Must Go Big: Cyber Workforce Development Currently a Fade
By Larry Clinton, Skytop Contributor / March 14th, 2022
Larry Clinton is President of the Internet Security Alliance (ISA). The ISA is a multi-sector trade association that focuses on thought leadership, policy advocacy and developing best practices for cyber security. Mr. Clinton holds a certification on Cyber Risk management for Corporate Boards from Carnegie Mellon University. He is on the faculty of the Wharton School, where he teaches a graduate Executive Education course in cyber security.
The National Association of Corporate Directors has twice named Mr. Clinton as one of the 100 most influential people in the field of corporate governance. He is a two-term Chair of the IT Sector Coordinating Council and serves on the Cybersecurity Advisory Board for the Center for Audit Quality and the Cyber Advisory Board for the Better Business Bureau. He is widely published and has been a featured spokesman in virtually all major media outlets, from WSJ, USA Today, Fox News, NBC, CBS, NYT, PBS Morning Edition, CNN & even MTV in India. He testifies often before Congress. He has briefed industry and governments worldwide, including NATO and the OAS. ISA was also the only trade association to be part of the official cyber security briefing for the Republican National Convention in Cleveland.
ISA recently published the Cyber Social Contract (Vol. 3), which outlines 106 recommendations for the President and Congress. The previous editions of the ISA Social Contract were endorsed by the House GOP Task Force on Cyber Security and were the basis for President Obama’s Executive Order 13636 on Cyber Security. He is the industry co-chair (DHS is the government co-chair) of the Policy Leadership Working Group on Cyber Security Collective Defense featured at the National Cyber Security Summit in New York in July.
He literally “wrote the book”: the Cyber Risk Handbook for corporate boards, which is the only private sector publication endorsed by both DHS and DOJ. PWC has independently evaluated the Cyber Risk Handbook and found it substantially changed how corporate directors address cyber risk management, leading to higher budgets, better risk management, closer alignment of cyber security with business goals and helping to create a culture of security. In 2017 ISA adapted the Handbook for the UK and Germany. As in the US, the German edition has been endorsed by the German government. ISA is now working with the OAS on a Latin American version of the handbook, as well as an edition for India and Japan, in partnerships with industry groups.
We Need More Cybersecurity Professionals, Yesterday
We can never create an adequately secure system unless we have enough trained people. We have known this immutable reality for decades, yet not only are we failing to solve the problem, it is getting worse. According to a study from (ISC)², there is a global shortage of nearly 3 million cybersecurity professionals, and although that gap has decreased in 2021, demand continues to outpace the supply of talent. According to the study, the global cyber workforce will need to grow by 65 percent in order for organizations to be able to effectively defend their critical assets. Ironically, there are millions of extremely important, high-paying and professional positions, and yet we have an endemic problem. Although there are a variety of laudable cybersecurity workforce programs, it is clear our current strategy is not adequate to meet our needs. We need to acknowledge that the present course is inadequate and replace it with a high-profile, multi-pronged effort.
Time to Acknowledge the Elephant in the Room
Nations around the world are under constant cyber-attack. However, according to an Intel Security study, 76% of global cyber professionals believe their government is not investing enough in building cybersecurity talent. Globally, we need to be making significant investments in cyber education.
How Governments Can Provide Incentives to Learn
Governments can receive a return on their investment by offering financial incentives for students to provide their services and skills to the government. Just as the U.S. “GI-bill” funded education for those who provided government service defending our country during World War II, governments globally should begin offering free or subsidized education to students who commit to government service upon completion of their training. This model resembles the service academy model being used in the United States. When the U.S. Air Force Academy was created, the United States was able to train future leaders in specialized aspects of national defense in a new domain. Cyber is a new domain of combat globally, and a similar program – a virtual service academy for cybersecurity – could accomplish similar results.
Since cyber-attacks are not limited to traditional military targets, graduates of these programs could fulfill their commitment by serving any level or department of government.
This model could be applied to programs at all accredited colleges and universities. Such an initiative could establish that cybersecurity is a national mission and therefore strengthen the cybersecurity talent pipeline. The curriculum for the program could be adapted from any of the major cybersecurity programs already in existence and then shared with any accredited institution interested in providing this training. This would substantially eliminate financial risk for colleges and universities in developing cyber programs while dramatically expanding the reach of the program on a cost-effective basis. An added benefit would be the creation of a strong network among institutions for innovation and information sharing. Upon completion of government service, graduates could continue to serve our national defense in the private sector.
Including Underserved Populations
Additionally, the government should target institutions serving underserved populations. Not only would this address global diversity challenges in STEM fields, but it would also create a much-expanded pool of cyber professionals. These programs could target underserved women and minority populations. For example, in the United States, Congress introduced legislation that would create a grant program targeted at expanding cybersecurity training at Historically Black Colleges and Universities and other institutions that serve a high proportion of students displaying exceptional financial need.
Programs for these kinds of institutions should be created, including incentives for private entities willing to underwrite these programs at the state, local and regional levels. Contributing teaching materials and techniques, as well as scholarships targeted toward these underserved populations, could help close both the cyber workforce gap and the socioeconomic gap.
Include Students at All Levels
Appreciating that workforce needs must be addressed well before the collegiate level, we need to develop a cyber education program that spans all levels of education. We should integrate cyber into primary and secondary education with classroom initiatives, expanded teacher education, and after-school competitions to develop an interest in the field. These programs should offer hands-on experiences in building operating systems so students are prepared for and confident enough to think several steps ahead of attackers. Education programs should blend technical training with humanities, business, and policy to prepare cyber professionals for privacy and human-computer interaction challenges.
Making Cybersecurity Cool
We also need to expand the target audience for these positions. We must eliminate the stereotype that cybersecurity is just a “techy” or “nerdy” profession. Leading organizations are already re-conceiving cybersecurity as less tech-centric and more like an enterprise-wide issue with major cybersecurity-related roles in areas like H.R., contracting, supply chain, risk management, and even P.R. A successful cyber recruitment program would expand the pool of interested people and make cyber “cool.”
The accounting sector encountered a similar challenge with a shortage of people entering the profession, which was perceived as boring and technical. The industry responded by developing a creative marketing program that created a new “face” for their profession to make accounting jobs more enticing to a younger demographic. The cybersecurity recruitment effort could adapt the accounting model, for example by creating a personified representative for cybersecurity.
These marketing techniques create a young, attractive, energetic, and approachable vision of what working in cybersecurity is like (think less Smokey the Bear and more Jessie, the DraftKings spokesperson). Moreover, we can leverage pre-existing interests in youthful demographics to make careers in cybersecurity more attractive. For example, we should be reaching younger audiences through gaming events that demonstrate how gaming skills can be used to develop a lucrative career in cybersecurity. Media can also be leveraged. Just as ESPN turned niche activities, like poker and fantasy football, into prominent portions of its lineup, expanding its reach, the same can be done with gaming with a cyber component.