It’s official: 2017 was the worst year ever for cyber-attacks globally, according to the Online Trust Alliance. The number of cyber incidents, ranging from the massive WannaCry and NotPetya ransomware attacks to huge data breaches at Equifax and Uber, doubled compared with 2016. So far, 2018 hasn’t been quite as bad, but there have still been many high-profile damaging breaches, such as those which affected Facebook and British Airways. It’s no surprise that the World Economic Forum’s Global Risks Report 2018 rated the potential damage from cyber-attacks as the third-largest risk facing societies and the global economy today, behind extreme weather events and natural disasters.
One of the main reasons why cyberattacks are having such an impact is resourcing. Put simply, many organisations’ security teams are overstretched and getting overwhelmed, because they don’t have enough skilled personnel to enable them to deal with current and emerging threats. In early 2018, a report by analyst ESG found that over half (51 per cent) of enterprises have a problematic cybersecurity skills shortage. This has more than doubled since 2014, when ESG conducted similar research. The specialist careers website CyberSeek states there are currently over 300,000 unfilled cybersecurity jobs in the U.S. alone, and it’s predicted there will be 1.8 million unfilled security roles globally by 2022.
This shortage of experienced personnel manifests itself in several ways. It increases the workload of existing cybersecurity staff, and leads to the hiring of junior personnel who require on-the-job training, rather than skilled pros. It also perpetuates the situation in which security teams only have the bandwidth to focus on firefighting problems and simply trying to ‘keep the lights on’ as best they can, and don’t have the time to work on more strategic initiatives that would enable the business. Against the backdrop of a fast-growing array of cyber threats, coupled with an increasing demand for secure digital transformation, it’s clear that the cybersecurity skills shortage poses a huge risk to organisations of all sizes, industries, and geographies.
To help drive awareness of this problem, one of the focus themes for the 15th annual National Cybersecurity Awareness Month (NCSAM) is ‘Educating for a Career in Cybersecurity.’ It aims to highlight the opportunities to inform students of all ages, from high school to higher education and beyond, about cybersecurity as they consider their future career options, and to motivate teachers and counsellors about the range of roles available in the sector. But how do we go beyond just creating awareness, and take positive action?
Addressing the skills gap quickly demands action at all levels of education, because the problem isn’t limited just to the cybersecurity sector. According to the Smithsonian Science Education Center, 2.4 million science, technology, engineering, or math (STEM) vacancies will remain unfilled in 2018. 78 per cent of U.S. high school graduates don't meet the required grade for one or more college courses in math, science, reading or English. There is also significant underrepresentation of women and people from diverse ethnic groups in STEM roles. As such, the first challenge to overcome in closing the skills gap is increasing school students’ interest in relevant STEM subjects and building their skills.
This is why Keysight operates education programs worldwide, to address this issue head-on with local, national and international projects. These involve direct school-support activities and running educational events targeting students from age 9 upward, to foster an early interest in STEM topics, show how these drive innovation and help to develop their problem-solving capabilities.
Driving interest in STEM subjects shouldn’t stop when students leave high school: it needs to continue into higher education too, with established courses that provide a defined pathway into relevant careers for students of all ages. But there’s still some way to go here, as a 2016 cybersecurity skills report showed that just 7 per cent of top universities internationally offered cybersecurity degree courses at undergraduate level, and only one-third offered a Masters program.
However, this situation is changing fast. Several universities and colleges are investing in new facilities offering cutting-edge education technologies, with the aim of enticing students onto cybersecurity courses. For example, in the past 18 months universities across the U.S. have invested in cyber ranges, which are specially-equipped computer labs that provide realistic training environments in which students can explore and practice cybersecurity scenarios and develop their skills and knowledge.
Cyber ranges can also be used by enterprise security teams to practice how to recognise emerging cyber-incidents and indicators of compromise, and how to respond to them properly. This in turn helps them to identify and remediate threats faster. Cyber range training provides a safe environment for simulating and conducting network probes and cyber-attacks against enemy targets, and for countering those attacks with defensive operations to protect critical business applications and network infrastructure. Cyber ranges can also replicate successful breaches as case studies.
The cybersecurity industry is also playing its part in creating opportunities to attract and develop new cybersecurity talent. Ixia, a Keysight company, established the international Cyber Combat competition in which teams of students and cybersecurity industry professionals pit their skills against one another. These cyber war games have two main objectives: to present cybersecurity in an exciting and engaging context to students, and to enable current security pros to hone their skills and stay up-to-date on the latest tools and techniques in simulated cybersecurity attack scenarios. They also help contestants to understand the mindset of cyber-attackers, which in turn makes them better at defence.
In conclusion, the security skills shortage will not be fixed overnight. After all, creating a threat hunter or cyber analyst with three years’ experience takes, well, three years. But by engaging students’ interest early and highlighting the extensive range of opportunities and rewards the industry offers, we can attract the new talent that’s needed to help us keep pace with the growing cyber risk.
Marie Hattar, Chief Marketing Officer, Keysight Technologies