For too long now, cybersecurity has been described as ‘an emerging industry’, the ‘industry of the future’, or by some other descriptor that puts its advent out on the horizon. Take a few seconds to research recent cyberattacks like those against Equifax, Sony, Target, or the crippling WannaCry campaign, and it’s clear that future is here – and it’s been here for a while.
It is no longer good enough to speak of the challenges as something looming in some vague, not-too-distant future. One of these challenges, facing not just the security industry, but entire nations, is the dearth of skilled security analysts. This was an issue I spoke about almost five years ago when I was expanding my first venture, Earthwave. In fact, many in the industry have been warning of the skills shortage for years, and it seems that finally something might be being done about it.
In Australia, the Australian Cyber Security Growth Network (ACSGN) has been set up to explore – among other things – how to bridge this gap. Earlier this year the group released a report which found a “shortage of job-ready workers” was one of the three key challenges facing the cyber security industry.
‘Job-ready’ is the key term here. While students may be graduating with IT degrees, these generalist degrees barely prepare them to log into the programs and tools security specialists use. Think of it this way, a medical student – after completing their initial degree – must then specialise in a particular field and gain years of practical knowledge before they’re ready to pick up a scalpel. The same premise holds true for cyber defence.
A discussion paper, recently released by UNSW researcher Adam Henry, explored this disconnect between what is taught in universities and what is required in the industry. He calls for a new approach to cyber education, one that recognises there are distinct specialisations with unique skill sets that should be honed individually. A central element of this new approach would be a strong partnership between education providers and the private sector in order to give students hands-on experience in their chosen field.
While these are Australian examples, the problem is global. ISACA, a non-profit infosec advocacy group, predicts a global shortage of two million cyber professionals by 2019.
Much focus has been put on the tertiary sector and the need to teach immediately relevant cyber skills, but the education question starts much earlier. For example, a pilot program was launched in the UK earlier this year, offering school children cyber security lessons to identify the next crop of talent. This ‘pipeline’ approach is critical as it ensures the availability of future generations of talent. Alongside the program, the UK government also provides university scholarships and work placements for promising students, in addition to an apprenticeship scheme to support employers train and recruit talented teenagers.
This kind of holistic approach, from grade school through to graduation, is what is needed to address the skills gap. With automation already wreaking havoc on industries of old, a career in cybersecurity offers not only job stability, but the ability to pick and choose where you work. It’s better to have skill set that is in demand than in decline, but first we need to support the next generations of security analysts by providing them the practical knowledge they need to succeed. And we need to start while they’re young.