How should cyber security professionals be educated and trained? It’s an important question, especially at a time when many enterprises perceive a shortage of skilled professionals capable of keeping their corporate networks secure. For example, a 2014 study by the Enterprise Strategy Group discovered that one-quarter of firms felt they lacked sufficient numbers of personnel with infosec skills.
Cyber security skills in demand as threat environment becomes more complex
While cyber security experts seem to be in short supply at the moment, malware and cyber attacks are not. Organizations like the U.S. Department of Defense and the National Nuclear Security Administration must withstand millions of attempted intrusions each day. The U.S. federal government, realizing the scope of the current threat, recently passed the Federal Information Security Modernization Act of 2014 to introduce real-time monitoring of public sector networks and better delineate the responsibilities of securing .gov domains.
At the same time, the private sector faces its own cyber security pressures, as demonstrated by the recent and high-profile breaches of everyone from Target to JPMorgan Chase. There is a clear incentive to train more cyber security professionals and streamline how security software and practices are implemented. Fortunately, many postsecondary institutions in the U.S. are stepping up to the plate to satisfy this demand.
“The demand is very high,” observed Kenneth Knapp, professor and head of the cyber security program at the University of Tampa, according to The Tampa Tribune. “I’ve had students get into cyber space companies with just one security class, never mind an entire major.”
The changing shape of cyber security education: Colleges, government attempt to address industry shortage
What’s driving such enormous demand? For starters, there is intense competition for cyber security talent as corporations and government offices look to shore up their defenses against a wide range of threats:
- The Global Information Security Workforce has predicted that over the next three years, demand for personnel with relevant security skills may rise 13 percent each year.
- The White House’s cyber security czar, Michael Daniel, has stated that the government will be adding 6,000 professionals across its cyber defense teams over the next 18 months, maintaining the public sector’s position as the leading employer of cyber security experts.
- McKinsey predicted in 2011 that by 2018 there would be approximately 150,000 unfilled positions for data analytics experts, who specialize in making sense of, and identifying anomalies in, the growing amounts of activity on enterprise networks.
- Overall, the market for cyber security professionals may be growing 12 times faster than the U.S. job market as a whole.
Both the public and private sectors are fervently seeking cyber security expertise, but instilling it in college students and employees seeking additional training can take time. The gold standard Certified Information Systems Security Professional, for instance, requires four years of experience to obtain, and many firms cannot afford to wait that long to fill the gaps in their ranks.
A 2015 ESG survey of 591 IT and infosec professionals found that 28 percent reported a shortage of security skills and 23 percent admitted to not having enough general IT skills. ESG’s Jon Oltsik, commenting on these results, pointed out that IT has been a problematic area for survey respondents for four years in a row, even as the surrounding threat environment has evolved to include advanced persistent threats, high-bandwidth distributed denial-of-service attacks and innovative malware like CryptoLocker.
To close this gap, both colleges and government agencies have looked to funnel fresh resources into building a bigger cyber security workforce. Florida is a good encapsulation of this emerging approach to broad cyber security education and training, with the state legislature having recently allocated $5 million for the Florida Cybersecurity Center on the campus of the University of South Florida. Meanwhile, some of the state’s universities have also begun offering undergraduate or graduate degree programs in cyber security.
The stakes for cyber security education and training: Data protection as well as national security
Cyber security has become a priority at both the state and federal levels in the U.S., underscoring its centrality to national security. Hypothesizing about a “digital Pearl Harbor” may be one of the biggest cliches in cyber security (and one that conjures up strange imagery), but it’s still worth paying adequate attention to endpoint security so as to prevent a nation’s critical infrastructure from being compromised. The new wave of cyber security initiatives has been driven as much by government priorities as by competition for talent and labor.
The late 2014 hack of Sony Pictures was apparently related to the studio’s production of “The Interview,” a film with contents pertaining to the current North Korean regime, and hints at the type of targeted attacks that can now simultaneously harm corporations and national interests (in this case, the vast U.S. entertainment industry). Incidents further back, such as the Stuxnet infection of Iran’s nuclear facilities, may also foreshadow a time when governments will need even greater wherewithal to deal with advanced malware.
Like the colleges and state government in Florida, the U.S. federal government is also becoming more involved in training cyber security workers who can handle the challenges of today and tomorrow. In a recent visit to Norfolk State University, Vice President Joseph Biden announced that the Department of Energy (itself the victim of a major breach a few years back) would be providing $25 million for cyber security education. The proposed Cybersecurity Workforce Pipeline Consortium will enlist several colleges, national labs and one K-12 school district in the education and training of professionals with top-notch cyber security skills.
Getting the best possible personnel is only part of the solution, however. Public and private sector organizations also need security software, from endpoint tools to network monitoring, for identifying and containing threats in real time. Modern malware and targeted attacks require a multi-faceted defense strategy that must extend beyond blacklist-based antivirus and manual security processes. A combination of highly skilled experts and network security solutions can ensure that enterprises stay ahead of the curve.