There is a known crisis in the cybersecurity workforce: a massive shortfall in qualified and trained security professionals. There is also an unknown solution to this crisis. Why? The broad and growing scope of the challenge requires a corresponding broadening of skill sets that are both known and unknown.

A multitude of studies identify the cybersecurity labor shortage and illustrate the drastic need for more experts, especially in the public sector because of its universality to the population. For example, in a 451 Research study of more than 1,000 IT professionals, security managers reported significant obstacles in implementing desired security projects due to lack of staff expertise (34.5 percent) and inadequate staffing (26.4 percent). As recently as July 12, 2016, the Office of Management and Budget issued a memorandum, titled "Federal Cybersecurity Workforce Strategy," discussing how the federal government was attempting to address recruitment challenges for its cybersecurity workforce.

There was a point in time when the public sector — not just in the cybersecurity arena but also in arenas such as law, medicine or engineering — could attract qualified candidates for a variety of positions with the promise of stability and benefit packages. This is not the case today, nor is this just a public sector challenge. Private companies are also feeling the talent shortfall, but these companies can offer compensation packages that include perks such as stock options and larger paychecks that the public sector cannot match.

However, the government can offer attractions other than financial ones, focusing on purpose, control, influence and challenges. Its market is always broader, with more interdisciplinary opportunities and applications, and its societal influence is longer lasting. Some people derive greater satisfaction and fulfillment from a public career than from one in private industry. There is always, however, the need for the government package to meet certain fundamental, material aspirations and requirements of employees. The challenge is to balance fiscal requirements with the above-referenced factors.

Steve Kirk is vice president of federal at Fortinet.

Unfortunately, the problem is not limited to competition for resources. The real cybersecurity challenge is the unknown. Perhaps former Secretary of Defense Donald Rumsfeld gave the best explanation of this during a news briefing 14 years ago:

"There are known knowns. These are the things that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. These are things we don’t know we don’t know."

The known knowns and known unknowns represent the current status of the cybersecurity industry. Unfortunately, attack methods and breaching techniques are constantly evolving. This means that finding the elusive talent to overcome present challenges is only part of the solution. Sure, we know the tried-and-true breach methods. But what about the attacks we don’t yet know? If the method is unknown, then so is the required response. The talent shortfall, therefore, is about much more than just a limited technical pool.

Cybersecurity: History repeating itself 

Addressing the cybersecurity workforce shortfall requires a look back at history.

During the '60s, there was a push to interconnect computer systems. But even at that time, concerns were raised about security and data protection. However, these concerns were disregarded in order to focus on connectivity. This same focus continues today. Ease of connectivity first, security later. The reality, though, is that the two are intertwined. Connectivity and security must be coordinated together and be able to scale equally. Data without protection is unreliable and dangerous. Security without data is an empty bank vault, impressive but with neither function nor purpose. The balancing of this yin and yang is the ultimate goal.

Though connectivity was the initial focus, today cybersecurity has assumed greater importance. This new prioritization is critical as we continue to encounter cybersecurity’s unknowns. To avoid history repeating itself, this cultural shift needs to flourish because defective, altered, manipulated, compromised or breached data nullifies the benefits of connectivity. This will therefore require growth in the security talent pool and a broader definition of the talents required for that pool. Fortunately, government agencies are helping to build talent through organizations such as the National Initiative for Cybersecurity Education, but work remains.

Part 2 of this article will discuss the significant dangers a talent shortfall represents and the four essential skills that every cybersecurity employee should possess.

Steve Kirk is a cybersecurity professional with 17 years of experience, 11 of them with Fortinet. Prior to Fortinet, he worked for network security company Secure Computing, 3Com and Foundry. Kirk has 26 years of experience supporting the U.S. federal sector. He is a graduate of Radford University.
