The more cyberthreats spiral, the more cybersecurity pros we need to fend them off.
But a new study shows that there are a number of blockages keeping the talent pipeline from being filled. For one, young adults aren’t aware of job opportunities, though they’re generally interested.
What’s more, schools aren’t preparing students for the jobs, and there’s even a growing gap within the gap, as fewer young women are informed about potential jobs or express interest in the field.
For the study, Raytheon and the National Cyber Security Alliance commissioned a survey of 3871 people aged 18-26 from 12 countries.
The findings were published on Monday in a report titled Securing Our Future: Closing the Cyber Talent Gap.
Some of the key takeaways:
- Globally, 62% say that no teacher, guidance counselor or supervisory adult ever mentioned the career field to them. Young people in the Middle East are better off than the rest of the world: only 40% of them hadn’t been told of the career, compared with 70% in Europe.
- The situation is worse for women than for men: globally, 9% more young women than men reported that no high school or secondary teacher or counselor had discussed cybersecurity careers as an option with them. The spread was particularly wide in the US, where 55% of men vs. 69% of women hadn’t had the subject broached, and in Europe, where 66% of men vs. 73% of women hadn’t been approached about the career.
- Globally, 33% of men and 24% of women are more likely to consider cybersecurity careers than they were a year ago. The gap is wider in the US: 40% of men and only 23% of women are more likely now to choose a career that entails making the internet safer and more secure.
The study also uncovered an overconfidence among young adults when it comes to their ability to stay safe online.
- Most – 65% – reported feeling that they have the ability to stay safe online, despite their reported lack of education, awareness and engagement with cybersecurity as a career.
- As far as lack of education goes, a majority of young adults – 58% – said they hadn’t been taught how to stay safe online in the classroom or were unsure whether their lessons actually provided that knowledge.
- Some had families who took the time to have the “stay safe online” discussion, some did not: 31% had their first cyber chat with a parent or relative, while 30% had it with “nobody.”
- As far as awareness goes, 67% said they hadn’t heard about a cyber attack in the last year, and 84% said they hadn’t read any articles about it in the past month.
- Being victimized by cybercrime isn’t fazing them: Of the young adults who’d experienced credit card fraud, identity theft, malware infections on devices or other online violations within the last year, nearly half – 44% – said they didn’t change their behavior as a response.
For a world increasingly awash in data breaches and other digital attacks, the survey shows that there are a lot of conversations not taking place.
For one thing, security pros aren’t talking to young people about their jobs, and it’s leaving them with preconceived notions about the jobs being stressful (this downside was reported by 21% of respondents) and boring (18%).
They also think cybersecurity professionals are underpaid (15%) and that fighting inevitable cyber attacks is futile (21%).
Teachers, guidance counselors, parents, cyber professionals: are you talking to kids about the exciting, ever-changing, well-paying field of cybersecurity?
If so, who are you talking to? Who are you not talking to, and why?
If you’re not talking at all, why does the cat have your tongue?
Ben
Well… in Australia at least, it’s almost impossible to find how to approach it as a path even when actively looking. (I’ve actually tried to ask Sophos and a few similar organisations about where to start before, without managing to get any pointers). So… I can see why it seldom gets mentioned at the level you’re looking at here. The assumption seems to be that it’s something you consider quite late in computer science studies~
Robert
Similar situation in the U.S. Plenty of people talking about the need for cyber security professionals but no jobs unless you already have years of experience. I’m fairly tech savvy, understand security needs (and the delicate balance with accessibility) but can’t get my foot in the door anywhere. There are a ton of people (men, women, minorities) out there who would love to work in this space, but can’t get businesses to talk to them.
How do we break in? What are businesses doing to fill the skills gap? Maybe it’s time to bring back apprenticeships. Hell, I’d be willing to leave my moderately comfortable desk job to get a chance to dive into the maelstrom of infosec.
Tyler Buck
The only times that I have seen inexperienced infosec workers land jobs is when they come straight from a school with a degree related to security. Otherwise, I’ve seen guys unable to break into the market even with a few years of paid security research. The needs of the local market can also really dictate what is available.
Andrew Ludgate
To give you one data point, I spent 10 years as a network administrator (among other things) where “computer security” was just one of the many tasks, prior to starting a career specifically in computer security.
However, I know many people who get started right out of school (or before) — the common trait seems to be having the initiative to figure out how things work (and break) in the computer world, and apply forward-looking defensive strategies in a parallel field.
Something that makes this discussion more difficult is that “cyber security,” “computer security,” “Information Security” and all the others are overlapping but somewhat distinct fields. The overall field encompasses such things as SIEM management, DBM and architectural design, network intrusion analysis, health records management, PCI compliance inspector, and many many more.
Think of a career in information security as being similar to a career in creative writing — there are plenty of workshops, meetups, even a number of accreditations, but what you really need to do is build up a portfolio of ideas you’ve carried to completion, stories you can tell about what you’ve observed, the ability to demonstrate your understanding under pressure in the middle of an interview, and the talent of demonstrating you know how to think outside the box.
You’ll also be helped by a demonstrated background in at least one “cyber” field, whether that be records management, big data analytics, computer systems design, network administration, policy analysis, or something else.
Going to security conferences and networking with people in the field also helps.
Ben
(I’m not in that age range, mind you – I’m looking from scratch after years of raising kids. But I’m dealing with the same advice services that the topic references~)
Nico
If you’re looking from a technical point of view then a senior network role in Network Services at a civil authority or large multinational could be a good way of breaking into the industry albeit at the lower end of the pay scale. If you’re more interested in information security management systems then an Information Governance role could also be a good place to start.
Robert
Nico, what you’re saying is there really are no entry-level security positions. A senior role at a civil authority, and especially, at a multinational corporation will take years of work. If that really is the only way to break into doing security work there is a significant disconnect between employers, practitioners, and potential future practitioners.
Elliott
If you’re willing to commit a few years to military service and if you have an aptitude for cyber-security you should be able to get both education and experience. The downsides are that you can wind up in harm’s way, and you may not be assigned to the specialty you are seeking.
Nick
I’m graduating from university in two years, very interested in cybersecurity. Hoping the job market is likewise interested in me!
Andrew Ludgate
The best way to get the job market interested in you is to start building a list of research accomplishments and related hobbies/projects that you can turn into a compelling story for why company X needs to hire you. Tailor your 3rd and 4th year courses accordingly, and try to adapt your class projects to fit the story. For example, if you’re interested in financial data security, make your class projects focus on this area — if it turns out that this part of InfoSec is not for you, better to find out while you’re still in school :)
Also, follow industry leaders in the areas you’re interested in, go to a few local meetups that have to do with security, and you’ll be in a much better position when you graduate than people who are expecting to be handed a job because they’ve got a degree.
Rick
How about taking the first step in fixing this issue with information from people involved in the effort providing information regarding the best schools and resources for obtaining the requisite knowledge? There are far too many discussions regarding the lack of training and far too few discussions regarding EXACTLY how to get on the proper path for a career in the field. What courses are best? What schools are best? What career options are there for people entering the field, specializations? It is time to move past the discussion of the problem and to begin providing information to get people interested and more importantly providing the ‘how’ to get started on the path. This information should be coming from people in the industry, not popular magazines providing a popularity poll and knowing little about the day to day activities of cybersecurity professionals.
Andrew Ludgate
As I mentioned elsewhere, the issue is that “getting into cybersecurity” is kind of like “getting into public service.” While there are skills you need, the exact skillset depends on what kind of work you want to do. Pretty much any education can be useful, including social sciences education, history, literature, and psychology. The big thing is to develop critical thinking skills and foster a continual desire to learn new things.
What is needed for people entering the field isn’t specialization usually, but generalization — the ability to draw connections between data sets that are seemingly unconnected, and the ability to think outside the box. This can be applied to any training regimen.
The other thing that is needed is socialization. This is where local security meetups are useful — you’ll get more out of attending a B-Sides conference and talking to people than in paying the big money to go to BlackHat or DefCon for example. But also read the presentations from the larger conferences, and you’ll see where the academic side of things is going, and what sort of people are publishing.
The big thing is that security research is both very general, and individually very specialized. This makes it rather difficult to provide one path for people to take to get into the field, as if everyone takes that path, it will no longer be a security interest, just a common part of managing security (with lots of cheap labour).
That said, I agree that more security-focused courses and areas need to be defined. In my view, this shouldn’t be about “cyber” security though; instead it should be about security in general, and data/information security if you want to become specific.
Mahhn
I’m 2nd year Info Sec. I was Sr desktop tech for over 15 years, lots of security experience like any self educating experienced tech, but almost no certs, hell most certs are a joke anyways and play only to get you an interview.
I was offered the Info Sec job because they liked me and I knew what I was talking about. They have since sent me for training (product specific, like most training) and I am sticking around.
It is up to you to do your own learning, build professional relationships, and find or create jobs. Info Sec has some basics but the field is changing so much all the time that your best 2 years ago is next to irrelevant today in some instances. When I started in IT I had no experience and couldn’t get a job. So I started my own company, 3 years later I was hired by people I met on side jobs because they wanted me on their team. Personal networking can get you further than a paper education if you know your stuff and are good with people. Do not rely on a school, they will “always” be at least 1 year behind on threat intelligence. Educating yourself constantly is the only way to be proficient, get and keep an info sec job.
Dan
High school is hardly the place to learn about jobs that will usually require a degree.
When I was at high school, nobody told me about cyber security either, yet here I am.
I think it’s better for people in education not to be focused on the job they want, but to focus on skills/disciplines that will prepare them and make them useful in a number of jobs.
Inevitably, specialized courses and degrees in cyber security will pop up because of the huge demand, but the people they churn out won’t have the broader knowledge to really excel in the field, or as a safety net if they can’t find a job in this fairly niche area, which will start to happen when said courses and degrees proliferate.
Alice
I disagree with your first statement here. While a school’s primary role is to teach a broad base skill set, kids at high school need some direction and motivation.
For instance, knowing about the possibility of getting into cryptography or cryptanalysis may help them understand why it is important to take an advanced mathematics class, or Digital Forensics which might start with taking basic ICT and learning the “boring” stuff about how computers store data and IP packet format etc.