At Black Hat in Las Vegas last week, Trend Micro’s Kevin Simzer spoke about the global, dire need for cybersecurity talent. The number of open jobs in cybersecurity continues to increase dramatically. A report from Cisco stated that there were over one million unfilled positions globally in 2016. Symantec’s CEO said the shortfall will rise to 1.5 million by 2019. A study by ISC2 projects 1.8 million open positions by 2022.
Enterprises need information security talent for a set of tasks. The US Department of Commerce established NICE (the National Initiative for Cybersecurity Education, see https://www.nist.gov/nice for details) to support training in cybersecurity. This initiative, documented in NIST SP 800-181, lists seven workforce categories:
The scale and urgency of the issue exceed the response time of conventional market mechanisms. In the US, the National Institute of Standards and Technology (NIST) has partnered with CompTIA (the Computing Technology Industry Association) and Burning Glass (a consultancy) to produce a heat map showing open jobs by region within the US. See http://cyberseek.org/ for details.
Professional certification can open doors for job seekers. As of this writing, CyberSeek shows 108,874 people in the US holding CISSP (from ISC2, see https://www.isc2.org/Certifications/CISSP), CISA, or CISM (both from ISACA, see http://www.isaca.org/certification/cisa-certified-information-systems-auditor/pages/default.aspx) designations, while there are 140,855 open jobs requiring one of these.
Open competitions such as Capture-the-Flag can excite and reward new cybersecurity talent. Trend Micro runs an annual competition, described at http://www.trendmicro.com/tmctf, designed to “target young professionals in the cybersecurity industry to enhance their practical skills in areas such as cybercrimes, targeted attacks, Internet of Things (IoT) and Industrial Control Systems (ICS).”
Beyond conventional state-sponsored and higher-level education, enterprises can ramp up training programs to meet their individual requirements. During the 1970s, many industries rapidly automated conventional back-office processes, creating demand for skilled programmers. Since there were few degree-granting programs in computer science or software engineering then, certain leading firms trained programmers themselves. This business process created three unforeseen benefits.
As of this writing (Aug 2, 2017), Amazon has 89 open cybersecurity jobs in the US. IBM has 98. Trend Micro trains skilled individuals in many geographies globally. In the first half of 2017, 50 people completed the training program. Nine have joined Trend Micro, and the rest have joined partner firms in their regions. There is no cost. Students receive a small stipend during the seven-week program. That program will scale up to meet some of Trend Micro’s global cybersecurity skill requirements in parallel with conventional experienced hiring. While some organizations (or consortiums) may not be able to justify a training program, those that run one will reap substantial benefits for themselves and their communities.