The cybersecurity worker shortage is already massive, and it’s growing rapidly. While many employers are looking for workers with bachelor’s degrees or special tech training, a surprising number are looking for workers with non-traditional backgrounds. The problem is job-seekers don’t know they could be prime candidates for these highly-sought-after and highly-paid jobs.
Cracking the Code: A WorkingNation Town Hall on Closing the Cybersecurity Skills Gap, held at the Bloomberg Center at Cornell Tech on Roosevelt Island on Tuesday, brought together cybersecurity, industry and workforce development experts to discuss the challenges and opportunities for creating a dynamic workforce.
Our moderator, CNBC and MSNBC contributor Ron Insana set the stage, painting a vivid picture of just how urgent the need for trained cybersecurity experts is. “Most organizations are not asking if they will be a target of a data breach, but when,” said Insana. “There will be a global shortage of two million cybersecurity professionals by 2019. Other projections only show that number growing.”
There are 40,000 unfilled jobs this year. According to business and education leaders gathered for our latest WorkingNation Town Hall, the quickest and most effective solutions to filling the gap will come from innovative collaborations between employers and educators, and from thinking outside the box.
“It’s not just about educating cybersecurity professionals but educating professionals in cybersecurity,” according to Ari Juels, a professor at the Jacobs Technion-Cornell Institute at Cornell Tech. Dr. Juels explained to the audience that what cybersecurity workers are doing is “not as romantic as the movies would have you believe and they’re essentially doing work that is largely mechanistic.” What they’re doing is detecting and fixing cybersecurity issues through skills that they’ve gained through education, but not necessarily tech skills. These skills are so-called soft skills such as critical thinking and problem-solving.
When looking to fill vacancies, “we need to think more broadly,” Juels suggested. Understanding and overcoming cyber threats don’t just fall into the domain of individuals with advanced training in technology. Viewing things through a “cybersecurity lens” is part of understanding the implications of how all technology-enabled products are vulnerable to exploitation by hackers who refuse to play by the rules. This security mindset is something that Juels said can be understood by all decision-makers in all industries if they have the training or hire capable “translators” to communicate this concept.
The tight labor market and low unemployment rate have exacerbated the problem that employers have in sourcing professionals, said Will Markow, Manager of Client Strategy and Analytics for Burning Glass Technologies. “The employed cybersecurity workforce would have to almost double overnight just to have a supply and demand ratio that is in line with the market average,” Markow said.
And it’s not just tech companies and the government causing this demand. The fastest growth in demand is happening in finance, retail and healthcare. It is resulting in a 70 percent growth in job postings for cybersecurity since 2012 compared to 13 percent in all other IT postings, according to Burning Glass Technologies’ research.
Markow agreed that employers are focused more on hiring workers with bachelor’s degrees and extensive cybersecurity experience rather than bringing in entry-level workers with non-traditional educational backgrounds. “[Employers are] effectively chopping off the entry-level rung of the career ladder in cybersecurity,” Markow said. He argued that employers are using certifications as proxies for skills, thus shutting out applicants who haven’t picked up certification but could actually do the jobs.
Markow said it’s a matter of raising awareness of opportunities and how to get there. There are millions of potential workers with the necessary skills, he said, that need to be shown the pathway to the short-term certifications that employers want.
Meanwhile, some employers are opting to create their own IT workforce through in-house training programs or by partnering with their local educators to develop curricula aligned with their needs.
For example, panelist Andy Ellis, Chief Security Officer for Akamai Technologies, explained how a librarian has the core skills needed to be responsible for massive amounts of data, but need additional training to transform his or her analog skills into digital ones in the area of cybersecurity.
RELATED STORY: The urgent demand for cybersecurity workers
The Akamai Technical Academy, featured in WorkingNation’s Do Something Awesome mini-documentary and screened at the Town Hall, capitalizes on these skills and offers students with non-tech backgrounds the training to enter careers with the company. “We look for people who have a skill set that can translate. And instead of thinking of it as an entry-level job, it’s really an insertion level job,” Ellis said.
The Chief Information Security Officer for insurer RenaisanceRE, Kelly Isikoff, offered another example of finding a good cybersecurity worker in an unlikely field. With just a few months of training, a repossession agent (or more bluntly, a “repo man”) could become a penetration tester.
“A penetration tester is similar to a repo man. It’s someone who goes in and looks at a computer system. They have that security mindset. They look for different types of vulnerabilities and look for different ways to penetrate the network and exploit it,” Isikoff said. “A repo man has to do that as well, just in a more analog world.”
PSEG Services Corporation’s VP of Information Technology and CIO Joseph Santamaria said cybersecurity jobs in the energy sector require more regulatory oversight due to the high level of security needed to protect the energy infrastructure. Santamaria said that while they hire cybersecurity workers with bachelor’s degrees, they are also open to applicants with associate degrees with relevant experience.
“We tend to partner with local universities” to develop curricula that reflect the company’s specific needs. And they are getting results. “We are very well known in the areas we serve, and our mission as operators of critical infrastructure is something that people connect very well with,” Santamaria said.
The healthcare industry already contends with a labor shortage of doctors and nurses, but it also needs cybersecurity professionals to protect patient information and the life-saving computer systems involved in modern medicine. According to Northwell Health CIO John Bosco, it’s much harder to attract and retain workers who may not have healthcare jobs on their radar after exiting college.
“Healthcare isn’t always the first place people think they want to go to work. If they are thinking about a career in IT, they are thinking about going to Silicon Valley,” Bosco said.
There may be signs on the horizon that employers are discovering talent not destined for Google or Apple. ClearSky CISO Patrick Heim said that the global marketplace is wide open due to the prevalence of the internet. “I’ve seen an interesting trend develop in conferences and discussions. They like to brag about the crazy places they are sourcing new talent,” Heim said. “It doesn’t matter where you are in the world. You can work remotely.”
All this begs the question: how do we better educate people about the opportunities and pathways to a career in cybersecurity? “When you work very closely with an employer and you’re very intentional about it, you can work through some of those barriers,” according to panelist Bridgette Gray, Executive Vice President of Per Scholas. She cited her organization’s relationship with Barclays International, a global financial institution. “We developed a curriculum, trained the students, and put them in internships in their communities and then they can transition into full-time jobs.”
“We started a partnership with Per Scholas six years ago and we haven’t looked back. Six years ago, we did not have a cybersecurity program, so we co-developed that program,” said Wayne Kunow, Barclays International Head of Cyber & Information Security Governance.
For Kunow, it’s about working with organizations in the communities they serve. “You heard another panelist saying they hire from exotic locations, we do as well. It’s called the Bronx,” Kunow joked. “It’s in our own backyard. Barclays has an emphasis on making a commitment and a difference in our own backyard.”
Insana turned the panel’s focus to the government’s role in closing the skills gap in local communities. “Not only does government themselves need the expertise, but they also play a role in helping to educate young people who are coming up,” he said, before asking Nicholas Lalla of the New York City Economic Development Corporation about what the city is doing to address the worker shortage.
“Cities have a responsibility to train their workforce for the jobs of the future,” according to Lalla. “At the NYEDC, we recognize cybersecurity is a growing market in New York City. We’re investing $30 million in the ecosystem, broadly. We’re really focused on training and connecting talent to jobs, and spurring innovation.”
NYEDC has launched a suite of public-private partnerships called Cyber NYC aimed at establishing a place-based hub for the community to foster cross-sector collaboration, a series of applied learning programs and a cybersecurity boot camp to diversify the talent pipeline.
“When you are thinking of filling an enormous skills gap in the country, you have to think beyond just the traditional pipeline of students,” according to Amanda Gould, the Chief Administrative Officer for the American Women’s College at Bay Path University.
She argued that you have to start reaching out to young girls and women to get them interested in the field. “Only 11 percent of (current workers) in cybersecurity are women. This is a group we are not tapping into as we focus on the technical side.”
Ron Insana was struck by a statistic Gould cited, that just 15 percent of young girls were familiar with cybersecurity. Noting his daughters’ frequent use of social media, Insana asked, “They are clearly familiar with the technology, why is this an area they don’t know much about?”
Gould suggested that it had to do with the mainstream portrayal of what a security expert is and does. “They (girls) hear phrases like hackers and geeks, and other phrases like that out there. I don’t think they hear phrases like protectors and guardians,” answered Gould. “These are people who are good with disseminating information, with media skills, social skills, with perseverance, tenacity, puzzle-solving and curiosity skills.”
The American Women’s College trains women who want to advance themselves, funnel accumulated credits into a degree, or switch careers entirely. Annemarie Johnson is one of those women. “I started my career in the healthcare field and found myself doing more and more technology.” She described how she decided to refocus her career after doing research and discovering the need for cybersecurity workers. It changed her life. She graduated with a bachelor’s of science and now works for Unisys.
For mobile viewers, watch the “Cracking the Code” livestream below.
The WorkingNation Town Hall was held in the memory of Danny Lewin, the co-founder of Akamai Technologies and a former student at the Technion-Israel Institute of Technology. Lewin was a close colleague of WorkingNation founder Art Bilger and was the first American to die in the September 11 terrorist attacks. Read more about Lewin’s genius and impact on the tech world and watch Bilger’s tribute to his colleague.