The cybersecurity skill shortage is a well-recognised industry challenge, but the problem isn’t that there are too few people rather that many of them lack suitable skills and experience. Cybersecurity is a fast-growing profession, and talented graduates are in very high demand. Cyber degree programs are rapidly opening up at colleges across the country, and students are racing to enrol, eager to join one of the most challenging and financially rewarding fields. Yet, there seems to be a growing chasm between what graduates learned in school and what the market demands. In my personal experience as a cybersecurity training consultant, I hear time and again how frustrated SOC managers are with finding qualified SOC analysts. They report they get plenty of resumes, but rarely come across a candidate who has the right skills and experience to take a seat in the SOC and handle the challenges of a high-pressure sec ops environment. So, the real challenge of the cybersecurity skill shortage is making sure new recruits are prepared for the real world.
Cyber security skills are lacking
As cyber threats are multiplying in number and becoming much more complex and sophisticated, the need for young professionals with the cyber security skills to fill those positions is also growing rapidly. According to Forbes, Cybersecurity is a lucrative field with average salary currently at $116,000, nearly three times the national median income for full-time wage positions. But money is not the only thing that attracts people to the cybersecurity realm. A recent survey found that among the top reasons for choosing this profession are the reputation for integrity, as well as for being a leader in a challenging and prominent discipline.
Accordingly, the number of cybersecurity education programs and students is exploding. Based on public US Government data, approximately 3,000 educational institutions are currently training future cybersecurity practitioners and according to the rate of growth, by 2021 there will be over 100,000 graduates in the United States alone. Colleges are increasingly recognising the need to adapt computer science education for tomorrow’s occupational and technology needs. Innovative institutions of higher education are setting up cybersecurity degree programs, to set themselves apart and prepare their students for rewarding careers.
Yet, there is a deep incongruence between academia and the field. This month the SANS 2018 Security Operation Center Survey was published and reported some eye-opening findings. It revealed that 62 per cent of surveyed organisations reported they lack skilled cybersecurity staff. The skill shortage was also cited as the leading challenge hampering SOC capabilities. Mark Aiello, president of Cyber 360, a staffing firm specialising in finding skilled cybersecurity professional to fill vacancies says, “Talent is so scarce that it typically takes eight to 12 months to fill cybersecurity jobs”. The authors of the SANS survey also state that for most organisations, “hiring skilled security staff is challenging and expensive”. It seems to be, that the problem isn’t too few applicants, but rather that most candidates have inadequate skill sets and experience.
Practice makes perfect
SOC analysts must have a large amount of formal knowledge and the analytic abilities to derive actionable insights from the data collected by the company’s various security tools. Moreover, the analyst is expected to use human behavioural and business context to identify threats and make decisions about how to respond to keep the organisation safe. However, most junior security staff enter the cybersecurity job market with only theoretical knowledge of what “security” is, lacking practical analytical methodologies, detection techniques and more advanced specialised skills. New graduates often lack the practical analysis and synthesis skills, which leaves them unprepared to face the challenges they will meet in the cybersecurity world.
The 2018 SANS survey states that “gamification of the SOC via simulations, exercises, training or any other form of targeted practice is becoming the standard operating procedure for providing a SOC skill set and an effective way of retaining skilled staff”. Institutions of higher education are starting to address the deep asymmetry between frontal instruction and practical exercises by incorporating a cyber range into their cybersecurity curricula.
Cyber ranges produce cybersecurity excellence
Innovative higher education institutions are determined to prepare their students with highly relevant knowledge and practical skills that are valued in the workplace. Cyber ranges are virtual environments used for cyberwarfare training and the development of cyber technologies. A cyber range offers hands-on training in which students can fully experience attacks in a simulated environment. This realistic experience strengthens the analyst’s performance and ability to respond to the most menacing emerging threats. In addition to gaining formal and theoretical knowledge, the range allows students to gain the hands-on experience employers value most and enter the job market well prepared and with a strong competitive edge over other job candidates. A cyber range enables colleges and universities to constantly challenge their students and faculty and can also support cybersecurity academic research.
Cybersecurity education is prospering and attracting larger numbers of students each year. Ambitious students are looking for leading-edge programs where they will be challenged and gain valuable knowledge and experience that will prepare them for their careers as cybersecurity professionals. Students realise that theoretical knowledge alone is not enough to prepare them to take part in defending an organisation under cyberattack. Make on-campus cybersecurity simulation labs an integral part of the syllabus and arm your students with as much hands-on experience as possible from their first semester through to graduation.
Adi Shua, Cyberbit Range Product Manager, Cyberbit
Image source: Shutterstock/deepadesigns