The labor market for cyber security practitioners is famously a sellers' market. Skilled operators are in high demand, and, while estimates of the number of unfilled positions vary, there's widespread agreement (a few outliers in the US Department of Homeland Security aside) that this number is large, and likely to increase over the next few years. A report in Forbes last month summarized some of those estimates. The Stanford University Journalism Program worked through US Bureau of Labor Statistics numbers for 2015 and concluded that more than 209,000 cyber jobs in the US had gone unfilled. Cisco concluded that the number of open jobs worldwide stood at about one million, and Symantec projects that number to rise to six million by 2019 (and adds that it expects a shortfall of around a million and a half workers by then). Given these projections, how is the industry working to redress the shortfall in qualified cyber security talent?
We spoke with executives at Cyberbit and ISACA to hear the plans for, respectively, one company and an industry association. They agree on one thing: the ability to recognize qualified workers quickly, and to verify their skills through hands-on exercises, is central to any resolution of the talent shortage in the security sector.
Cyberbit's Maryland Cyber Range: collective training for workforce development
Cyberbit's Stephen Thomas, that company's Vice President of Sales, described plans to open a major cyber range in Baltimore, Maryland, by the end of April. The range is expected to serve workforce development by providing an opportunity for collective training that will enable organizations to increase the skill levels of their security teams. Thus people with incomplete skill sets can train with the actual tools an enterprise uses. Thomas sees Cyberbit's range as distinctive in that it offers dynamic, scenario-based training. "Many other ranges are project-based, and so slow," he said. Cyberbit's range "can pivot out different technologies easily."
Some of the individuals expected to benefit from training on the new range include military veterans transitioning to civilian careers (a population, Thomas noted, that's particularly important to Cyberbit's partners in Maryland's state government), and university students. Cyberbit is int the process of engaging various university partners in cooperative programs designed to ensure that their graduates are "job-ready on day one." Other use-cases he expects to be attractive are skills verification by certification bodies, and candidate assessment by enterprise recruiters and human resource offices.
Thomas emphasized the role business development partners played in enabling Cyberbit to establish itself in Baltimore. A wholly owned subsidiary of the Israeli defence firm Elbit, Cyberbit availed itself of the good offices of both the Maryland/Israel Development Center and the State of Maryland's Department of Commerce. Maryland Governor Larry Hogan, who continues the state's long-standing commitment to positioning itself as a leader in cyber security (close to major Federal customers, with access to "cutting edge technology" and a significant workforce) said, "The opening of the Maryland Range in April will provide Marylanders seeking jobs in the cyber industry with access to the latest training and career opportunities available."
Cyberbit demonstrated its Range Platform at RSA.
ISACA: an association's approach to certification and the redress of labor shortages
At RSA we spoke at length with Eddie Schwartz, DarkMatter's Executive Vice-President for Cyber Services who also is a long-serving member of ISACA's board. Not to be confused with ISACs or ISAOs, ISACA was founded long before those organizations came into being: it was incorporated in 1969 as the Information Systems Audit and Control Association (the group now goes by its acronym only). ISACA is an independent, not-for-profit, global organization dedicated to the development and dissemination of industry best practices for information systems. They offer, through their two-hundred-fifty chapters worldwide, certifications for security audit and risk professionals. ISACA has partnerships with governments, schools and universities, and businesses; they engage with standards bodies in many countries (NIST is among the standards bodies they work with).
ISACA sees itself playing a significant role in workforce development, cooperating with educational institutions at all levels and engaging industry to define corporate career tracks and training programs. The organization's CSX program assesses cyber professionals' expertise through practical, hands-on demonstrations of the knowledge they profess. The ability to rapidly and reliably identify qualified candidates for open security positions is especially important, Schwartz thinks, to small and medium-sized businesses. "Thirty-two percent of enterprises say it took more than six months to fill an open position. Imagint the exposure this entails for a small-to-medium-sized business."
Schwartz would like to see more engagement with governments. There's considerable variation in how governments work with standards and certifications. In the US, these tend to be driven by the private sector; many other governments take a far more dirigiste approach. He hopes that ISACA will continue to attract large enterprise partners as advocates.
Cyberbit's Stephen Thomas was originally identified at Vice President of Sales for North America. His title has been corrected in the text above.