The cybersecurity industry is facing a huge shortfall in qualified cybersecurity professionals in the coming years, warned a panel of experts at the Advanced Cyber Security Center’s (ACSC) annual conference held Nov. 3 at the Federal Reserve Bank in Boston.
Moderator Janet Levesque, chief information security officer at security firm RSA (recently acquired by Dell), gave some context for the discussion by providing some cybersecurity statistics. She said that the U.S. cybersecurity market is projected to grow from $75 billion in 2015 to $170 billion by 2020.
According to data from the US Bureau of Labor Statistics cited by Levesque, more than 200,000 cybersecurity jobs go unfilled in the United States every year, and cybersecurity job postings are up 75 percent over the last five years.
Mark Aiello, president of cybersecurity staffing firm Cyber 360, said his clients can go for more than a year trying to fill vacant cybersecurity positions because they have a “laundry list of skills” they want the candidate to have.
“There is tremendous reluctance to go off that song book,” Aiello said. “They eventually understand that this Goldilocks candidate doesn’t exist,” he added.
‘Immature’ cybersecurity job market
Aiello observed that the cybersecurity job market is “immature,” so “standard job titles don’t exist. A cybersecurity analyst over here is a cybersecurity engineer over there.”
To provide a common language on how to categorize and describe cybersecurity jobs, the National Institute of Standards and Technology’s National Initiative for Cybersecurity Education (NICE) is working on the Cybersecurity Workforce Framework, a draft of which was released on Nov. 2.
The framework organizes the cybersecurity workforce into seven high-level categories of work, which are made up of more than 30 specialty areas such as “incident response” and “legal advice and advocacy” and more than 50 work roles such as “vulnerability analyst,” according to NIST.
The framework is a cybersecurity workforce dictionary that will allow employers, educators, trainers, and workers to use consistent terms to describe cybersecurity work. It can be a reference resource to help companies define and share information about the cybersecurity workforce in a detailed, consistent, and descriptive way, NIST related.
Another panelist, Devon Bryan, executive vice president and chief information security officer at the US Federal Reserve System, said that there is a “war for talent” that makes the job of cybersecurity managers challenging to say the least.
Bryan recommended that the cybersecurity hiring manager work with the human resources (HR) department to craft an appropriate job vacancy announcement and to provide the parameters for pulling the right candidates from the pile of resumes.
“If how you are explaining your knowledge, skills, abilities, and competency requirements isn’t quickly resonating, then we can’t completely fault the HR person for that. We have to help them make the translation,” Bryan added.
Carla Brodley, professor and dean of the College of Computer and Information Science at Northeastern University, said that her college has a six-month internship, or “coop,” program that puts students in work settings for an extended period of time. She said that the school works with more than 500 companies with the program.
“We teach kids how to interview and create a resume, we bring new companies in to get in front of the students…Our students generally have no problem landing jobs. We have 100 percent placement,” she said.
It’s all about sharing...or not
Experts at an earlier panel discussion at the ACSC conference said that sharing information about cybersecurity threats and lessons learned from data breaches can help companies and organizations become more secure.
But they also highlighted the many barriers to sharing such information, including legal risks, risks of disclosing proprietary information, regulatory restrictions, and simple trust issues among competitors in the same industry.
In addition, an ongoing investigation into a data breach or another cyber incident could prevent companies or agencies from sharing information, said Richard Puckett, vice president of cybersecurity at GE Digital’s product and commercial security group.
“With an ongoing investigation, particularly regarding a nation-state, where you are tracking a particular actor based on what they are doing, disclosing information could actually harm the effort to defeat” the nation-state actor, Puckett said.
Michael Darling, director of cybersecurity and privacy at PwC, said that legal concerns often get in the way of cyber information sharing. “Once you start talking to the lawyers who don’t have a clear idea about how you do those things and what the rules of the road are, that is one of the biggest barriers.”
Still, sharing cybersecurity information and collaborating on cyber defense are good things to do, the panelist agreed.
“In a world where time and space don’t matter in the cyber realm, everybody lives in a bad neighborhood. Corporate partnerships become much more important,” Darling said.
Puckett added that GE has been expanding rapidly in the industrial internet, and securing connected industrial devices requires industry collaboration. He noted that attackers are increasingly targeting hospitals and manufacturing firms with ransomware. “There’s profit to be made there,” he said. “An hour of downtime in a factory is money,” he added.
The GE executive cited the example of the Murai distributed denial of service (DDoS) attack that recently took down DNS provider Dyn, disrupted Spotify, Twitter, PayPal, and a number of other websites, and brought sections of the internet to a standstill.
Murai attackers were able to set up a botnet of thousands, or perhaps millions, of poorly secured Internet of Things (IoT) devices. To do this, the attackers continuously scanned for vulnerable IoT devices that are connected to the internet. Once these devices were located, the attackers infected these devices with malware that reported back to a central control server and enlisted the compromised device as a bot in their botnet.
Michael Papay, vice president and chief information security officer at Northrop Grumman, said that his company is engaged in collaborative cyber defense with competitors because they are all working together on aerospace and defense systems. “The information we are protecting is the information of the US government, allies, partners, and whoever we are doing the job for…We have to be very open with each other regarding cybersecurity.”
Papay added, ”We need to work closely together to make sure that everybody in our supply chain, all the way down to lowest level of supplier that has confidential and classified defense and technical information, knows what they are doing” when it comes to cybersecurity.
Cybersecurity information sharing and a well-trained workforce will be two key ingredients in the ability of companies and organization to stay ahead of the bad guys, who have been sharing information for years and are often as highly trained as the good guys.
Image Source: Shutterstock, Fred Donovan