THE BROAD VIEW

The mad dash to find a cybersecurity force

The dangers of catastrophe from hacking are great and immediate, yet there is a woeful shortage of trained defenders

Shamla Naidoo (second from right), global chief information security officer for IBM, has had success reaching out to mothers returning to work, as well as to veterans, to find potential cybersecurity workers. Employers and educators are rethinking the way they attract and train potential employees to meet the demands of an increasingly vulnerable online world.

A STUNNING statistic is reverberating in cybersecurity: an estimated 3.5 million cybersecurity jobs will be available but unfilled by 2021, according to predictions from Cybersecurity Ventures and other experts.

"It's scary. Our power grid, our cars, our everyday devices - basically everything is online and able to be attacked," said Georgia Weidman, author of Penetration Testing: A Hands-On Introduction to Hacking.

Weidman is the founder of two cybersecurity companies, Bulb Security, where she is chief executive, and Shevirah, where she is chief technology officer. Shevirah specialises in security for mobile devices.

"It would certainly cause mass destruction if our power grid went down or our water pumps started going haywire or our dams decided to open all their sluices," she said. "That's actually something that could happen."

According to a report released this year by the Identity Theft Resource Center, the number of data breaches tracked in the United States in 2017 hit a high of more than 1,500, up almost 45 per cent over 2016. In one incident this year, the data of 29 million Facebook users was stolen.

In response to the sheer number of new digital gates that might be left open, employers and educators have had to become more creative in finding people to guard them.

They need penetration testers to simulate attacks to find and fix vulnerabilities that could be exploited by a real attacker.

They need malware analysts to find out what malicious programs do so they can protect against the attacks.

They need security researchers to discover new vulnerabilities in applications and other products - before the thieves do - so they can be fixed. They need security architects to make sure all the best practices are being followed.

Big shortage

According to the chief economist for LinkedIn, Guy Berger, there was a shortage as of September of 11,000 people with cybersecurity skills in the San Francisco Bay Area, 5,000 in New York and almost 4,000 in Seattle, the areas with the largest concentration of need. LinkedIn regularly issues workforce reports based on its analysis of jobs data in the United States.

Some major corporations have openly taken to hiring hackers to help protect them. An extreme example is Kevin Mitnick, who hacked into corporations, landed on the FBI Most Wanted Fugitives list and went to jail for five years, but is now a security consultant to Fortune 500 companies and governments.

As he says on his website about hackers: "It takes one to know one."

Many companies are also putting less emphasis on the need for a college degree to qualify for a cybersecurity job, Weidman said.

With an undergraduate degree in mathematics from Mary Baldwin College in Staunton, Virginia, and a master's in computer science from James Madison University in Harrisonburg, Virginia, Weidman said she had seen how much hands-on experience really mattered in the cyberfield.

That insight came early when she participated in the National Collegiate Cyber Defense Competition as a student.

The competition, which began in 2005, is held at colleges across the country and designed to test student teams' abilities to detect and respond to outside threats and to protect services such as mail servers and web servers.

The sponsors include high-tech companies like defence contractor Raytheon and IBM, but also retailers like Walmart and transportation companies like Uber.

Recalling the difference between theoretical learning in college and hands-on experience, Weidman said she could do a lot of maths about computer networking, "but could I actually manage a network at a company? Absolutely not".

The people who were in community colleges would "wipe the floor with those of us at universities, because community colleges really were focused on how to do these things", she said. "I think that people at the university level are starting to realise that we need more hands-on skills in cybersecurity, as well as just the theory."

Changing curriculums

With that in mind, colleges and universities are changing their curriculums. Weidman is working with the Tulane School of Professional Advancement in New Orleans to build an online class for its Applied Computing Systems & Technology degree programme.

At New York University, the Center for Cybersecurity has been operating for 20 years and graduates about 50 students annually. But this year, it created an online master's programme to help make the training more affordable in hopes of attracting more people to the field.

Students in cybersecurity get a 75 per cent discount, so the master's degree costs about US$15,000, compared with about US$60,000 for the traditional on-campus programme. The online programme enrolled 125 students in September and hopes to have 1,000 students annually within three or four years.

"Nationally, we graduate twice the number of psychology majors as opposed to engineers," said Nasir Memon, professor and associate dean for online learning at the NYU Tandon School of Engineering. "We graduate as many park rangers as compared to computer scientists."

Students frequently graduate in fields that lack opportunity for long-term careers, he said. If they want to switch to computer science in traditional programmes, they can face daunting barriers, like multiple semesters of catch-up courses and a requirement to take the Graduate Record Examination.

"So one of the things we did is start a bridge programme, where we say, we don't care what you did in your undergrad; you could have done physics, anthropology, anything, just come on in," said Prof Memon.

The welcome the school extends is in the form of an intense, four-month online programme of computer science courses with a price of US$1,500. If students pass, they are eligible for the full programme.

More women

This year, 230 students were accepted into the bridge programme, 22 per cent of them women. That number compares with 11 per cent of women in the cybersecurity force overall, according to a 2017 report by the Center for Cyber Safety and Education and the Executive Women's Forum on Information Security, Risk Management & Privacy.

Shamla Naidoo, global chief information security officer for IBM, has had success reaching out to mothers returning to work, as well as to veterans, to find potential cybersecurity workers.

She said: "Posting a job description and hoping people are going to show up and apply to the job wasn't working because the people just didn't exist. So rather than trying to hire the skills and knowing they're not as easily available, let's create the skills internally."

She created a system open to hiring people who have little or no experience, and, in many cases, even skills, in cybersecurity, with the understanding that they will come in, join a more experienced team and learn on the job. They are formed into teams of five to seven people solving one problem at a time, with the new employees teaming with more experienced security experts to watch.

Many skills from other industries are transferable to the cybersecurity field. Cybersecurity experts need to be able to communicate policies to, as Ms Naidoo put it, "increase the cybersecurity IQ" of an entire organisation. For example, people from a finance background might be able to educate their co-workers in accounting about cyberrisk.

She has grown her team by about 25 per cent over the last year with developers, consultants and research professionals. She said being more flexible in hiring, and hiring outside of the normal pipeline, had evened out some of the inequities in the field - like a relative dearth of minorities and women.

"To solve the skills shortage, we have to hire people who have the right aptitude, who have the right attitude, people who are curious, are willing to learn," Ms Naidoo said. "I will hire people wherever I can find them."

Michael Doran, 38, was a police officer in St Louis for almost 10 years before going into cybersecurity.

"I quickly found out a lot of the older detectives were not doing a lot of the computer crimes," he said. "I saw my opening there to make a niche for myself."

After learning about the field of digital forensics, he took free, online courses through the National White Collar Crime Center. He then decided to get another bachelor's degree and a master's degree online in computer forensics and intelligence. He studied at Utica College from home while working full time, but it did not take long for the private industry to scoop him up.

"It was an offer I couldn't refuse," he said, speaking of more than doubling his salary to near six figures.

More C-suite executives are filling their own skills gaps when it comes to cybersecurity, said Eric Rosenbach, co-director of the Belfer Center for Science and International Affairs at Harvard Kennedy School and former chief of staff at the Defense Department.

He runs an online class for working, senior-level executives "who are only now seeing how seriously they need to take it because they've seen so many other CEOs get fired for major breaches", he said.

Beyond the particular needs of firms in the cybersecurity arena, there is also a skills gap in the larger population that needs to be addressed, he said.

"I'm surprised, even at Harvard, how few of the students here know very basic stuff about cyberhygiene, two-factor authentication, things like that, that people should be doing to protect themselves." NYTIMES