
NIST Cybersecurity Framework

The Cybersecurity Skills Gap: The Defining Skills Shortage of Our Age


The cybersecurity skills gap is nothing new to the seasoned cyber professional. It has been widely discussed in cyber and information security circles for some time. The main flag that many, including TechCrunch, are currently citing as an indicator that the skills gap is widening is the (ISC)2 report stating that there are now almost 3 million cybersecurity jobs unfilled worldwide. Having been a part of the skills gap conversation from multiple sides - as a cybersecurity research fellow at MIT, a Fortune 50 CSO, and collaborator on numerous NIST cybersecurity initiatives - I’ve considered the root cause of the skills shortage that our industry is facing and how this problem will be solved.

Why A Cybersecurity Skills Gap Emerged

In the early days of information security, it was seen as a niche specialty within computer science (an already niche field). For technical leaders in the late 90s and early 2000s, computer science in practice was not learned in a university setting - the skills were acquired as needed. Furthermore, the complexity of a field such as cybersecurity makes answering the question “so what do you do?” extremely complicated. As early members of the now exponentially growing field of cybersecurity, being ambassadors for the field is difficult - explaining cybersecurity to a spouse is incredibly complicated, let alone communicating it to a high school senior or college freshman. The way by which current information security leaders acquired their skillset is very different than what these new positions are seeking now. We are reaching an inflection point in the cybersecurity skills gap that I believe could already have been solved.

The Cybersecurity Skills Gap Inflection Point

The inflection point that I’m referring to is the intersection of the general public’s realization that the digital world and the physical world are far more closely connected than we realized, and the fact that to date members of industry and academia had not considered cybersecurity as a foundational principle of computer science. While many have been sounding the alarm for years, we are now seeing the cybersecurity skills gap widen even further as the demand increases and the supply is not there - yet.

Adjust Your Timeframe

Having worked in both academia and the corporate world, I have seen the juxtaposition of the timeframes of these two environments: corporations move exponentially faster and rely on the forces of public opinion and demand, both of which are moving exponentially faster given the rapid pace of technological advancement. So there you have your source of increased demand. On the supply side, we have academia. Academia, at its fastest, moves in four-year generations. One change made with one class requires four years to see the impact of that change. What we see with the skills gap is the demand growing faster than the supply can support.

NIST’s NICE Intervention

Foreseeing the gap that many are only starting to see today, I was a part of a team assembled by NIST to solve what could be the defining skills shortage of our era. Some foresaw the supply and demand equation that I outlined above in the public and private sectors, and the solution we developed was a government program that would be able to supplement the supply generated by the academic institutions.

NICE: National Initiative for Cybersecurity Education

NICE emerged as a partnership between government, academia, and the private sector to help augment existing members of the workforce and engage students to realize how cybersecurity fits into their education. When we first began developing programs at NICE, we started at the Master’s level - educated enough to realize the need but probably still involved in the private sector. However, as time went on, we discovered that that was not sufficient. We went further back to undergrad, then high school, and eventually built out a K-8 curriculum. The fact was, and still is, that cybersecurity is as critical as physical security and future generations will probably see little difference between the two.

Back To The Skills Gap

So great, NICE has been working for years on this problem and yet we are still seeing an increase in the skills gap - is it not working? No. The fact is that while NICE has been able to supplement the supply of cybersecurity workers delivered by academia, education cycles are some of the longest. While demand continues to skyrocket, the supply is not going down; it has merely not increased at the same rate.

The Solution Is Here

The alarms that many have raised recently are not new - instead, the awareness is. While I believe we have a sustainable solution in place, sustainable initiatives take time to implement. In my next post on the skills shortage, I plan on discussing the use of “new collar” workers as a stopgap to the expansion of the cybersecurity skills gap while initiatives like NICE are implemented for the long term. 
