Bridging the Cybersecurity Skills Gap
Zachary S., an 18-year-old senior at Silver Creek High School in Colorado, has career goals. He wants to be a pen tester. Short for penetration tester, this means he wants to work as an ethical hacker who finds and exposes weaknesses in cybersecurity as a way to strengthen defenses against cyberattacks.
Zachary was one of several high school students to recently compete in the Air Force Association’s CyberPatriot Student Competition, which tasks youth with finding cybersecurity weaknesses and strengthening a network’s defenses against hackers. While Zach’s team didn’t advance to the competition finals, several others did, culminating in the CyberPatriot XIV National Finals Competition, held in Maryland on March 18-20, 2022. Several high schools and students took top honors for their stellar cyber-defense skills.
“We continue to see the need for a diverse and talented cyber workforce across the United States and the world,” says Sandra Evers-Manly, president of the Northrop Grumman Foundation and vice president of global corporate responsibility, Northrop Grumman, a competition sponsor.
A Shortage of Professionals
Competitions like this have a key mission: building the cyber-skills pipeline. For years, America has been facing a critical shortage of people trained in cybersecurity, and the problem is more far-reaching. The World Economic Forum reports that governments, companies and other institutions around the world face a shortage of cybersecurity professionals estimated at more than 3 million – nearly as many as the 3.5 million currently working in the field. Organizations like the Airforce Association and the Cybersecurity Workforce Alliance (CWA) – a partnership of companies, the government and universities – have been working to address the shortage and to bridge that skills gap, as well as improve communication between industry and academia about what the needs truly are.
Leeza Garber, a cybersecurity and privacy attorney and Wharton School lecturer, this year published the book Can. Trust. Will. Hiring for the Human Element in the New Age of Cybersecurity. Garber, whose book is a guide to help executives and hiring managers build unbeatable cybersecurity teams, observes that, according to the statistics, employers are not finding the people they need to fill cybersecurity jobs.
Part of the challenge is that the need for professionals trained in a wide range of areas keeps growing. Cybersecurity complaints to the U.S. Federal Bureau of Investigation more than tripled during the pandemic. That trend continues. A March 2022 article in the University of Pennsylvania’s Penn Today features an interview with Perry World House Visiting Fellow Heli Tiirmaa-Klaar, an expert in cybersecurity and democracy, talking about how cyberattacks have shaped modern warfare.
Industry and schools are responding to the demand for trained cyberdefenders. According to the World Economic Forum, the U.S. government’s National Initiative for Cybersecurity Education has revised its framework for developing talent so schools can provide more relevant instruction and companies can be sure that graduates have the necessary skills.
And yet, it’s still not fast enough, says Jonathan Michael Smith, a professor of computer and information science at the University of Pennsylvania. He notes that while technology to manage networks is getting more sophisticated and defenders are communicating better about what works and what doesn’t, it’s hard to keep up with the fast pace of cybercriminal activity. An increasing arsenal of skills is required. “The real question is how rapidly the defenders have been making progress against the criminals and attackers,” he says. “The increase in complexity creates many more opportunities for the attackers and much more of an intellectual and logistical burden for the defenders. Essentially, the pace we need to operate at is that the progress has to be faster than the increase in system complexity.”
‘Creativity and Flexible Thinking’
Experts urge students who are interested in computer science and similar fields to seek out opportunities for hands-on experimentation and application, like the CyberPatriot competition and summer camps. Essential cybersecurity skills include networking and system administration, knowledge of operating systems (Windows, Linux, Max OS), network security control, coding, and cloud security. Dr. Smith, though admittedly old school, recommends a few classic books to pique the interest of aspiring cybersecurity professionals. These are The Cuckoo’s Egg by Cliff Stoll and books by Kevin David Mitnick, an American computer-security consultant and convicted hacker.
Cybersecurity is more than a promising career track – it’s a calling, suggests Smith. “When you’re thinking about your life’s work, I think you should ask yourself: Is this something that is important? How am I going to feel about myself when I’m ready to retire? Did I make society a better place?” he says. “When I see things like ransomware attacks [gaining access to computer systems and locking and encrypting the data stored there] on hospitals that prevent other human beings from getting the medical care they need, I think that’s appalling. Being part of the solution is a noble job.”
For one, Darin M., a student from Thomas Jefferson High School for Science and Technology in Virginia, hopes to become a vulnerability researcher to analyze software vulnerabilities and exploitation methods, track new vectors, and discover novel methods and approaches in software security. Darin was one of eight students to receive a Cyber All-American award at this year’s CyberPatriot Finals for making it to the end game all four years. “Security is different from other fields of computing because it requires more creativity and flexible thinking,” he says. “Figuring out what a system is meant to do and finding unexpected ways to break it is a lot of fun for me.”
Conversation Starters
What is cybersecurity and why does this skills gap exist?
Are you interested in the field of cybersecurity? What career track do you plan to pursue? Share your story in the comment section of this article.
High school student Darin M. says, “Security is different from other fields of computing because it requires more creativity and flexible thinking.” What does he mean by this? Why must you combine solid computer skills with creativity and agility in the face of hackers?
Wow, this article might have convinced me to do cybersecurity!
I think that there are not enough people in cybersecurity because it is not a required school subject. However, technology is now everywhere. So, I think it is time for schools to rethink having computer science classes as just an option. People must know how to act against online threats. Modernizing American public education, in general, should be a main concern. New York’s Regents tests have been mostly unchanged for around the past 15 to 20 years, exemplifying the unchanging education system. This also shows that the system has not gone through as much change as the internet has. While computer science is taught in public schools, it is not yet a main subject.
Although I grew up with technology, there is still a lot I do not know about cybersecurity. I only know the basics, like never sharing my personal information.
In elementary school, I tried coding, but it did not go well since my teachers were confused about what was going on as well. I simply could not figure out how to code for a ball to move across my iPad screen. I am a fast learner, but I sat there for an hour trying to learn coding. After that hour passed, I still could not understand it for some reason. In my frustration, I refused to learn coding for the next few years. I think my bad experience with coding was because my teachers didn’t know enough about it either. It is important to bring in qualified teachers to teach these skills. Computer science and internet skills have become more important in life, so school teachers should learn to better understand them as well.
Recently, I’ve decided to try coding again, but I know that I am not the only one who thinks it is hard. If we taught computer science as a core class then we may see more people taking on cybersecurity jobs.
However, the difficulty with cybersecurity is that the skills are not the same: there are a lot of systems, coding languages, and customizations. Every company tries to hire cybersecurity workers with skills that suit their business. Or, businesses will figure out a way to be compatible to subscribe to larger professional cybersecurity hubs.
Students who want to do cybersecurity can major in computer science at schools like Carnegie Mellon. Many people who major in computer science or plan on doing so, like my cousin, enjoy playing video games. Cybersecurity is different from video games. However, if there is a way to incorporate those game-like aspects into the job, then it may be more appealing.
A downfall of cybersecurity may be that it gives cybersecurity workers a lot of responsibility. The responsibility will only get heavier as businesses begin to go mostly online. If their website shuts down or their bank account information is exposed, then that is dangerous for the company.
Is there a way to make sure that cybersecurity workers are not always walking on eggshells with their jobs? Yes, it is probably their fault if a hacker gets the business’s private information. Still, there are such things as ineffective defenses. If there is some kind of assurance, then that may boost the number of people who take these jobs.
A new possible way of cybersecurity is by going on the offensive. Most cybersecurity is defense, but that doesn’t do much to stop criminal activity. Cybersecurity should not be about building walls that make it difficult for criminals to get through, but to also catch, tag, target, and track them.
The future of cybersecurity should be about going on the offensive and generalizing computer science education. This then ensures that basic internet skills are taught to every learner, which can be used in almost any part of life. Cybersecurity is a field that looks promising: it can guide public education in a new direction and explore new ways of protecting businesses online.