By David L. Schwed
Studies show that there are some 3 million cybersecurity jobs open around the world – half a million of them in the United States alone – and that number is only rising. Partly to help meet this demand, universities around the world have been opening cybersecurity degree programs, as companies scramble to hire the experts they hope will protect them from another round of ransomware attacks.
But even as these freshly minted security grads come online, businesses are still struggling with a cybersecurity skills gap. A 2018 study of top security staff at firms of all sizes shows that 70% feel that “the cybersecurity skills shortage is worsening and becoming a rapidly widening business problem.” The reasons for the gap? Nearly a third said that they didn't have enough qualified staff to deal with analysis, application security and cloud security issues.
Why should that be the case? While more schools than ever offer cybersecurity programs, companies are still not finding the talent and skills they need, forcing us to take a critical look at why this is happening. Two main causes could be either that schools aren't doing a very good job of teaching the students, or that the needs of business are changing so rapidly that the skills graduates leave with are already outmoded when they go looking for a job.
I'd like to propose another reason for this skills gap. Perhaps companies aren't finding the candidates they need because those candidates haven't learned to apply their skills to the real world. They may have a lot of book knowledge, and even hands-on experience – but they haven't learned how those skills fit into the context of business. Companies are looking for someone to lead – and build – robust cyber defense systems, and schools aren't training students to do that.
Organizations need personnel who are familiar with the latest attacks, the mitigation products and strategies available, and the solutions to prevent future attacks – but they also need someone who understands governance, who can take control in the event of an attack and explain to top executives what they need, why they need it, and why it's the best solution, in a manner that will make things clear even to non-tech-oriented executives.
The data backs this up. While cyber-threats to business are constantly increasing, the number of available solutions from cyber vendors is growing as well, leaving many cyber professionals and the organizations for which they work confused about how to defend themselves. In fact, an IBM Security poll of 700 C-level executives revealed a great deal of confusion about who the enemy is, how to fight them, and what tools are most effective. Other polls show that many business owners are in denial about being attacked: A study by Keeper Security shows that 66% of decision makers don't believe their business will be attacked, but that same study shows that 67% were attacked in the past year – and nearly half don't even know where to begin to protect their businesses.
Companies need cybersecurity pros who can help them make sense of all this – who can apply what they have learned, and what they have been trained to do, to the boardroom, to take the lead on what the threats are and what needs to be done to protect organizations. In order to bridge the skills gap, universities must begin training cybersecurity students in dealing with the real-world issues they will face on the job – explaining the threats, determining the best solution out of a wide range available and training them in how to act when faced with an attack, providing the leadership organizations are yearning for.
To accomplish that, schools need to work more closely with organizations to determine what they need assistance with – what they expect from graduates, what their role in the organization will be and how to apply their skills to the day-to-day situations they will face. This is more than arranging for internships; it's the development of a curriculum that will integrate governance issues in the education of cybersecurity students, ensuring that their skills are relevant to – and usable by – organizations that need help. By doing that, universities can close the skills gap and produce the kind of students that will easily fit into organizations – enabling them to effectively and confidently protect their companies against bad actors.
David L. Schwed is the founding director and a professor of the Cybersecurity master's program at the Katz School of Science and Health at Yeshiva University.