Qualifying the Skills Gap

Author: Jon Brandt, Director, Professional Practices and Innovation, ISACA
Date Published: 13 April 2020

In February 2020, ISACA® released its State of Cybersecurity 2020, Part 1: Global Update on Workforce Efforts and Resources report.1 This paper reports on data collected in Q4 2019, and it is similar to the series of reports on the state of cybersecurity issued by ISACA on an annual basis. Not surprisingly, respondents largely reaffirmed prior reporting that enterprises remain understaffed, struggle to find talent and expect budgets to grow.

An ever-growing sea of purported solutions exists to counter the staffing shortage and train staff—university programs, industry training products and credentialing programs. In the United States, newer initiatives include a federal reskilling program, registered apprenticeship programs, and many existing upskilling or reskilling programs offered by each state’s workforce agency. With so many solutions in the market—some for many years—one would expect the shortage to at least show signs of levelling off. Unfortunately, the opposite is true. In its annual Cybersecurity Workforce Study, (ISC)2 estimates a global shortage of 4.07 million cybersecurity staff, which represents a 26% increase from 2018.2

From my vantage point, stakeholders maintain a mindset that simply creating programs will spark new interest and miraculously solve the shortage. This is the equivalent of throwing something at the wall and seeing if it sticks. It has not worked thus far, and all available evidence suggests this is a losing proposition. I assert too many remain focused on the wrong problem. Let me explain.


In ISACA’s State of Cybersecurity 2020 survey, respondents were asked how many cybersecurity applicants are well-qualified; responses to this question were bleak. Respondents indicated prior hands-on cybersecurity experience was the overwhelming factor in determining whether a candidate is qualified. When asked about the biggest skills gaps in today’s cybersecurity professionals, however, the top 2 responses were:

  1. Soft skills
  2. IT knowledge and skills gaps (which includes knowledge of IT operations, networking, infrastructure and different technologies)

ISACA’s findings are not isolated. I recently posed a question to a social media group comprised of past and present members of my former military occupation. Directed at those who have since moved into nongovernment roles, I asked 2 questions. First, name 5 essential things you expect entry-level people to know. Second, name 5 tasks you expect entry-level people to be able to do. The post generated interesting dialog but did not produce actionable results, as responses were nebulous. However, the social media results did largely support the ISACA survey findings.

As I pondered this situation, a couple of things occurred to me. First, the industry has done little to demystify the work. In other words, we largely fail to describe cybersecurity work, which is critical to generating enough interest for current and future needs. In doing so, we continue to alienate many bright minds who enjoy analyzing problems, solving puzzles or questioning the status quo. In its absence is the overarching idea that the typical cybersecurity practitioner is a male wearing a black hoodie in a darkened room who has not seen the light of day for weeks, with empty cans of energy drinks strewn on a desk. Further, there are inconsistencies in job titles, unrealistic requirements and scope of work. In short, how can we expect workforce education and development programs to succeed when the target is moving?

Earlier this year, US House Research and Technology Chair Haley Stevens (D-MI) led a cybersecurity workforce hearing and stressed the need for multiple pathways3—an approach supported by many, including US National Initiative for Cybersecurity Education (NICE) Director Rodney Peterson and yours truly. Such engagements are necessary to remove barriers to entry because the value proposition of a cybersecurity university degree varies by country. Further, only 27% of ISACA survey respondents indicate university graduates are well-prepared, and yet, 55% of respondents report their enterprise requires a university degree.4 Organizations are wise to remove university requirements because they are unnecessarily constraining talent pools.

Earlier, I indicated that the profession or organizations are focusing on the wrong problem. Nowhere is that more evident than here in the United States. There is no shortage of programs for those willing to enter the profession. Displaced workers and career changers are targets of a growing number of apprenticeship programs, grants, scholarships and reskilling programs. These programs mostly address today’s problems and, as such, are shortsighted. To positively influence the shortage of practitioners we must look at the pipeline.

IT-related jobs have long required a lifelong-learning approach—something that other occupations are encountering as industries and positions morph to keep pace with the Fourth Industrial Revolution.5 It is plausible that the traditional university model is simply too rigid for the speed at which industry and the world is evolving. Higher learning institutions are wise to consider competency-based education.6 Formal education serves a purpose but is not the only solution. I would argue the overreliance on university education in the United States has done more harm than good in the field of cybersecurity.

Within the US K-12 education system (generally, students aged 5-17), there exists heavy focus on standardized testing and science, technology, engineering and math (STEM) education. Although many believe STEM education to be a panacea, my personal research on this subject is unsettling. First, STEM education is not a well-defined experience,7 possibly attributed to the lack of technical class requirements within teacher certification programs. Worse, in a US National Center for Analysis of Longitudinal Data in Education Research (CALDER) working paper, researchers report that “expanded access to STEM courses in high school does not increase postsecondary STEM enrollment or degree attainment.”8 Further, a 2019 Organisation for Economic Co-operation and Development (OECD) report identified bleak interest in science or engineering jobs for high performers in math and/or science—less than 11% for males and 29% for females.9 Fortunately, there are glimmers of hope.

In early March 2020, I attended an outstanding online seminar on the 2019 K-12 State of Cybersecurity.10 The most intriguing part of that afternoon was hearing about the US State of North Dakota’s K-20W initiative,11 which is uniquely working on the entire continuum from kindergarten through Ph.D. and workforce. At its core, the program capitalizes on deliberate synergies involving state technology executives, academia, technology teams and industry stakeholders. Impacts include awareness training for educators, classroom equipment, and creation of computer and cybersecurity science standards. This program will, hopefully, cascade to other US states and beyond, and motivate changes to teacher certification programs.

Conclusion

Until recently, much of the reporting on the cybersecurity skills shortage has been quantitative. Although early reporting may have helped increase budgets and headcount, the result is a seller’s market whereby salaries are outpacing budgets and enterprises are hesitant to invest in their staff for fear that they may be poached. In response, adding learning and recruitment programs does not motivate people to enter the field—especially if the barrier to entry is a university degree. Lastly, the cybersecurity field is rather broad, so it is incumbent upon hiring managers to work with their human resource departments to define critical knowledge, skills and abilities for their positions before specifying requirements such as university degrees.

Jonathan Brandt, CISM, CCISO, CFR, CISSP, CSA+, PMP
Is a senior information security practice manager in ISACA’s Knowledge and Research department. In this role, he contributes thought leadership by generating ideas and deliverables relevant to ISACA’s constituents. He serves ISACA® departments as a subject matter expert on information security projects and leads author management teams whenever external resources are necessary. Brandt is a highly accomplished US Navy veteran with more than 25 years of experience spanning multidisciplinary security, cyberoperations and technical workforce development. Prior to joining ISACA, Brandt was a project manager for classified critical infrastructure projects across the globe.

Endnotes

1 ISACA, State of Cybersecurity 2020, Part 1: Global Update on Workforce Efforts and Resources, USA, 2020