Bridging the Cybersecurity Skills Gap

Zachary S., an 18-year-old senior at Silver Creek High School in Colorado, has career goals. He wants to be a pen tester. Short for penetration tester, this means he wants to work as an ethical hacker who finds and exposes weaknesses in cybersecurity as a way to strengthen defenses against cyberattacks.

Zachary was one of several high school students to recently compete in the Air Force Association’s CyberPatriot Student Competition, which tasks youth with finding cybersecurity weaknesses and strengthening a network’s defenses against hackers. While Zach’s team didn’t advance to the competition finals, several others did, culminating in the CyberPatriot XIV National Finals Competition, held in Maryland on March 18-20, 2022. Several high schools and students took top honors for their stellar cyber-defense skills.

“We continue to see the need for a diverse and talented cyber workforce across the United States and the world,” says Sandra Evers-Manly, president of the Northrop Grumman Foundation and vice president of global corporate responsibility, Northrop Grumman, a competition sponsor.

A Shortage of Professionals

Competitions like this have a key mission: building the cyber-skills pipeline. For years, America has been facing a critical shortage of people trained in cybersecurity, and the problem is more far-reaching. The World Economic Forum reports that governments, companies and other institutions around the world face a shortage of cybersecurity professionals estimated at more than 3 million – nearly as many as the 3.5 million currently working in the field. Organizations like the Airforce Association and the Cybersecurity Workforce Alliance (CWA) – a partnership of companies, the government and universities – have been working to address the shortage and to bridge that skills gap, as well as improve communication between industry and academia about what the needs truly are.

Leeza Garber, a cybersecurity and privacy attorney and Wharton School lecturer, this year published the book Can. Trust. Will. Hiring for the Human Element in the New Age of Cybersecurity. Garber, whose book is a guide to help executives and hiring managers build unbeatable cybersecurity teams, observes that, according to the statistics, employers are not finding the people they need to fill cybersecurity jobs.

Part of the challenge is that the need for professionals trained in a wide range of areas keeps growing. Cybersecurity complaints to the U.S. Federal Bureau of Investigation more than tripled during the pandemic. That trend continues. A March 2022 article in the University of Pennsylvania’s Penn Today features an interview with Perry World House Visiting Fellow Heli Tiirmaa-Klaar, an expert in cybersecurity and democracy, talking about how cyberattacks have shaped modern warfare.

Industry and schools are responding to the demand for trained cyberdefenders. According to the World Economic Forum, the U.S. government’s National Initiative for Cybersecurity Education has revised its framework for developing talent so schools can provide more relevant instruction and companies can be sure that graduates have the necessary skills.

And yet, it’s still not fast enough, says Jonathan Michael Smith, a professor of computer and information science at the University of Pennsylvania. He notes that while technology to manage networks is getting more sophisticated and defenders are communicating better about what works and what doesn’t, it’s hard to keep up with the fast pace of cybercriminal activity. An increasing arsenal of skills is required. “The real question is how rapidly the defenders have been making progress against the criminals and attackers,” he says. “The increase in complexity creates many more opportunities for the attackers and much more of an intellectual and logistical burden for the defenders. Essentially, the pace we need to operate at is that the progress has to be faster than the increase in system complexity.”

‘Creativity and Flexible Thinking’

Experts urge students who are interested in computer science and similar fields to seek out opportunities for hands-on experimentation and application, like the CyberPatriot competition and summer camps. Essential cybersecurity skills include networking and system administration, knowledge of operating systems (Windows, Linux, Max OS), network security control, coding, and cloud security. Dr. Smith, though admittedly old school, recommends a few classic books to pique the interest of aspiring cybersecurity professionals. These are The Cuckoo’s Egg by Cliff Stoll and books by Kevin David Mitnick, an American computer-security consultant and convicted hacker.

Cybersecurity is more than a promising career track – it’s a calling, suggests Smith. “When you’re thinking about your life’s work, I think you should ask yourself: Is this something that is important? How am I going to feel about myself when I’m ready to retire? Did I make society a better place?” he says. “When I see things like ransomware attacks [gaining access to computer systems and locking and encrypting the data stored there] on hospitals that prevent other human beings from getting the medical care they need, I think that’s appalling. Being part of the solution is a noble job.”

For one, Darin M., a student from Thomas Jefferson High School for Science and Technology in Virginia, hopes to become a vulnerability researcher to analyze software vulnerabilities and exploitation methods, track new vectors, and discover novel methods and approaches in software security. Darin was one of eight students to receive a Cyber All-American award at this year’s CyberPatriot Finals for making it to the end game all four years. “Security is different from other fields of computing because it requires more creativity and flexible thinking,” he says. “Figuring out what a system is meant to do and finding unexpected ways to break it is a lot of fun for me.”

Conversation Starters

What is cybersecurity and why does this skills gap exist?

Are you interested in the field of cybersecurity? What career track do you plan to pursue? Share your story in the comment section of this article.

High school student Darin M. says, “Security is different from other fields of computing because it requires more creativity and flexible thinking.” What does he mean by this? Why must you combine solid computer skills with creativity and agility in the face of hackers?