With cyber crime on the rise and data breaches hitting an all-time high in 2013, companies need more help than ever in protecting both their own and their customers’ data, which is reflected in the estimated 300,000 unfilled cybersecurity jobs advertised in the United States right now. Meanwhile, nearly 16 percent of Americans aged 18-29 are unemployed—more than twice the national rate.
Marian Merritt, Director of Cyber Education and Online Safety Programs, sat down with us recently to discuss how the new Symantec Cyber Career Connection (SC3) will help close this talent gap.
Q. What are some of the factors perpetuating the shortage of cyber security professionals?
A lack of clarity and standardization. Historically, there haven’t been good definitions of what “cyber security” encompasses or what it takes to be successful in the field. The result is that there are educational programs available and there are nonprofits offering certifications in cybersecurity, but for someone entering the field it’s not entirely clear which to pursue and in what order. To help solve the standardization issue, the Department of Homeland Security is making an effort to codify the jobs as well as the education and certifications they require.
Additionally, we know that there is a problem recruiting women into IT roles. We hope that with better focus on STEM education this can be addressed, but that’s a long-term solution. We’re looking for opportunities that might make a difference more rapidly.
Q. Where is today’s cyber security talent coming from? Are there concerted efforts to fill the career gap?
We’re seeing piecemeal efforts. We do hear a lot about companies sponsoring four year college training in cybersecurity as a subcategory of IT, and that's great, but it means that young people are not available for employment for four years. The Obama Administration has also been keenly focused on this issue, earmarking extra funds for cyber-related education, helping move more veterans into cyber roles, and supporting community colleges in the development of cybersecurity curricula. What’s important, ultimately, is the connection between cybersecurity hiring organizations and educators. In many cases, students are handed a certificate but not a connection to a job. The whole point is to get them jobs. We think we can avoid that pitfall.
We also believe there is no significant barrier to older workers entering the cybersecurity field, particularly those switching careers. Ultimately, we would love for our model to expand and be replicated elsewhere.
Q. Research from Burning Glass—a leading provider of career data and services—shows that 84 percent of cyber security job postings in 2013 required candidates to have at least a bachelor’s degree and 51 percent required at least one form of professional certification. Do the two always go hand-in-hand? Is there a way to pursue a career in cyber security without a college degree?
We’ve seen reports estimating that up to 20 percent of today’s open cybersecurity positions could be filled by people without college degrees. While a degree is often preferable, it’s not always required, and many companies are willing to provide the right candidates with specialized training to bring them up to speed. What we do anticipate is that helping young people get into entry-level cybersecurity roles will take some mix of A+ and Security+ certifications from a recognized provider like CompTIA, and that’s what we’re trying to accomplish with the launch of the SC3 initiative this year.
Q. Would you say that some of the high profile security breaches that have been in the news in the past year or so—especially among retailers—are more symptomatic of a cyber security talent shortage or changes in the threat landscape?
There are many factors contributing to security breaches, but cybersecurity talent shortages certainly play a role. Cyber criminals are also finding increasingly creative ways to get into organizations and access sensitive data—and not always through direct attacks. In some cases they’ll get in the back door by targeting smaller companies that do business with the larger entity. Months can pass before a breach is recognized, and it might even be another business partner that ultimately uncovers it, such as a credit card company noticing a lot of fraudulent activity associated with a particular retailer.
Unfortunately, cyber crime continues to be an attractive and lucrative business, especially in some countries where people are less concerned about being detected. That being said, things are improving with more concerted partnership between law enforcement of different countries. Cyber crime can cause people to lose confidence in the marketplace, and that’s problematic for the global economy.
Q. How will the qualifications of tomorrow’s cyber security professional differ from today’s?
That is a great question. I imagine that a lot more of the basics will be taught in high schools as a path for those who are interested in the field, and A+ certifications could certainly be completed via online courses. More advanced training—anything requiring students to use and interact with IT equipment—would still need to take place in labs, and I don’t think America’s high schools are outfitted for that kind of work at this time. We have visited private schools that are already focused on advanced IT skill development, and we consider that to be a leading indicator of the cybersecurity field’s trajectory and formalization.