The Cybersecurity Skills Gap Won't Be Solved in a Classroom

July 11, 2019
 

Unfilled cybersecurity jobs are expected to reach 1.8 million by 2022, up 20% from 1.5 million in 2015, according to the Center for Cyber Safety and Education. The cybersecurity skills gap isn’t going anywhere.

Yet, lack of formal education isn’t slowing down new recruits to the cybersecurity talent pool. There is an army of ethical hackers all over the world that won’t be hired into traditional full-time roles. In the years to come, I predict there will be over 1,000,000 ethical hackers.

A global study from ESG and ISSA confirmed “that the cybersecurity skills shortage is exacerbating the number of data breaches,” with the top two contributing factors to security incidents being “a lack of adequate training of non-technical employees” (31%) first and “a lack of adequate cybersecurity staff (22%)” second.

Cybersecurity can be a thankless job. Security professionals are on the front lines protecting our digital society, yet they rarely get called out for effectively defending and always get called out when something goes wrong. We need security teams and they need resources. Thus, the skills gap is widening, education is lagging, and society is paying the price with data breach after data breach.

Computer science programs struggle to offer adequate cybersecurity courses for the next generation of technologists. Of the top 50 computer science programs in the U.S., only 42% offer three or more information security-specific courses for undergraduates. Yet, we must acknowledge that this is progress. I’m sure this is far more than what was available five or 10 years ago. Today, the University of Maryland College Park, among the top computer science programs in the U.S., offers a cybersecurity concentration for computer science majors. University of California Berkeley also offered a Cyberwar class in 2017 teaching 80 students how to hack for good. Northeastern University offers 11 courses that cover some aspect of security, including a class covering laws, ethics and policy related to digital technologies.

Fortunately for us, the lack of a formal cybersecurity education is not stunting the talent pool. Today we know that more than 80% of ethical hackers are self-taught. Despite 33.3% of hackers having studied computer science at the undergraduate level, and 23.3% having studied computer science in high school or before, fewer than 6% have actually learned hacking skills in a classroom.

Security must permeate everything we do in the digital realm. It's not the responsibility of the few but rather the responsibility of the entire connected society. Considering how rapidly the technology and cybersecurity landscapes are evolving, it is impossible for one person, one team and even one organization to keep up with every change.

The lack of information security-focused courses available is just one piece of a much larger puzzle. Security cannot be solved alone and therefore education should not be confined to computer science programs and graduates. The broader connected society must prioritize security because the cybersecurity skills gap will never be solved in a classroom.

There are new education tools cropping up outside of the traditional classroom, offering free coursework designed by ethical hackers for the growing cybersecurity talent pool: Cyber Aces, Hacker101, Google Gruyere, Cybrary, and more. Capture the Flag exercises (CTFs) are also a popular way to hone one’s cybersecurity skills beyond the classroom. To illustrate, approximately 26,300 hackers on the HackerOne platform have learned how to hack using Hacker101’s CTFs.

These tools all encourage collaboration within the cybersecurity community. Collaboration and transparency are the only way education will be able to keep up with the rapidly evolving threat landscape. When we can learn from each other, we can progress faster. The cybersecurity community has been working unilaterally for decades. We must shift the culture of the industry to change that. Companies ranging from industry giants like Google, General Motors, Starbucks, and Nintendo, to startups like Mapbox, Coinbase, and NextCloud are leading by example by collaborating with the hacker community to supplement the work their security teams are already doing.

As an industry, we need to rally together to embrace the emerging cybersecurity talent, creativity, and curiosity that isn’t necessarily hireable or doesn’t come with a college degree. The culture of resume-based cybersecurity industry hiring needs to change, for the sake of the protection of our data. Vulnerability reports are the new resume.

 

Source: Forbes