The shortage of skilled cybersecurity professionals is the result of complex problems that will take a while to correct. The good news, for those who qualify, is that it is likely to remain a growth field for some time.
Recent studies and surveys suggest that the cybersecurity workforce crisis is a multipronged problem. There is not only a shortage of workers but also a lack of skills among many of those already in the workforce. In addition, the field of cybersecurity is evolving rapidly, so we’ve got a problem that we'll be struggling with for some time.
It will take the cooperation of industry, government and academia to fill the ranks with the skills we need, and it will not happen overnight. But students who are interested in computer sciences and have a taste for the tit-for-tat game of protecting IT systems against well-financed and clever criminals should find a rich market for their skills for the foreseeable future.
The move toward automation can help. Tools to monitor networks and systems, identify vulnerabilities, evaluate security status, and fix problems can take some of the pressure off the workforce. But there will always be a need for skilled people to keep an eye on those systems and anticipate things that a machine cannot.
The status of cybersecurity is in flux. It is moving from a trade or craft to a more professional status, with academic degrees and technical certifications, though it is not quite at the level of doctors and lawyers who have strict licensing requirements. For now, cybersecurity remains largely the realm of self-taught loner.
The founding fathers of cybersecurity were self-taught through necessity. A generation ago, there was little if any opportunity for training. Many of those who have since come up through the ranks still came to cybersecurity in roundabout ways, learning their skills through tinkering rather than formal programs.
W. Hord Tipton, executive director of certification organization International Information Systems Security Certification Consortium and former Interior Department CIO, said he has been told by corporate executives that they do not recruit cybersecurity personnel at colleges, targeting instead self-taught practitioners. Why? Because schools “are not producing the type of graduate that companies and government are looking for.”
That is changing. Academic programs are springing up in response to the growing demand. That is good not only for cybersecurity but also for schools. The prospect of employment is a powerful recruiting tool. Government and industry also are engaged in programs such as scholastic competitions that grab the interest of students and identify talent in high school and even earlier.
The most challenging hurdle ahead probably is identifying the skills that practitioners need. Those vary so much from sector to sector and change so much over time that it is practically impossible to teach someone more than the most basic lessons in a formal program. That is because the technology is evolving quickly and because the bad guys are doing a great job of innovating. Any cybersecurity professional worth his or her salt will spend a lot of time learning new skills.
Let’s hope that despite those challenges — or maybe because of them — cybersecurity becomes an attractive enough field to draw bright young people who think that matching wits all day with an unseen enemy is fun.
NEXT STORY: Quantum crypto's demise is greatly exaggerated