amazon and Microsoft? Our technology supplier is being purchased, but what’s the track record of the purchaser? How do we respond to public inquiry about vulnerabilities in one of our products? In those cybersecurity questions, which by no means are exhaustive, I have drawn in Legal, Compliance, IT, Supply Chain Management, Procurement, Government Affairs, Communications, and Sales. Cybersecurity now permeates practically all aspects of an organization, and that’s both diversifying skills and creating new roles.”
Marks: “Cybersecurity requires a looseness and flexibility that most public or private organizational structures find nearly impossible to deal with, as they are tied to 20th century norms of management and bureaucratic order. With the exception of Silicon Valley-like firms who have learned this lesson, few others have come to grips with it. In that, the private sector has a much better shot at acquiring talent more quickly than a relatively ossified government structure.”
Schneider: “The private sector definitely has an advantage over the government; first, their talent pool is larger (includes foreigners, individuals who might have security clearance problems); secondly, they have more flexibility in how they reward and incentivize their force. Because the government is a large bureaucratic organization, it rewards standardization and mitigation of risk (the ‘cya’ factor); our personnel processes—from recruiting, to hiring, and to promotion—reflect that risk mitigation culture instead of fostering innovative approaches towards personnel reform, whether that be through IT, personnel policies, or organizational reform.”
#3 Finish this sentence. The entity most responsible for closing the cybersecurity talent gap is…
Cooper: “…all of us. Large scale, long term challenges cannot be ‘fixed’ by one group or entity. It will take collaboration and leadership across public and private sectors and academia to drive the change we need. How we think about cybersecurity education and who we think of as potential cybersecurity talent also needs to change. There are those that are technical and have amazing skills, but there are also those with great cybersecurity policy, strategy, and ‘translation’ skills that are just as important but can be drawn from multiple disciplines. If we can draw from different disciplines, we will also discover that this increases overall diversity. At the UK Cyber 9/12 Strategy Competition, we encourage students of any discipline to take part and we consistently get a fifty-fifty gender balance across the competitors. That level of diversity is available to organizations if they change how they hire and think about cybersecurity talent.”
Frye: “I don’t think there is one entity who is responsible—that’s another reason this is so hard! The entire village has to pick up and change. That said, there is good evidence right now that well-resourced organizations with a cyber-emphatic leader—and, often, some level of regulatory scrutiny—are the ones making the most headway.”
John: “…the organizations seeking that talent both in the public and private sectors. Business, in particular, needs to play a leading role. That said, we can’t do it without educators. There need to be strong public-private partnerships. Industry needs to help educators understand what the jobs of the future look like and educators should help prepare people to take advantage of those opportunities. Key to this is having employers redefine what it means to be qualified for a cybersecurity role. While still valuable, a traditional four-year degree should not be the primary path to success in the cybersecurity field. We should also be recruiting talent coming from career technical education programs in high school, two-year technical schools, and apprenticeships.”
Marks: “…education, hands down. Despite the lip service provided to science, technology, engineering, and mathematics (STEM) education in the United States, we are still fumbling with a comprehensive solution to get all kids involved in understanding STEM issues. For instance, as simple a thing as promoting learning basic coding in grade school would go a long way to helping understand the complexities of cyber world. Neither has the educational system really tackled the gap of understanding between the poli-sci/business guys and the technical engineer types. College departments, in search of students and consequent revenue, don’t like to mix ‘streams.’ Thus, classic stove piping.”
Schneider: “…government. It can do this by providing incentives to K-12 to build the domestic talent pool, by investing in researchers and educators at universities, by fixing its own hiring and promotion processes, and by thinking about creative ways that people can come in and out of government and private sector.”
#4 What kind of talent chases money over mission? What about mission over money?
Cooper: “The challenge is that there is such a number of different roles, responsibilities, regions, and terminologies across all of the different sectors that it can be difficult to translate salary comparisons, so there will always be a delicate conversation. As for money over mission or vice versa, I’m more concerned with manufacturers that design products or services focused on profit over security and resiliency. If we could get that fixed, we would have less of a challenge…”
Frye: “My impression is that the early career/new grads and the late-career/post-children-in-college group can focus on mission over money. Midlife professionals have to focus on money. Homes, college funds, childcare—these things drive your priorities in midlife.”
John: “The Siemens Foundation supported research by Advance CTE that surveyed the parents and students of current and potential career technical education students. That’s a group we really need to tap into to solve the cybersecurity skills gap. And there was one really powerful takeaway from the study: those surveyed wanted both financial security and the ability to make a positive impact; they weren’t willing to sacrifice either one. Still, over ninety percent of those surveyed also said that purpose and the opportunity to make a difference was more important to them than anything else. Well, cybersecurity clearly offers both sides of the coin. The median salary in the Cybersecurity field is $116,000, and you get to be solving tough problems and on the frontlines of securing the world’s critical infrastructure.”
Marks: “Cyber gunslingers always bother me. When you’re in it for the money alone, you represent a potential problem for any group. How much time and effort for new training, for example, are you going to waste on someone who could head out the door in a year for a ‘better paying’ gig? I like mission people. They are in it for the fun of doing it and the success you achieve. That ‘psychic income’ is hard to measure, but invaluable to everyone involved.”
Schneider: “Money always matters. People need to make enough money to feel comfortable, so there is a baseline level of compensation that government needs to pay to be competitive for talent. However, above that baseline there is a lot of variance in what motivates people. The problem that government has is not that it doesn’t pay enough; it’s that it doesn’t always value its personnel’s time, and so you dilute the power of the mission to recruit people when the government asks its talent to spend an inordinate amount of time on old IT, laborious admin processes, or undynamic tasks.”
#5 As the field continues to grow, will the problem solve itself?
Cooper: “It has taken a long time for the cybersecurity talent gap to develop, and it will also take a long time for it to improve; it will absolutely not solve itself. With the increasing digitalization and connectivity that we now so depend on, cybersecurity still feels like it is lagging where it needs to be. It has evolved from securing technology to include securing trust and resiliency in critical national and international systems. We need to develop the diverse cybersecurity talent that is able to not just respond to the challenges but is empowered to proactively get ahead of them in a whole of organization, national, and international approach. Our cybersecurity challenges are a ‘forever’ problem; we need ‘forever solutions’ to developing the required workforce, and we should be bold in our ideas and efforts to achieve it.”
Frye: “It eventually will, but the natural evolution of progress in both workforce and technology is not moving at the pace that the threat mandates.”
John: “No. It will not. Cybersecurity is a relatively immature discipline that is still figuring itself out. Yet it has to keep up with the exponential growth of technology and future-facing topics such as artificial intelligence and post-quantum cryptography. And while there’s something to be said for using new machine learning tools to detect threats, even those tools still need more human experts who know how to use them. So, it really does come down to people: talent. And in order to define what talent is, and to prepare and leverage that talent, we all need to be proactive. We need to continue to refine our school curriculums; help our students see the full picture of a cybersecurity career; give students access to cutting-edge technology; establish strong connections between educational institutions, government, and industry; prioritize gender and cognitive diversity; redefine what it means to be qualified and where talent exists; provide a clear vision and mission; and commit to continuous education, up-skilling, and re-skilling. Talent exists everywhere. We just need to make sure everyone has a path to the available opportunities in our industry.”
Marks: “Sadly, no in the short term. No matter what kind of incentives or training you provide, the problems and organizations experiencing them will outstrip the population available to deal with them. Also, despite it all, only a self-selected group of people will want to participate no matter what you do. In the long term, artificial intelligence and other forms of machine learning are ‘force multipliers,’ as the military says. That will ameliorate, but not stop the problem.”
Schneider: “We will grow more cybersecurity talent in the United States because the demand will be there, but we also need to have more flexible ways to bring foreign talent into the United States and pathways to citizenship that keep the talent here. Government’s problems recruiting that talent will not solve themselves (the bias in government is almost always for the status quo), and so the United States needs to make big changes if it expects to compete for cybersecurity talent.”
Simon Handler is a program assistant with the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security, focused on the nexus of geopolitics and national security with cyberspace. He is a former special assistant in the United States Senate. Follow him on Twitter @SimonPHandler.