US in mad dash to build cybersecurity workforce
A stunning statistic is reverberating in cybersecurity: An estimated 3.5 million cybersecurity jobs will be available but unfilled by 2021, according to predictions from Cybersecurity Ventures and other experts.
“It’s scary. Our power grid, our cars, our everyday devices – basically everything is online and able to be attacked,” said Georgia Weidman, author of “Penetration Testing: A Hands-On Introduction to Hacking.” Weidman is the founder of two cybersecurity companies, Bulb Security, where she is chief executive, and Shevirah, where she is chief technology officer. Shevirah specializes in security for mobile devices.
“It would certainly cause mass destruction if our power grid went down or our water pumps started going haywire or our dams decided to open all their sluices,” she said. “That’s actually something that could happen.”
According to a report released this year by the Identity Theft Resource Center, the number of data breaches tracked in the United States in 2017 hit a high of more than 1,500, up almost 45 percent over 2016. In one incident this year, the data of 29 million Facebook users was stolen.
In response to the sheer number of new digital gates that might be left open, employers and educators have had to become more creative in finding people to guard them.
They need penetration testers to simulate attacks to find and fix vulnerabilities that could be exploited by a real attacker.
They need malware analysts to find out what malicious programs do so they can protect from the attacks.
They need security researchers to discover new vulnerabilities in applications and other products – before the thieves do – so they can be fixed. They need security architects to make sure all the best practices are being followed.
According to the chief economist for LinkedIn, Guy Berger, there was a shortage as of September of 11,000 people with cybersecurity skills in the San Francisco Bay Area, 5,000 in New York and almost 4,000 in Seattle, the areas with the largest concentration of need.
Some major corporations have openly taken to hiring hackers to help protect them. An extreme example is Kevin Mitnick, who hacked into corporations, landed on the FBI Most Wanted Fugitives list and went to jail for five years, but is now a security consultant to Fortune 500 companies and governments. As he says on his website about hackers, “It takes one to know one.”
Many companies are also putting less emphasis on the need for a college degree to qualify for a cybersecurity job, Weidman said. With an undergraduate degree in mathematics from Mary Baldwin College in Staunton, Virginia, and a master’s in computer science from James Madison University in Harrisonburg, Virginia, Weidman said she had seen how much handson experience really mattered in the cyberfield. That insight came early when she participated in the National Collegiate Cyber Defense Competition as a student.
The competition, which began in 2005, is held at colleges across the country and designed to test student teams’ abilities to detect and respond to outside threats and to protect services such as mail servers and web servers. The sponsors include high-tech companies like defense contractor Raytheon and IBM, but also retailers like Walmart and transportation companies like Uber.
Recalling the difference between theoretical learning in college and hands-on experience, Weidman said she could do a lot of math about computer networking, “but could I actually manage a network at a company? Absolutely not.”
The people who were in community colleges would “wipe the floor with those of us at universities, because community colleges really were focused on how to do these things,” she said. “I think that people at the university level are starting to realize that we need more handson skills in cybersecurity, as well as just the theory.”
Shamla Naidoo, global chief information security officer for IBM, has had success reaching out to mothers returning to work, as well as to veterans, to find potential cybersecurity workers.
“We’ve been talking about this for the last few years,” Naidoo said. “The first year, I spent a lot of time worrying about it. After that I thought, there’s no point in worrying about it, I’m going to have to go act, and I’m going to have to act in a nontraditional way. Posting a job description and hoping people are going to show up and apply to the job wasn’t working because the people just didn’t exist. So rather than trying to hire the skills and knowing they’re not as easily available, let’s create the skills internally.”
‘‘ POSTING A JOB DESCRIPTION AND HOPING PEOPLE ARE GOING TO SHOW UP AND APPLY TO THE JOB WASN’T WORKING BECAUSE THE PEOPLE JUST DIDN’T EXIST. Shamla Naidoo, IBM
Shamla Naidoo, second from left, global chief information security officer for IBM, has had success reaching out to mothers returning to work, as well as to military veterans, to find potential cybersecurity workers.