By Larry Clinton
Last week, we discussed that we needed to make a New Year’s resolution to start talking about things that really matter for cybersecurity. One area that really matters if we’re serious about improving our cybersecurity is addressing the current workforce shortage. We can never adequately secure our cyber systems unless we have enough trained people.
We have known this immutable fact for decades. Yet not only aren’t we solving the problem, but it’s getting worse – much worse. Currently, there are over 500,000 cybersecurity positions unfilled in the US. The Bureau of Labor Statistics estimates that number will increase by 31 percent through 2029.
Although there are a few complicated cybersecurity problems we really don’t know how to solve – such as how to secure AI without undermining needed utility – that is not the case with cyber workforce development. We can build on our New Year’s resolution by beginning to address the workforce gap. All we need to do is train people. We do know how to train people; we just aren’t, and haven’t been, doing an adequate job. And we are paying, and will continue to pay, the price for our negligence.
We have faced similar problems in the past and successfully resolved them. When we realized that we needed a specialized military to address the complications of modern air-warfare, we created the Air Force Academy. When we needed to re-orient the hundreds of thousands of soldiers returning home after WW II, we created the GI bill. There are models for massive, large training programs to address national needs; these should be adapted to the critical cybersecurity problem we are now facing – because it, too, is going to get worse – much worse.
This is a supply side labor problem more than a demand issue. Ironically, these are thousands and thousands of extremely important, high-paying, professional positions, and yet we have an endemic problem. Although there are a variety of laudable cybersecurity workforce programs, it is clear our current strategy is not adequate to meet our needs. We need to acknowledge that the present course is inadequate and replace it with a high-profile, multipronged effort.
One Idea, Make Cybersecurity Workforce Development a National Priority: The “Cyber GI-bill”
Our nation is under constant cyber-attack. Just as the “GI-bill” funded education for those who provided government service defending our country during World War II, the new “Cyber GI-bill” would offer free education to all who committed to government service (not limited to military service) upon completion of their training. The ongoing student debt crisis plaguing Millennials and Gen Z Zoomers has made the financial element of education very important. We should capitalize on this opportunity by enticing these students into free education for cybersecurity coupled with government service.
One aspect of this program would be to create a virtual service academy for cybersecurity. Cyber is a new domain of combat. Just as the Air Force Academy was created when air-warfare was understood as a unique domain, so too might a cyber-service academy help train our future leaders for specialization in this unique aspect of national defense. Since cyber-attacks are not limited to traditional military targets, graduates of these programs could fulfill their commitment by serving at any level (e.g., state/local) or department of federal government.
Moreover, it is neither necessary nor wise to limit this offer to the traditional service academies. All accredited colleges and universities should be eligible for this virtual program. A cyber-specific ROTC-like initiative could be created, leveraging the national mission vital to strengthening the cybersecurity talent pipeline. The curriculum for the program could be adapted from any of the major cybersecurity programs already in existence and then shared with any accredited institution interested in providing this training (tax deductions might be offered to incentivize private contributions). This would substantially eliminate financial risk for colleges and universities in developing cyber programs, while dramatically expanding the reach of the program on a cost-effective basis. An added benefit would be the creation of a strong network among institutions for innovation and information sharing. Upon completion of government service, graduates could continue to serve our national defense in the private sector, which is also under attack.
Finally, we can address the diversity problems in STEM professionals by investing in programs targeting underserved women and minority populations. For example, we could subsidize developing cyber workforce development programs for Historically Black Colleges and Universities as well as similarly oriented programs in other higher learning institutions.
Appreciating that workforce needs must be addressed well before the collegiate level, we need to develop a cyber education program that spans all levels of education. We should integrate cyber into K-12 education with classroom initiatives, expanded teacher education, and after-school competitions to develop an interest in the field. These programs should offer hands-on experiences in building operating systems, so students are prepared for and confident enough to think several steps ahead of attackers. Education programs should blend technical training with humanities, business, and policy to prepare cyber professionals for privacy and human-computer interaction challenges.
Programs for Title 1 schools should be created, including tax incentives for private entities willing to underwrite these programs at the state, local, and regional levels. Contributing teaching materials and techniques as well as scholarships targeted at inner cities could help both to close the cyber workforce gap and to meet economic development needs.
The federal government could stimulate funding for such a program by requiring government contractors to contribute a small percentage of the administrative costs of their contracts to a revolving fund to support these efforts. Contractors may offset these contributions with “in-kind” assistance directed to these populations.
Lawmakers are starting to consider these kinds of solutions. Late last year, a bipartisan panel of senators introduced a bill creating the Dr. David Satcher Cybersecurity Education Grant Program, which would expand cybersecurity training at HBCUs and other colleges and universities that serve a high proportion of Pell Grant recipients. Moreover, House Homeland Security Committee Member Rep. Kat Cammack proposed during a cybersecurity hearing a Cyber Academy to begin addressing the workforce gap.
Expand the Audience for Cyber Professions and Address Diversity Gaps
We also need to expand the target audience for these positions. We must eliminate the stereotype that cybersecurity is just a “techy” and “nerdy” profession. Leading organizations are already reconceiving cybersecurity as less tech-centric and more like an enterprise-wide issue with major cybersecurity-related roles in areas like HR, contracting, supply chain, risk management and even media communications. A successful cyber recruitment program would expand the pool of interested people and make “cyber cool.”
The accounting sector encountered a similar challenge with a shortage of people entering the profession, which was perceived as boring and technical. The industry responded by developing a creative marketing program that created a new “face” for their profession to make accounting jobs more enticing to a younger demographic. The cybersecurity recruitment effort could adapt the accounting model, for example by creating a personified representative for cybersecurity. These marketing techniques create a young, attractive, energetic, and approachable vision of what working in cybersecurity is like (think less Smokey the Bear and more Jessie, the DraftKings spokesperson). Moreover, we can leverage pre-existing interests in youthful demographics to make careers in cybersecurity more attractive. For example, we should be accessing younger audiences through gaming events, demonstrating how their gaming skills can be used to develop a lucrative career in cybersecurity. Media can also be leveraged. Just as ESPN turned niche activities, like poker and fantasy football, into prominent portions of their lineup, expanding their reach, the same can be done with gaming with a cyber component.