Cybersecurity is increasingly everyone’s problem. Organizations, schools, health care providers and even – perhaps especially – state and federal governments face a barrage of increasingly frequent, expensive and dangerous cyberattacks. Globally, there is a cyberattack every 39 seconds. A 2021 IBM survey found that data breaches cost companies, on average, $4.24 million per incident – a record high, up 10% from the year prior. And large-scale security incidents such as the Colonial Pipeline ransomware attack have made it clear that cybersecurity is a significant national security issue.
The challenge is that the workforce necessary to prevent cyberattacks doesn’t exist. There are hundreds of thousands of open positions and too few skilled applicants to fill them, which leaves people, businesses, state and federal agencies and U.S. infrastructure vulnerable to attacks. The upside of the fact that we are all in this together is that the ubiquity of cybercrime is driving collaborative action to address the problem.
Professionals who want to help close the gap while also leveling up their careers are enrolling in advanced university programs such as The University of Tulsa’s 100% online part-time Master of Science in Cyber Security. For-profit and nonprofit organizations are also developing cybersecurity education initiatives. And the federal government has stepped up to help train the workforce necessary to respond to or even prevent future attacks.
Early government reskilling programs had mixed results. The professionals who joined the 2019 Federal Cybersecurity Reskilling Academy pilot program gained cybersecurity skills but didn’t receive the advanced hands-on experience they needed to move into higher-paying positions. Going forward, the White House will play a role in reducing the cybersecurity talent shortage, but it may not involve overseeing government programs that give people skills to launch cybersecurity careers. This guide digs deeper into the talent shortage in cybersecurity and the federal government’s latest measures to address it.
How dire is the cybersecurity skills gap?
Let’s be clear about the cybersecurity workforce shortage – it isn’t that no one is joining the industry. Rather, it’s that not enough people have the skills to combat emerging threats. For example, there are roughly 90,000 Certified Information Systems Security Professionals in the U.S., according to CyberSeek, but more than 106,000 job openings require the certification. Cybersecurity Ventures predicted in 2020 that there would be 3.5 million unfilled cybersecurity jobs by the end of 2021. That prediction came true.
Because there are so many specialty areas in cybersecurity, and because the field is evolving so quickly, basic cybersecurity know-how no longer cuts it. Employers now look for professionals with a range of cybersecurity skills related to network security, information security, penetration testing, incident response, security for cloud computing, risk management and more.
They also want cybersecurity professionals with well-developed soft skills. According to a survey from (ISC)², the skill employers want most is a “strong problem-solving ability.” Communication skills are also vital because cybersecurity professionals investigate relationships among data, systems and people. Cybersecurity professionals have to be able to translate technical jargon into plain English.
The specialty areas that make up cybersecurity represent more than 50 technical and semi-technical career pathways, and the list of cybersecurity jobs is growing year by year. Professionals with the right combination of technical skills and soft skills will have their pick of well-paying, secure positions in this dynamic, evolving industry given that it’s likely many of those positions will remain open for months, if not years.
Why is there a shortage of cybersecurity professionals?
Consider how much technology has evolved in the last 15 years. At the turn of the century, cell phones and laptops were still fairly novel. Less than 25 years later, many people can’t fathom life without them. The effect of widespread technological integration on cybersecurity cannot be overstated. Organizations have resisted updating their security platforms and processes, relying instead on legacy software and manual network management. Network engineers and systems managers were understandably reluctant to fix what didn’t seem broken. But an increasing number of malicious and stealthy cyberattacks targeting small businesses and large enterprise firms has made it clear that now is the time for companies to refocus on information security and network security.
Unfortunately, many cybersecurity specialists aren’t prepared to protect data and systems from modern attacks and incursions. The technology has outpaced their expertise. Tackling today’s security threats requires specialized skills, which is why the master’s in cybersecurity has become the entry-level degree for information security and data protection professionals. Top cybersecurity programs, such as TU’s online M.S. in Cyber Security, let students engage in real-world practice with the latest digital security technologies so they can meet the rapid pace of technological advancement head-on.
What cybersecurity skills are in demand?
Cybersecurity is a skill cluster composed of many competencies. People associate the field with technical skills related to information technology, network engineering, systems engineering and programming, but the cybersecurity skills gap isn’t just a tech problem. While cybersecurity professionals must have technical network security skills, information assurance skills, cloud networking skills, penetration testing skills, database skills and DevSecOps skills, Infosec’s list of the 10 most in-demand cybersecurity skills also includes less technical competencies.
For example, analytical skills help cybersecurity professionals assess risk, predict problems, consider solutions and use data to drive decision-making. Auditing involves not only investigation but also documentation and reporting, so cybersecurity professionals who conduct audits must have interpersonal and communication skills. Governance, risk management and compliance skills are important because cybersecurity professionals must understand business operations and be comfortable designing cybersecurity strategies that align with business objectives and industry regulations. A large part of incident response in cybersecurity involves investigation, which means cybersecurity professionals must be curious, thorough and creative enough to put themselves in an attacker’s shoes. And security analysts need threat intelligence skills so they can rank and respond to existing and emerging cyber threats.
Soft skills are also in demand because organizations want cybersecurity professionals who can lead their teams through change and explain the importance of cybersecurity – translating technical jargon into everyday, easy-to-understand language. As social engineering hacks become more common, cybersecurity analysts and IT professionals must identify threats that rely on psychology and find ways to protect their coworkers from them.
The diversity of skills now necessary in cybersecurity underscores the importance of education. A CISSP or CompTIA security certification can support technical mastery, but it won’t improve your ability to work collaboratively or understand how cybercriminals think. TU alumnus Tony Meehan (BS ’03, MS ’05) said that, while studying for his master’s, he “learned that asking questions and working with a diverse team of people with different backgrounds and experiences is how you accomplish something great – not as an individual, but as a team.” Master’s candidates enrolled in The University of Tulsa’s cybersecurity program study not only best practices related to securing information systems and networks but also how to make cybersecurity a team sport.
How the White House is working to close the cybersecurity skills gap
The federal government has dedicated billions to cybersecurity workforce enhancement through bills such as the Infrastructure Investment and Jobs Act and the Build Back Better Act. By requesting $9.8 billion for federal civilian cybersecurity in the 2022 budget, including $15 million to support the newly minted Office of the National Cyber Director, the Biden administration has made it clear that cybersecurity is a priority. Tack on the Department of Defense’s additional request for $10.4 billion, and the overall governmental ask for cybersecurity exceeds $20 billion for the first time in history.
Many recent government initiatives centralize education, training and workforce development. The Build Back Better Act delivers $100 million to the Federal Emergency Management Agency to help state, local, territorial and tribal governments recruit and train a cyber workforce. In the past, Biden emphasized the importance of education, “as it relates to being able to train and graduate more people proficient in cybersecurity.” It makes sense – if the feds are bulking up their defensive and offensive cybersecurity efforts, they will need the people to carry out their mission.
The National Security Administration and Department of Homeland Security already jointly sponsor the National Centers of Academic Excellence in Cybersecurity (NCAE-C) program to help colleges and universities train the workforce necessary to meet the high demand for cybersecurity professionals and to promote research in cyber defense. The University of Tulsa became a designated Center of Academic Excellence in Cyber Defense in 2000. Since then, it has held all three NCAE-C designations – making it one of just a handful of higher education institutions in the country to do so. That means the university continuously meets rigorous standards related to its cybersecurity curriculum, student development and cybersecurity research efforts. Based on the trajectory of national information security initiatives, TU graduates could have bright futures in national defense.
How private-sector companies are supporting White House initiatives
In August 2021, President Biden met with industry and education leaders to discuss the challenges of shoring up cybersecurity in the U.S. and how protecting the country’s information and infrastructure will be a nationwide effort. It was just one facet of a larger drive to establish public-private partnerships in support of the administration’s efforts to ramp up cyber defense “like never before.” The White House has set expectations for companies that own and operate critical infrastructure. After devastating ransomware attacks on the Colonial Pipeline and JBS Foods, the world’s largest meat supplier, Biden issued a National Security Memorandum establishing voluntary cybersecurity goals that would address a “patchwork of sector-specific statutes that have been adopted piecemeal” over several years.
Following the president’s meetings with representatives of private sector companies and nonprofits, several high-profile technology and information security organizations announced initiatives designed to help close the cybersecurity skills gap:
- Apple agreed to work with suppliers on cybersecurity training programs.
- Code.org pledged to teach cybersecurity concepts to a diverse array of more than 3 million students across 35,000 classrooms.
- Fortinet pledged to train one million people over the next five years through its Training Advancement Agenda initiative and Network Security Experts Training Institute programs.
- Girls Who Code established a micro-credentialing program.
- Google pledged to help 100,000 Americans earn industry-recognized digital skills certificates in technology and cybersecurity.
- IBM set a goal of arming 150,000 people with skills for cybersecurity over the next three years. The company also plans to support diversity in technology by partnering with Historically Black Colleges and Universities.
- Microsoft pledged to expand its cybersecurity training partnerships with educational institutions and nonprofit organizations.
How do I close the cybersecurity skills gap?
In the future, cybersecurity will be integrated into information systems and IT security, and expertise will continue to be more important than titles. You can close the cybersecurity talent gap by reskilling to meet the increasing demand for trained professionals with technical skill sets related to risk prevention, high-value application security, cloud security, ethical hacking and intrusion detection. Stacking cybersecurity certifications is an excellent start, as is knowing your way around a firewall or programming languages such as Python.
But becoming a cybersecurity expert requires more than knowing how to use security tools. TU’s online graduate cybersecurity program prepares students to “master the theory, concepts and techniques of information assurance and network defense in real-world environments” – and to succeed in either cybersecurity roles or cyber-enabled roles.
The FBI reports 4,000 ransomware attacks target businesses daily. Companies have realized the value in application security and operating systems management in an evolving threat landscape. Yet, 3.5 million cybersecurity jobs went unfilled in 2021, along with a host of cyber-enabled jobs. University of Tulsa graduates secure high-profile jobs at major companies, including Amazon, CymSTAR, Google, GPSG, Hilti, Instagram and Pacific Northwest National Laboratory. They earn, on average, more than $95,000 immediately after graduation in cyber-enabled career pathways, such as network engineering and management, information management, systems management and software development.
These roles in information technology make up more than half of all jobs requiring cybersecurity skills, according to Burning Glass Technologies. This suggests it is incumbent upon individuals, regardless of industry or title, to do what it takes to keep systems and sensitive data safe. While the White House and its private industry partners continue to look for creative pathways into cybersecurity, it will almost certainly be individuals like you who succeed in closing the gap.