Over the past two months, we’ve clearly seen how cyber attacks inflict immense harm on companies and governments. The WannaCry ransomware attack crippled healthcare institutions across Great Britain and affected hospitals in the U.S. The Petya attack shut down critical infrastructure in Ukraine; left global shipping giant Maersk reeling; halted operations at a Cadbury chocolate plant in Australia; and struck the property arm of French bank BNP Paribas.
That’s quite a wide swath.
Cyber attacks will continue to become more complex, frequent and destructive. Yet, when discussing cybersecurity, we consistently avoid focusing on the elephant in the room. We do not have enough cybersecurity professionals to help keep us safe in the first place, and more swiftly mitigate the aftermath of these attacks. Our country’s national security is at risk.
There’s no better time to shed a light on the urgency for policies that promote cybersecurity training and certification than now — as cybersecurity leaders meet this week at Black Hat in Las Vegas.
At Black Hat we’ll hear about the latest cybersecurity technology products and techniques that will help to prevent the loss of billions in revenue and reputational damage. But we can be doing much more.
A significant drag on our cyber defenses is the lack of skilled workers able to fill the positions that are and will be open in the coming months and years. We’re not just talking about the elite “cyber ninjas” who are vital to taking on sophisticated threat monitoring and response. We must also pay heed to the cyber worker at the base of the pyramid who takes on the day-to-day analytics and systems protection.
The numbers are stark.
CompTIA research shows that up to 32 percent of companies say that they need to significantly improve their cybersecurity expertise, while only 21 percent of businesses feel that their cybersecurity protections are completely satisfactory.
Moreover, in a recent study focusing on the IT skills gap, companies say they’ve come up short in data security, traditional security safeguards such as firewalls and antivirus software, and cloud security skills.
According to Cyberseek, employer demand for cyber talent exceeds supply in many parts of the country. Beyond dedicated security roles, employers are struggling to fill an estimated 200,000 other IT positions with a cybersecurity component. By 2022, it is expected that there will be a global shortage of 1.8 million cybersecurity workers.
The good news is that the cyber workforce shortage can be fixed rather quickly. Here are four common sense actions that can help reverse the tide.
1. Passage of the CHANCE Act. The Championing Apprenticeships for New Careers and Employees in Technology (CHANCE) Act, introduced into the U.S. House this month, addresses the IT talent gap facing employers across all 50 states. The Secretary of Labor will award contracts that support apprenticeship programs that facilitate a meaningful public-private partnership, ensure that quality candidates are recruited, and provide compressed and targeted training to meet specific employer needs.
2. More programs like GenCyber. Jointly funded by the National Security Agency and the National Science Foundation, the program provides summer cybersecurity camp experiences for middle school and high school students, and helps teachers learn how to teach cybersecurity.
3. Government support for training the next generation of cyber workers is vital. Legislation introduced this year to expand the DoD Cyber Scholarship Program Act and Cyber Scholarships Opportunity Act deserve support. These programs aid with costs for tuition and training in return for commitments to government service.
4. Easy ways for workers to identify the training they need. The National Initiative for Cybersecurity Education (NICE), sponsored by the National Institute of Standards and Technology (NIST), is a cybersecurity education, training and workforce partnership between the U.S. government, academia, and the private sector that merits ongoing funding. The NICE Workforce Framework provides an easy way to classify cyber workers by describing cyber work roles across work categories.
Our cybersecurity focus should not be one of doom and gloom, woe is us. Quite the contrary, we need to look at cybersecurity as an opportunity.
If we do this right, cybersecurity provides a tremendous job pipeline for workers of varying education levels and in disparate locales. Cybersecurity is a growth industry. A smart cyber infrastructure and workforce will enable the free flow of commerce and trusted relationships with business partners and customers, leading to the realization of advanced technologies such as artificial intelligence, big data and autonomous cars.
But, the time for investment is now and it starts with ensuring our workforce is vibrant and skilled enough to meet this critical national challenge.