Congress Hears Ideas for Boosting Cybersecurity Workforce
How Certifications, Apprenticeships Could Help Address Staff Shortages
Because of the shortage of cybersecurity workers, the federal government and the private sector need to consider accepting high school graduates as entry-level employees as well as finding new staff through certificate programs and apprenticeships, cyber education experts told a House subcommittee last week.
"While traditional college systems can play an important role in growth and development, they cannot be the only place we go to find and nurture cybersecurity talent," says Barbara Massa, executive vice president and chief of business operations at the security firm FireEye.
At a hearing of the Homeland Security Committee's Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, Rep. Yvette Clarke, D-N.Y., committee chair, cited a deficit of 460,000 trained cybersecurity workers in the U.S. along with a litany of cyber incidents that have recently struck government and private organizations as evidence that more cybersecurity professionals must be recruited.
"I want to commend [DHS] Secretary [Alejandro] Mayorkas for making enhancing the cyber workforce the second of DHS's 60-day cyber sprints. By prioritizing this aggressive approach, Secretary Mayorkas has made meaningful progress in reducing the significant number of cyber vacancies at the department while taking additional steps to address the shortage of cyber professionals nationally," Clarke said in her opening statement.
The subcommittee heard testimony from five witnesses who listed flaws in the way the government and private sector attempt to attract, train and retain potential cybersecurity workers. They suggested actions, such as developing apprenticeship programs, increasing funding for the DHS Cybersecurity Education and Training Assistance Program and reducing the time needed to onboard new federal cybersecurity staff.
Tony Coulson, executive director at the Cybersecurity Center at California State University, San Bernardino, told committee members that the current hiring process for cybersecurity workers is out of date and the general requirement that demands a college degree in a cybersecurity-related field excludes many potential workers. To rectify this, he suggested that the industry take a page from other sectors, such as plumbing and carpentry, that focus on hands-on training.
No College Required
Subcommittee member Rep. Richie Torres, D-N.Y., asked the witnesses about the necessity of all cybersecurity staff members having a four-year college degree.
Kevin Nolten, director of academic outreach at Cyber.org's Cyber Innovation Center, which trains high school students in security, recommended that more high schools offer cybersecurity certificate programs that prepare students for technician-level jobs upon graduation.
"Not every student is going to go to college. So what we want to ensure is that upon graduating high school, we have students with industry-based certifications, so they are skilled to go walk into an organization and be employable, immediately," Nolten said.
James McQuiggan, security awareness advocate at KnowBe4, called on the cybersecurity industry to create true entry-level positions.
"What is missing is proper entry-level positions requiring only a high school education and an entry-level certification," he says. "An entry-level security operations center analyst is a great starting point for someone just out of high school with a certificate and the willingness to learn."
"The hands-on experience that can be gained via certification programs, cyber competitions and training programs carries great value for problem-solving against today's emerging threats," Massa testified. "By removing degree requirements and focusing on relevant cyber training, we have the potential to greatly expand the pool of available cybersecurity talent."
Michael Lines, head of product security at LeanIX, called for fundamental change in the high school-college pipeline - adding a vocational aspect to the process. "Instead of forcing students into a treadmill of obtaining college degrees at massive personal cost, there is instead an option for two years of vocation training starting in high school with one option being cyber-related," he said.
He envisions a student taking two years of training to achieve a thorough grounding in the fundamentals and obtain a "Security+" certificate along with some hands-on training.
"When the entire program is focused on getting a productive job post-high school for those who wish it, as opposed to four or more years of higher education, I think that the students and society overall would be much better off," Lines said.
Mark Eggleston, CISO at CSC Global, says companies need to take action to improve their chances of expanding their cybersecurity staffs. "Lower or set entry-level job descriptions - entry level should never require college, certifications or years of experience," he says. "Do pro-bono coaching, mentoring and career guidance/fairs to spread the word that all is awesome in cyber."
Apprentices and Interns
Many of the subcommittee's questions to the witnesses focused on not only hiring more workers but increasing the speed at which they can be trained and introduced into the workforce.
Coulson said apprenticeships can help fill the gap.
"There's a huge opportunity here for apprenticeships - to have people earn while they learn also increases velocity, if that student is able to gain experience while they're in their job, while they're receiving their education," he said. "And it also tightens the partnership with educational institutions to build the workforce you need, as opposed to, 'Well, here's somebody we graduated. I hope it works out.'"
Max Stier, president and CEO of the Partnership for Public Service, pointed out that the federal government inadvertently places roadblocks that greatly slow the hiring process for cybersecurity workers, sometimes to the point where a recent graduate opts to take a job elsewhere.
"Clearly, in cyber, in many instances, it's security clearances. And one of the things that can be done is ensuring that the security clearance process is completed while interns are students," he said, adding that paying interns is also crucial.
Another benefit of this approach, Massa noted, is that it opens up a new, diverse talent pool that includes those who may not have access to a traditional college path.
"There is a growing urgency to present new routes that enable access to similar opportunities and skill-building avenues. All these initiatives are critical to the expansion of the talent pool that is needed for the future of cyber," Massa said.
Other pools of potential cybersecurity personnel should not be ignored, says KnowBe4's McQuiggan. For example, he said those who now:
- Analyze data can work in a SOC;
- Have marketing or communications backgrounds can focus on security awareness and training programs;
- Work in manufacturing can become system administrators;
- Work in high-pressure environments could consider taking a role on a Cyber Security Incident Response Team, or CSIRT.
"They do not all need the certifications or degrees, rather a willingness to learn and take the initiative to solve problems and complete projects," McQuiggan said. "They also need to separate themselves from the pack, which comes down to networking. Being able to get out into the community and meet other cybersecurity professionals will only increase their chances of being hired at a company or organization."