The war in Ukraine has heightened fears of Russian cybersecurity attacks on American institutions, from businesses to federal agencies to universities. But for years, there has been a national shortage of cybersecurity professionals. To fill this gap, several universities have worked to expand cybersecurity degree and certification programs. Still, some experts say more is needed with such high demand.
“The magnitude of the workforce gap is so large it’s almost hard to imagine,” said Dr. Richard DeMillo, acting president of the School of Cybersecurity and Privacy (SCP) at Georgia Institute of Technology and Professor of Computer Science. “There are more cybersecurity vacancies globally than there are cybersecurity professionals. We need to find ways to quickly recruit more trained people into the labor market.”
According to a report from (ISC)2, a nonprofit cybersecurity membership association, the United States added more than 250,000 people to the cyber workforce between 2020 and 2021. Yet in 2021, the need for cybersecurity professionals increased by 30%. Also, (ISC)2 found that there are approximately 400,000 open cybersecurity positions in the United States and approximately 2.7 million unfilled cyber jobs globally.
DeMillo noted that this shortage has been building for about a decade. As information technology has advanced over the past generation, malicious actors, whether nation states, organized crime syndicates or retail criminals, have also found more tools to carry out cyberattacks. Much of the global economy and society has simultaneously turned to computers and social networks.
“So that’s all exposed now,” DeMillo said. “Ultimately, we’ve built infrastructure around the world that’s not quite up to scratch to prevent our underlying systems from being exploited. In real terms, the necessary cybersecurity skills just aren’t there, and that’s where higher education comes in.”
In early 2020, a series of high-profile cyberattacks, namely the SolarWinds hack, led to greater visibility of this issue. In response to this growing need, Georgia Tech opened SCP in fall 2020 with undergraduate and graduate programs focused on areas of cybersecurity. SCP built on approximately 30 years of preparatory work from Georgia Tech’s Cybersecurity and Privacy Institute.
But DeMillo noted that some higher education institutions looking to start or expand their programs may need to team up with others.
“If you’re a large research university in a metropolitan area, you probably have easy access to experts who can teach classes,” DeMillo said. “But if you’re a small liberal arts college in a rural area, chances are you’re far from those resources. This means that colleges and universities must cooperate with each other to share resources in a way that is not entirely natural in higher education. This way we can ensure that the courses are developed and the training is successful.”
DeMillo added that universities can find local players with cybersecurity needs to work with them. For example, SCP began conducting cybersecurity training with the many agriculture and food security professionals in Georgia who may be vulnerable to cyberattacks.
Clar Rosso, CEO of (ISC)2, further noted that the non-profit organization offers cybersecurity certification and training programs, including a newly created entry-level certification. She pointed out that new partnerships have formed to strengthen the cyber workforce and to make training more accessible to underrepresented groups in a field historically dominated by white men.
“We see more of a marriage between degree programs and certification programs,” Rosso said. “We have universities integrating certifications into some of their undergraduate programs, for example. And we’re seeing signs that this new entry-level certification program is helping to attract a more diverse workforce, like among women.”
For Dr. Lorrie Cranor, a professor of computer science and engineering and public policy at Carnegie Mellon University (CMU), the cybersecurity workforce shortage is not due to a lack of programs, but rather to a lack of American students and support.
“I don’t think the gap is due to a lack of programs at higher education institutions,” she said. “I think the gap comes from a lack of Americans who want to be trained in cybersecurity and a lack of scholarships to support those programs. I think there are a lot of programs out there, although there could certainly be more.”
While current events may draw more attention to this labor shortage, Cranor, like DeMillo, stressed that the shortage is far from new. She leads CyLab, a security and privacy institute that coordinates with cybersecurity-related academic programs across CMU. Most of these programs have been around for years, she noted, and reflect the breadth of the field.
“I think a lesson from our work is that cybersecurity isn’t one-size-fits-all,” Cranor said. “For students who have a more technical background, we have programs that suit them well. And for students with more experience in public policy, we have programs that focus on those skills.”
To spark more interest in cybersecurity, CyLab also runs a free computer security education program for high school and college students. Called picoCTF, the program further seeks to attract students who are underrepresented in the field, such as students of color, women and girls. But Cranor noted that picoCTF funding has not been “at the levels we would like to see”.
“Government and business can help solve this scholarship problem with more funding for education,” she said.
Rosso of (ISC)2 emphasized that cybersecurity challenges will not be solved without humans, not computers, at the forefront.
“The cybersecurity magic pill that some organizations are selling is technology, and we and the entire cybersecurity profession are saying put people before technology,” she said. “Technology is part of the solution, but we also need people to know what we are looking for to solve the problem.”
Rebecca Kelliher can be reached at [email protected]