In mid-August, before the waves of college students would flood campuses across the country, nearly two dozen West Texas college faculty congregated on the campus of Texas Tech University to discuss cybersecurity. The goal: to educate and collaborate with community college instructors to help them develop their own security curricula.
“The demand is excessive, so excessive that it can't be filled by the current education programs that are out there,” said Dr. James Phelps, assistant professor of border and homeland security for the Center for Security Studies at Angelo State University. “And that's why we did the outreach to help build the capacity to fulfill the upcoming need – the existing and future needs – for cyber professionals.”
The summer workshop was funded by the National Science Foundation, which awarded Texas Tech University and Angelo State University a combined $385,000 to be used through 2014.
“What we're trying to do is build the existing capacity across, well, at least right now across Texas,” Phelps said. “Our goal is then to expand it through the NSF to a national education model or outreach model for the rest of the community college and four-year institution programs. And that's because the country does not have an existing model that they can operate from to produce people who can actually do the work.”
It's a sentiment we've heard from numerous people while researching this story: there are just not enough qualified cyber professionals to fill the demand, and something has to be done to fix that.
Keeping up with the Demand
Just last month the U.S. Government Accountability Office issued a report evaluating hiring at the Department of Homeland Security (DHS). As of June 2013, the Office of Cybersecurity and Communications, which is responsible for “enhancing the security, resilience, and reliability of the nation’s cyber and communications infrastructure,” had a 22 percent vacancy rate for mission-critical positions.
This is all happening at a time when cybersecurity in the government sector is booming. Fort Meade, which is essentially ground zero for U.S. cyber operations, has grown by more than 23,000 employees since 2005. As the Washington Post reported this week, its workforce of 57,000 is more than double that of the Pentagon.
But the government isn't the only one scrambling to fill the void created by the market, as the 2013 (ISC)² Global Information Security Workforce Study, which profiled more than 12,000 information security professionals, points out:
- 56 percent of respondents believe there is a workforce shortage.
- New skills, deepening knowledge, and a wider range of technologies are needed to address risks with BYOD and cloud computing.
- Across industries, a greater percentage of respondents in education, healthcare, manufacturing, and retail & wholesale verticals believe they are understaffed.
In short, most security professionals believe they need more help – particularly those in industries outside the typical finance and defense sectors – and when that help does arrive, it needs to come with a diverse education.
One final point: earlier this year Burning Glass International Inc., a tech-savvy matchmaker for job openings, found that demand for cybersecurity experts is growing at 12 times that of the overall job market and 3.5 times faster than the IT market.
So that demand doesn't look to be slowing anytime soon.
Teaching the Unteachable?
The shortage poses two fundamental questions. How do you develop and train the needed cybersecurity professionals, and, more importantly, can you teach a skill that has, for many of the best and brightest, been self-taught?
Andy Meneely, assistant professor of software engineering at Rochester Institute of Technology, believes so.
“Students love breaking into stuff,” he said. “We've always focused on builders. We've always focused on how do you actually put something together, and we don't think about tearing it down. And what's funny is that in my security class when I start showing them vulnerabilities and I show them exploits and I give them an exercise where they have to construct an exploit, they – some of them – get really excited.”
“A lot of those skills are things that can be tested for but not necessarily taught,” said Fred Cate, Distinguished Professor and C. Ben Dutton Professor of Law at the Indiana University Maurer School of Law and director of the Indiana University Center for Applied Cybersecurity Research.
Cate argues that it's not really computer scientists that are needed, but good, quality managers. And that gap can be filled, at least in part, by recognizing those who have those necessary skills and changing their career paths.
“We really need to be training people for computer security not just out of computer science but out of the liberal arts more broadly and out of professions, you know, business people, law people, economists and organizational behavior people,” Cate said. “We've got all these unemployed law graduates and political science graduates and so forth. Some of them would be really good in cybersecurity, so let's retool them.”
It's not just a lack of people that's an issue. It's that those people that are on the job don't always have the knowledge they need.
“In the software engineering community, in my opinion, we were kind of the last community to realize that security was a problem,” Meneely said. “You could argue that every vulnerability is really just a hidden feature – an unintended feature.”
Filling the Void Through Education
The NSA and DHS jointly sponsor the National Center of Academic Excellence and Information Assurance programs, which currently have 181 institutions listed across the U.S. But those standards have faced criticism, and a new designation is currently being developed to replace the existing programs.
“Those standards are all focused on things that people in cybersecurity today say are the wrong things,” Cate said. “So in order to hold that accreditation we have to offer a curriculum that we believe that the best evidence tells us is training people for yesterday's issues. It's not enough for the government to throw money at the problem. It's got to throw some intelligence at the problem too.”
Hopefully, the new designation will do just that. In the meantime, groups and workshops like those in Texas continue to push forward to develop the existing education infrastructure to meet the new demands.
Phelps remembered a recent job posting he saw that encapsulated the whole issue.
“They didn't want a computer engineer or a software engineer. They wanted a hacker,” Phelps said. “And that's how almost every one of the jobs reads. If you graduate with a computer engineering or a software engineering degree, you're not going to go to work as a security professional. You're going to go to work grading new computer chips or designing new hardware systems that function with those computer chips. You're not going into the business of security.
“The goal is to get the programs to produce less educated and more trained professionals who can do this kind of work.”