#RSAC: Recruiting the Next-Generation Cyber-Workforce

The cybersecurity workforce gap has been well-documented—and cultivating the next generation of cyber-workers, the Millennials, from an early age has been widely seen as a mandate for continued industry viability. Tackling the recruitment conundrum takes a multipronged approach, according to panelists at RSA 2015, who took the stage to discuss the challenges and the opportunities for wooing young people to cyber in the digital age.

Jeffery Jacoby, program engineering director, cybersecurity and special mission intelligence information and services at government contractor Raytheon, noted that the Millennials, typically considered to be ages 18-26, is an ideal generation to embrace cybersecurity as a career. They’ve grown up in a connected era, are no stranger to both the wonders and the dangers of the internet, and they’re at the point in their lives where career decision-making happens. But there’s a decided lack of awareness at play that’s hampering the ability to capitalizing on these characteristics.

“The question becomes, what is their interest, how prepared are they to enter the workforce, and what are their online behaviors,” Jacoby said. “And here, confusion emerges. Like with anything else, if you torture numbers long enough they’ll confess to almost anything.”

To that point, a Raytheon survey found that 25% of Millennials indicate an interest in cybersecurity as a career. That number hasn’t changed from the year before, which is encouraging—but, nearly two-thirds (63%) also indicated that they didn’t really understand the rules and responsibilities that they would be up against, and what the day-to-day tasks would be.

When asked what would help them make the commitment to making the internet more safe and secure, this too started with a basic understanding of the roles and responsibilities—they wanted to ask, what will be expected of me and will I like it? Will I be suited to it, will I be good at it?

But it’s not just the Millennial demographic that needs to be addressed, because other key cohorts and niches have crucial parts to play.

“I look at it as a fundamental supply and demand model,” Jacoby said. “We’ve got a real problem today, and don’t forget that public and private entities don’t have the same resources. It’s difficult and extremely expensive to work through a model to attract Millennials and then retain them. We also need to take people currently in the workforce, and give them more training to bring them on board.”

Cecily Joseph, vice president of corporate responsibility and chief diversity officer at Symantec, said that her company has a K-12 workforce development initiative, especially to create a path for underserved and under-represented young adults.

“There are at least 300,000 jobs that are unfulfilled today,” she said. “About 20% of those jobs can be filled with people that don’t have a four-year college degree—and there’s a 16% unemployment rate among that demographic.”

The program has four phases, starting with the “excitement” phase to get young people excited about a cybersecurity career. The vendor has partnered with several organizations, including the American Association of American Women to run things like a summer program for middle school girls, and an outreach program for high school kids. The second phase is training and certification, where program participants can work on core skills, technical certifications and product proficiency, and soft skills like interviewing and resume-building. From there, the program will place participants in 10-week internships before moving into the final job placement phase.

It just had its first graduating class, with 15 students and a 80% graduation rate. A full 25% of them are women, and another 80% are of color. And, 80% are in extended internships or have job placements now.

Panelist Ann Barron-DiCamillo, director of US-CERT at DHS, said that the agency is actively working on recruiting and retaining cyber-talent, including by working closely with academic partners to provide financial incentives for cyber-relevant degrees via the National Science Foundation’s Scholarships for Service program. It’s also offering internships for digital media analysis, network analysis and other fields; it has brought 2,300 graduates through the program since 2000, with a 90% placement rate.

If the program numbers seem low, that’s because they are. According to US Department of Homeland Security (DHS), by 2020 there will be 1.2 million positions in cybersecurity—and only 400,000 graduates to fill them.

To help gain scale, DHS is also sponsoring federal virtual training environments, where, so far, 60,000 people have been trained, and it is exploring ways to bring in veterans to the workforce. It also runs federal cybersecurity training exercises and competitions.

The other piece of the puzzle is helping educators, mentors and parents understand what the jobs are, so that they can effectively communicate that. The Raytheon research showed that only 41% of students surveyed said that someone in their lives has mentioned cybersecurity IT as a career. That’s up from 18% in 2013, but still low. Further, 36% didn’t feel high school computer class was giving them relevant skills.

DHS is tackling this too, and has developed a curriculum in lesson-plan format to implement in classrooms. Topics range from “cyber 101” up to more technical in-classroom teaching. DHS has begun outreach to school boards at the state and county level and is hoping to expand nationwide thanks to its status as a trusted objective group. It also runs camps for teachers.

Also, it’s important to recognize that no matter what happens, demand will outstrip supply thanks to the sheer scale of what needs to be protected, especially as the internet of things (IoT) expands exponentially.

“We can’t just look at the supply side,” Jacoby said. “It will take talent, but to lower demand to manageable levels, we need more automation and technology evolution, and to build more security into the things we’re putting on the network.

There’s no time to wait. Symantec research also confirms what we know anecdotally: cyberattacks are on the rise, Joseph said. “In 2014 there was a 40% increase—and there was a 60% increase in 2013. The targets are large and small businesses alike,” she noted. “It’s no wonder that research from the Boston College Center for Corporate Citizenship found that when it comes to what execs will be most focused on in three to five years from a social perspective, the No. 1 issue was around data protection and privacy—that wasn’t even in the report results in previous years.”

What’s Hot on Infosecurity Magazine?