Cyber Security Talent Shortage: How We Got Here
While the cyber security industry is growing significantly faster than other markets, the challenge to fill more than 500,000 open computing cyber security positions is a serious issue spanning business as well as federal, state, and local government.
Many colleges and universities saw the worker shortage coming years ago, and in response, established certifications and degree programs to attract new talent and build a pipeline of well-trained graduates. The Department of Homeland Security received authorization from Congress in 2014 (via the Border Patrol Agent Pay Reform Act) to allow the Secretary of Homeland Security to “provide such employees with additional compensation, incentives, and allowances” to address the cyber security talent shortage.
In 2015, the National Science Foundation budgeted approximately $160 million for cyber security research and education programs aimed at supporting the development of computer scientists and engineers.
Why Cyber Candidates Don’t Turn into Cyber Professionals
With all the focus on and investment in cyber security education, we as an industry should be in good shape moving forward, right? Not so fast.
I’ve met many awesome people during my years as a human resources executive who I would love to hire, and so would many of my hiring managers. Here is a typical profile: the candidate obtained a master’s degree in cyber security strategy and/or policy from a university, is passionate, and has the theoretical knowledge to be considered a cyber security professional.
So, why can’t this candidate make it past the finish line and land the job? In most cases, it’s because this person lacks practical application of cyber security knowledge.
In looking at an assortment of resumes, and speaking with motivated candidates about their master’s coursework, they all have the academic knowledge to be able to speak the language, but they have very little fundamental IT experience. Their undergraduate degree might have been in a field other than a computer science discipline, or they might have focused more on the strategy and policy courses in their graduate electives rather than focusing on core fundamentals or cyber laboratories experiences.
Three Critical Areas of Improvement
The best advice I can give to future cyber security professionals is to develop themselves in three key areas: knowledge, experience, and certifications. For small companies, the strategy behind hiring cyber security professionals should be finding well-rounded candidates who have a good baseline to grow in each of those three areas. Small companies typically don’t have as many entry-level opportunities to foster the development of on-the-job, practical experience.
Entry-level cyber security professionals who have the theoretical knowledge along with some basic IT certifications such as CompTIA Network+, Security+, and IT fundamentals have an advantage over candidates who only possess theoretical knowledge. If you already have some practical experience, and you’re willing to attain additional formal education, go for the bigger certifications such as CISSP, CISM, and CEH to give your professional portfolio an added boost.
Finding and participating in hacking groups like DC404, DC210, local hack-a-thons, and builder groups are excellent skills-building resources for all levels of cyber security professionals. And don’t forget about conferences like BSides, ISSA, and DEFCON where you can compete in capture the flag events and learn about the latest trends from various industry experts. If you’re in a degree program, many universities offer lab environments for cyber security students to gain invaluable experience and even set up capture the flag events.
While academic knowledge and certifications are clearly important distinctions to stand out in the applicant pool, the real differentiators are hands-on experience in the field, and that isn’t something you can always gain from the classroom. According to an Intel Security survey about building cyber security skills, respondents ranked hands-on experience and professional certifications above a degree.
To gain more practical experience, there are plenty of opportunities outside of the typical on-the-job scenario. For example, companies look favorably on cyber security professionals who have set up their own sandbox at home. This not only shows the initiative to develop a deeper understanding of vulnerabilities, but also shows passion and curiosity for honing cyber security skills on your own time.
Ultimately, the successful cyber security candidates don’t look at lack of practical experience as a roadblock; they look at it as an opportunity to learn and persevere in a booming market in need of talented people.
If you’re interested in career opportunities in pen testing, security operations, and compliance and risk assessment, check out our current openings.