The Contest for Cybersecurity Professionals
People in the United States like to live in diverse communities - at least, that’s what they say. In reality, it is far more common for people to cluster among those who are like themselves, especially when it comes to political affiliation. According to a Washington Post article written a number of years ago, the clustering of Democrats in Democratic areas and Republicans in Republican areas has been a growing trend for at least the last 30 years – and it becomes even more granular at the far left and the far right. One consequence of this polarization is that large numbers of Americans no longer have much contact with people belonging to the other party. Many feel the views of their political opponents are not just wrong, but totally incomprehensible. This trend toward such a fractured and polarized community does have a silver lining. Both communities have something in common – no, not the truth, which too often today is in the eyes of the beholder, but rather the search for qualified and certified cybersecurity talent. They all face the challenge of recruiting and retaining qualified security talent.
Globalization is a force for both collaboration and competition. It is also proving to be a contest for resources - both natural and human. In an age during which growth is largely a product of creative and technological advancements, those companies that want to dominate their industries must be able to attract and retain talented employees. They must also engage people like never before if they want to innovate, grow, or in some cases, just survive. Only those companies that win the hearts and minds of their top talent will be able to deliver value tactically for the short-term, and strategically over the long-term.
Malicious cyber activity continues to grow at an unprecedented rate, severely threatening the nation's public and private information infrastructure. Attacks are growing in frequency, severity and complexity. Sensitive information is stolen daily from government and private-sector networks and intelligence officials often find persistent, unauthorized and sometimes unattributable presences on exploited networks. The threat ranges from the recreational hacker who thrives on the thrill and challenge of breaking into another’s computer to the national security threat of information warriors intent on achieving strategic advantage. Common across the spectrum is the insider who without proper monitoring and other security controls can wreak havoc on any system.
A threat has two components: capability, which consists of the subcomponents equipment, knowledge and skill, and intent. It used to be that the perpetrator needed highly technical equipment and had to have the technical knowledge and skills to launch any type of cyber attack. Today, with tens of thousands of hacker websites, one can easily download free software to launch whatever type of attack one desires. The equipment is readily available and very little technical knowledge is required. In other words, attackers can now be successful with virtually no technical skillset.
Security's Shaky State - What People in the Industry Have to Say
Despite millions of unemployed workers, there is an acute shortage of cybersecurity talent. Although resumes abound, there are companies that are still feverishly searching for the right people, the critical talent that will make the difference between succeeding and failing in today’s marketplace. Such talent is scarce and it is about to become much more so because of two looming trends: the retirement of the Baby Boom generation and a growing skills gap. A company’s critical talent possesses highly developed skills and deep knowledge—not just of the work itself but also of “how to make things happen” in the organization. Without these people, organizations could not achieve their strategies. The following are but a few of the comments from industry leaders:
- “Cyber threat growing at unprecedented rate,” says intelligence chief Dennis Blair, the former Director of National Intelligence. - Federal Computer Week;
- “There are too few people choosing technical careers.” - Google Senior VP, Urs Holzle;
- The U.S. Cyber Command plans to boost its cybersecurity agency to nearly 5,000, but knowledgeable security professionals remain scarce;
- “The search for technical talent in the US has become fiercely competitive.” - Yahoo, Heidi Burgett;
- When it comes to security, most IT departments are underfunded, understaffed, and underrepresented, IT security pros say. - InformationWeek;
- "Without the right people to fill the job, businesses may have difficulty formulating and effecting security policies." - Sol E. Solomon, ZDNet;
- Dennis Blair, the former Director of National Intelligence, told members of the Senate Select Intelligence Committee that, “in the dynamic of cyberspace, the technology balance right now favors malicious actors rather than legal actors, and is likely to continue that way for quite some time.”
A study by JobsAhead and Nasscom also shows that in the United States alone, there will be a shortfall of around 25,000 to 50,000 Information Security professionals over the next few years. Based on skills data, fewer than 2,500 workers have specific Information Security skills, a number which represents a minuscule 0.5 per cent of the IT workforce.
Where is the Beef
The contest for cybersecurity professionals is evident everywhere, although the nature and significance of trends vary from organization to organization. The retirement of the baby boom generation will create large vacancies across the cybersecurity ambit. Educational trends will exacerbate this massive shift in the workplace population. In the United States, Germany, and Japan, for example, the percentage of students graduating with science and engineering degrees hovers in the single digits, far below the percentage figures for India and China. Such trends suggest a talent market unlike any that we have seen.
The game is changing in other ways as well. Jobs are no longer static. Companies must continually train and develop employees if they are to keep pace with the speed and complexity of technological innovation. Individuals need greater flexibility in their career paths, and organizations need greater flexibility from employees. People must connect across businesses, divisions and regions in ways that promote high-quality decisions and fast execution. Otherwise, organizations will no longer be able to provide the value necessary to promote the flexibility and productivity they will need to compete. There are simply not enough people to fill the gap of cybersecurity professionals we will need today and tomorrow. Thirty-nine percent of the population (2012) are baby boomers. Other generations are depicted below.
As the chart below so clearly shows, employees are the single most critical factor contributing to an organization’s growth – and there are not enough of them to fill this gap.
In addition to the issue of not enough employees, there is the issue of the disengaged employee. Pollster Gallup has found that 80% of workers lack commitment to their jobs, with a quarter of those being “actively disengaged” because of their workplaces. This is primarily due to waves of downsizing, employer demands, job disenchantment, and the threat of unemployment. Disenchanted workers pull down productivity, increase churn, and darken the morale of the people around them, ultimately costing a whopping $350 billion in the United States. Workplace toxicity may in fact trump other factors when it comes to employee morale and performance. Moreover, the number one reason employees leave comes down to their relationships with their bosses. Studies have shown that three of four bosses were deemed incompetent.[1]
1. Source: Deloitte Research
The crux to employee engagement is all about leadership. All leaders manage but not all managers lead! The management skill level of first-line managers affects employee retention, overall productivity and even profitability. The relationship between manager and employee is critical to the success of an organization. An important part of that relationship is mutual agreement on what work needs to be done, why it is important and when it will be accomplished.
It is easy enough to talk about vision, mission, strategy and goals; however, it is also almost impossible to expect employees to perform in a way that aligns with organizational goals unless they have a well-defined and implemented process. This process will help align the employee with the performance requirements of the organization. A focus on logical processes and reasonable commitments will help even experienced managers build a more effective process for goal creation, clear work standards and better job performance.
How to Meet the Challenge
So, how can a manager cope with this situation? One approach is to become the “Employer of First Choice.” This is done by improving recruitment and employment practices; by ensuring that compensation and recognition systems are in place to attract and retain cybersecurity talent; by developing and training the workforce to meet current and future needs; by ensuring that managers are equipped to lead your organization to the “employer of first choice” reality; and by promoting and supporting a diverse workforce and cultural environment.
There are a host of federal efforts to assist today’s managers. These programs provide capacity-building grants to academic institutions to bolster cybersecurity education and workforce development (CSEWD), including the National Science Foundation (NSF) via the Scholarship for Service program (SFS) (2000), the Department of Defense’s Information Assurance Scholarship Program (IASP), and increased budgets for cybersecurity activities. There are also Cybersecurity Education and Training Initiatives including The National Initiative for CyberSecurity Education (NICE) with its three goals:
- Goal 1. Raise national awareness about risks in cyberspace
- Goal 2. Broaden the pool of individuals prepared to enter the cybersecurity workforce
- Goal 3. Cultivate a globally competitive cybersecurity workforce
There are the Science, Technology, Engineering, and Mathematics (STEM) Education initiatives that bolster formal cybersecurity education programs encompassing kindergarten through 12th grade. There are also higher education and vocational programs, with a focus on the science, technology, engineering and math disciplines. Both of these initiatives will provide a pipeline of skilled workers for the private sector and government. Moreover, there are a number of universities across the nation offering BS/MS/DSc/PhD programs in computer security, such as the University of Fairfax, the only online institution that is 100% focused on cybersecurity implementation across the nation. The University of Fairfax awards cybersecurity certifications, master’s degrees and doctoral degrees in cybersecurity.
Being aware of the above resources, a good manager can reduce the losses caused by an exhausted and demoralized workforce by:
- Helping employees to effectively manage information overload.
- Providing them with the tools they need to get their jobs done in the most effective way possible.
- Redesigning jobs and working conditions and ensuring that key people are effectively developed and well-deployed.
- Examining the deployment and development of the people tasked with leading others before diving headlong into technology-based solutions to ameliorate work overload and stress; this is where organizations may want to kick off their talent strategies.
Today’s cybersecurity professionals really do not demand much from employers. Besides good leadership, all they ask for is interesting and challenging work, open, two-way communication, and opportunities for growth and development. Monetary rewards and benefits are only secondary. The manager must realize that career path diversification is a good thing for employees. Moving between technical and management roles creates a well-rounded employee capable of assuming many different cybersecurity positions.
Conversely, pigeon-holing valuable cybersecurity personnel will help contribute to their rapid departure. Cybersecurity professionals should be able to cross into both the technical and management disciplines. In many companies, they can carry the rank of a senior manager or director and are responsible for both the technical and the managerial aspects of the network information system. Employers can modify key job descriptions as required to take full advantage of a key employee’s skills and expertise. Job descriptions should be dynamic in nature and not cast in concrete. As a key employee’s skill level grows, he or she should be capable of assuming a greater role in the information system group.
What's It All About
It is all about recruiting, retaining, and training qualified and certified cybersecurity professionals. They are our biggest security assets, and without such mission-critical skill sets an organization will not be able to meet and sustain its mission and goals. The first step is to identify those key individuals and then take the appropriate steps to help them grow and entice them to stay. A well-defined career path with clear milestones and checkpoints for them to measure their progress is essential. Continuing education and knowledge improvement resources are a good thing. Scheduled performance management reviews let these employees know exactly how they are performing. These highly skilled personnel need to be continuously trained in this exceptionally dynamic arena. Companies and the Federal Government are increasingly requiring cybersecurity certifications according to Directive 8570.1: Information Assurance Training, Certification and Workforce Management. This directive requires that all Department of Defense (DoD) Information Assurance technicians and managers be trained and certified. The same goes for the National Security Agency (NSA) with CNSS 4011/12 certifications.
Below are some of the key certifications that all cybersecurity professionals need to consider:
- CISSP® - Certified Information Systems Security Professional - CISSP certification is not only an objective measure of excellence, but a globally recognized standard of achievement.
- SSCP® - Systems Security Certified Practitioner - for personnel in many other non-security disciplines that require an understanding of security but do not have information security as a primary part of their job description.
- CAP® - Certification and Accreditation Professional - this credential applies to those responsible for formalizing processes used to assess risk and establish security requirements.
- CSSLP - Certified Secure Software Lifecycle Professional - the only certification in the industry that ensures that security is considered throughout the entire software lifecycle.
- Global Information Assurance Certification (GIAC) - (SANS) GIAC's purpose is to provide assurance that a certified individual has practical awareness, knowledge and skills in key areas of computer, network and software security.
- CompTIA Security+™ Certification.
- The Certified Information Systems Auditor (CISA) is ISACA’s cornerstone certification - for IS audit, control, assurance and/or security professionals.
- The Certified Information Security Manager (CISM) certification is a unique management-focused certification - it is for the individual who manages, designs, oversees and assesses an enterprise's information security program.
As Government and Industry increasingly require cybersecurity certification, nearly 33% of U.S. firms now make certification a requirement, compared to only 25% in 2006 and 14% in 2005. Nearly 60% of U.S. companies require cybersecurity training; however, with a full 78% of organizations in China requiring certification, U.S. firms still have a long way to go if they are to keep up.
Government and industry must explore innovative approaches to build and retain cybersecurity employees in the workforce. This can be accomplished by:
- Expanding internship programs.
- Establishing “apprentice-like” programs that are formalized career training programs that offer a combination of structured on-the-job training and related technical instruction to employees to train them in positions that demand a high level of skill.
- Building a stronger education/training pipeline to improve/enhance employees’ skillsets.
- Expanding opportunities for continuous learning.
- Enhancing employees’ ability to manage their careers.
- Strengthening work supports to promote employment retention and career advancement.
- Strengthening governance and accountability within the workforce system.
- Establishing a Knowledge Management System.
Moreover, explore processes and tools that allow the organization to efficiently capture, maintain, and utilize its information. These processes and tools must be in place for companies to continually train and develop their cybersecurity employees if they are to keep pace with the speed and complexity of technological innovation. Individuals need greater flexibility in their career paths, and organizations need greater flexibility from employees, who must connect across businesses, divisions, and regions in ways that promote high-quality decisions and fast execution. Responding to today's workplace demands means that firms must offer more than just a place to work. Record-high numbers of disaffected workers already cost organizations millions of dollars in lost productivity. In the face of such challenges, traditional approaches to managing talent fall short – recruiting, retaining, developing and monitoring the workforce becomes critical.
As far as recruiting, once the functional requirements of the workforce are determined there are many different ways to find the right person for the job: 1) staffing and classification; 2) benefits and compensation; 3) recruitment and retention strategies (i.e. recruiting, relocation bonuses, retention allowances - 3 Rs and Loan Repayment Program); 4) Competitive Service Merit Promotion; 5) Excepted Service Authority; 6) Intern, Student and Upward Mobility Programs; and 7) Executive Resources Board.
Equally as important as recruiting the right people is retaining them. Retention initiatives may involve the following: 1) Performance Management and Recognition Program; 2) benefits and compensation; 3) recruitment and retention strategies (i.e. 3 Rs and Loan Repayment Program); 4) work/life programs; 5) Flexi place; 6) alternate work schedules; 7) succession planning (i.e. organizational and individual skills assessments); and 8) career paths, rotational and detail assignments.
Part of retention is developing employees, which can involve the following: 1) Performance Management and Recognition Program; 2) career planning/mapping tools; 3) training and certification programs; 4) employee mentoring, learning and career development/career paths; 5) organization-specific learning and career development programs; 6) Individual Development Plans (IDPs); and 7) learning achievement recognition.
Workforce transition starts with identifying impact and continues with various support and assistance such as: 1) retirement counseling; 2) buyout/early out incentives; 3) change in duty station benefits and incentives; 4) Career Transition and Assistance Plan including retraining; and 5) separation – exit interview.
Finally, continuous evaluation and assessment of the workforce is essential: assess progress against performance measures, revise and update the plan as changes occur, and assess the plan's effectiveness.
Strategic Road Map Objectives
It is important to develop a knowledgeable workforce through a combination of strategies: working with human resources departments to set guidelines for hiring cybersecurity professionals; assessing the qualifications of existing professionals; establishing qualification requirements; and monitoring progress toward meeting these qualification requirements. General training should also be provided to all employees to raise awareness and build on governmental and departmental training efforts.
The above chart demonstrates the objectives for obtaining a knowledgeable workforce and shows how those objectives are built on the foundation of senior leadership oversight. Building on existing federal and/or industry training initiatives, position descriptions, training qualifications, hiring guidelines and performance indicators will be identified for current and future cybersecurity professionals. Continuous monitoring and improvement of these initiatives will be crucial to accommodate the changing environment and advances in security technology. Successful implementation of this goal will increase cybersecurity awareness, understanding, and acceptance of cybersecurity concepts and practices throughout the organization and will incorporate responsibility, awareness, and acceptance into the core work values of all employees.
It is a matter of trust. Trust breeds confidence and confidence breeds success. Qualified and certified cybersecurity professionals are trusted to be today’s and tomorrow’s vanguard, protecting national networks and infrastructures against any and all cyber attacks. It is not enough to be qualified; certification is just as important. To reiterate what was mentioned earlier, based on skills data, fewer than 2,500 workers have specific cybersecurity skills. This number represents a minuscule 0.5 per cent of the IT workforce. To mitigate this shortfall, it is very helpful to identify key cybersecurity personnel and to focus on creative activities to retain them, including strong ongoing education plans to keep them abreast of changing network technology. By providing both management and technical career opportunities, such cybersecurity personnel gain growth opportunities and the ability to learn new skills, staying flexible enough to meet specific enterprise needs. It would therefore be wise to create a talent pipeline for cybersecurity personnel, in which organizations internally develop, train and retain, while simultaneously externally attracting and hiring, such critical cybersecurity professionals. The chart below outlines the relationships between the workforce components that work together to ensure the recruitment and retention of qualified security talent. Aiming for the goal of securing plenty of talented cybersecurity experts is a good thing for all of us.
published in the United States Cybersecurity Magazine