Training tomorrow’s security talent
From 2013 to 2014 there was a 46 percent increase in the number of reported data breaches, followed by a continuous stream of high-profile cyberattacks. Last year, Cisco reported that there were 1 million unfilled jobs in the cybersecurity field. The lack of qualified cybersecurity talent and the demand for professionals to defend against future attacks is a major concern for the intelligence communities in both the private and public sectors.
[ ALSO ON CSO: How to find qualified people for your security team ]
In the United States Intelligence Community’s 2015 assessment of threats to US national security, U.S. Director of National Intelligence, James Clapper, said that threats to US national and economic security are increasing in frequency, scale, sophistication, and severity of impact.
“The ranges of cyber threat actors, methods of attack, targeted systems, and victims are also expanding,” he added.
While the threats and the level of sophistication of threat actors will continue to advance, the ability to detect and address those threats is a major concern for a majority of enterprises.
Released in July, the 2015 Black Hat Attendee survey revealed a serious shortage of IT security resources in the days ahead.
The report noted: “While nearly three quarters (73 percent) of respondents think it likely that their organizations will have to deal with a major data breach in the year ahead, a majority also feel that they do not have enough budget, staff, and training to handle the load.”
All signs point to a need for significant changes in cybersecurity, specifically in training young talent and developing pipelines for them to enter into cybersecurity careers.
Maurice Uenuma, senior vice president of workforce development, CIS, said, “We look at the work force challenge on two fronts. First is the supply challenge, and we need to grow a larger more robust workforce of talent, and second is the education of the work force as a whole.”
Toward that end, CIS has a Workforce Development Program, which includes a number of initiatives to enhance performance-based learning for students and professionals.
“The greatest need is to fill those cyber security fields with capable talents whether they exist at large enterprises from federal agencies to commercial enterprises, regardless of the nature of the enterprise, those skills are in great demand,” Uenuma said.
Cyber security needs to focus on more than filling the void of talent, and by educating the work force as a whole, enterprises can build better defenses.
“There is a great need for the rest of the work force in general to exercise cyber hygiene. It’s not enough just to have more and better qualified candidates but the companies that have to hire them also have to understand how to leverage their workforce for cybersecurity,” Uenuma added.
Because enterprises will always be vulnerable, educating the work force on cyber hygiene best practices is one layer of defense that is critical in any organization. In order to help agencies provide continued best practices information to their employees, CIS has published a free cyber security work force handbook.
CIS knows that cybersecurity at any enterprise is very much tied to its entire work force, and that the ability of an enterprise to properly manage its work force still remains the largest vulnerability at any organization.
Educating the work force and training and recruiting the next generation of leadership are only a few of the programs offered by the non-profit organization, CIS.
CIS hosts the U.S. Cyber Challenge, which runs competitions and cyber camps to train new talent.
“Some of the areas where there is a greatest shortage of talent are the most technical areas of cyber security: Incident response, forensic analysis, secure coding, network monitoring, and security operations,” Uenuma noted, adding that regardless of the enterprise, these skills are in high demand.
[ ALSO ON CSO: Why the perception of a security talent shortage is really a leadership opportunity ]
The U.S. Cyber Challenge, in its mission to develop a pipeline of future cyber security talent, hosts competitions for high school and college students training them in all things cyber. Jerrod Bates, information security instructor, Delaware Technical Community College, organized his sixth cyber security camp this summer.
The joint effort among Delaware Community College, University of Delaware, Wilmington University, and Delaware State University hosted 65 students in a week-long competition focused on different security topics.
“We teach training in ethical hacking in order to be able to learn defense. There is also SANS training, network penetration, packet crafting where kids craft specialized data packets,” Bates said.
In addition to students learning web application pen testing software like Metasploit, the week culminates in a four and a half hour capture the flag competition. CIS provides scholarships for students to attend the camps in Delaware, Utah, Vermont, and Illinois. At the Delaware camp, eight different companies held a career fair for participants to build sustainable relationships and learn the value of networking.
Networking is a critical tactic that CIS realizes will help to build bridges to opportunities for both the enterprise and the talent pool. Their partnership with Monster.com to build the Cyber Comp X platform was designed, “to create a meaningful pipeline of cyber talent,” said Susan Fallon, vice president of business development at Monster.com.
“Our mission is to align with whatever their workforce needs are, whether that is a federal agency or a private enterprise. We work with 14 federal agencies today, and we are also working with education institutions and other nonprofits on how to best engage both job seekers and employers,” said Fallon.
Cyber Comp X is set up to engage a wide range of participants, from those who may only want to dip their toes in the water, to those who are trying to lead. While on one level the technology is set up as a social networking site where parties can engage in conversation, share ideas, and network, the platform is also set up with a gamification layer.
“The site has competitions available with hot topics at different competitive levels, and after you engage in a competition, you can come back and report your results. That data is then aggregated,” Fallon explained.
The next step is bringing jobs to the site, which Fallon said is what Monster.com is passionate about. Using their 6Sense technology allows employers to look at conceptual and contextual information in a resume, said Fallon. The technology will “whittle down the talent pool on the employer side but is also able to do the same thing on the job seeker side,” Fallon said.
The relationship between CIS and Cyber Comp X, said Fallon, “Is focused on the solution to this very big talent crisis, which demands we take new approaches.”