In the past few years cybercrime has finally begun to seep into the public consciousness, and as the digital world has exploded so has the number of attacks against individuals and businesses. While new cybersecurity companies seem to be springing up daily to fill the gap, there's a more fundamental problem beneath it all.
Namely, where are all the qualified cybersecurity professionals?
It was a question posed to me while I was researching an upcoming story about a push to expand cybersecurity training in universities and community colleges. "There's not enough people to fill all the open jobs," I kept hearing. "Businesses can't even fill their openings."
So we chatted with a few folks around the country and asked them: why is it so hard to find qualified people? While we keep looking into how to actually fix this problem, here are some of their responses on why it's so bad out there.
It's Not Fun: "Working for most security companies sucks. I mean, it's not a fun job because selling security sucks. It's like selling vitamins, and no one wants to take their vitamins. And the old adage in the security space is the only way to solve security is through compliance. Most of the security companies, people think of them as being as much a part of the problem as anything. They're fundamentally – they'll charge you more if your attack gets larger. The technical term for that is 'icky.' People aren't excited to work in those fields because by and large – can you imagine going and working for Symantec or McAfee? We don't have that problem, but it might be because we have a mission that's bigger than we're just going to provide security."
-Matthew Prince, CEO of CloudFlare
Engineers Never Learned: "In the software engineering community, in my opinion, we were kind of the last community to realize that security was a problem. I think the networking and operating system people were the first people to realize it back in the 90s. That's why most of the security research out there now is intrusion detection, firewalls, things like that. Even the mathematicians got to it before us cause they've been working on cryptography forever. ... Programmers these days – programmers have never been taught how to write their code securely. A lot of times we show them 'Hello, world,' and then we show them all these great things we can do with software and we never once show them, well, you don't want to allow your users to do too much.”
-Andy Meneely, assistant professor of software engineering at Rochester Institute of Technology
No One to Take Charge: “It's very difficult, and it's very stressful, and people tend to fall into one of two categories in my observation. They fall into a category of, well, I only want to get education up to a certain level, and I want to work in security, but I don't really want to be the one in charge of security. So they want a cybersecurity job, but they don't want to be the one holding the bag when stuff really hits the fan. …
Then you have the other guys who meet all that criteria and really are gifted, accomplished security professionals. What tends to happen is they sort of go up into the constellation, right? They start to get these jobs as senior engineers, chief security officers, things like that, and once they get up so far in the chain they're not even the ones who are fighting attacks any longer. They're executives at that point. So all of the really good human capital is being eaten up. … There's this void that we're trying to fill in the industry of senior security professionals who are real motivated problem solvers."
-Jeffrey Lyon, President of Black Lotus
Coders, Not Security: "Most universities are producing either computer engineers or computer science majors who are going to go on to become code writers somewhere, but they don't produce people who can actually do cybersecurity, who can do network security, infosec, who can evaluate physical security aspects associated with infosec and cybersecurity and network security. You don't have people who are being produced who can deal with the smart grid and the security of the smart grid or electrical power distribution.
We have a major vulnerability, and it's been identified – you can read about it in any newspaper or magazine in the last six months – about how the United States is being attacked by China, being attacked by terrorist groups, being attacked by Anonymous, but also how businesses are being regularly attacked and penetrated all the time.”
-Dr. James Phelps, assistant professor of criminal justice at Angelo State University
Need to Cast a Wide Net: “We ought to look at taking people with other degrees and how to quickly give them the skills they need or to test them for those skills and then only work with those people who already have those skills. So could we look at one-year programs, certificate programs, programs other than a new degree. So we've got all these unemployed law graduates and political science graduates and so forth. Some of them would be really good in cybersecurity, so let's retool them.
And that's not going to take four years. I think we can do that faster. I think another challenge, one that we're working a lot on, is how to make our curriculum more practical, so they're not just learning the theory of cybersecurity. They're actually working hands on in industry or government, wherever. So then they come out ready for a job. They don't come out needing more training before they can actually go to work.”
-Fred H. Cate, Distinguished Professor and C. Ben Dutton Professor of Law at the Indiana University Maurer School of Law and director of the Indiana University Center for Applied Cybersecurity Research