At Black Hat in Las Vegas last week, Trend Micro’s Kevin Simzer spoke about the global, dire need for cybersecurity talent. The number of open jobs in cybersecurity continues to increase dramatically. A report from Cisco stated that there were over one million unfilled positions globally in 2016. Symantec’s CEO said the shortfall will rise to 1.5 million by 2019. A study by ISC2 projects 1.8 million open positions by 2022.

Enterprises need information security talent for a set of tasks. The US Department of Commerce established NICE (the National Initiative for Cybersecurity Education, see https://www.nist.gov/nice for details) to support training in cybersecurity. This initiative, documented in NIST SP 800-181, lists seven workforce categories:

Securely Provision (SP): Conceptualizes, designs, and builds secure information technology (IT) systems, with responsibility for aspects of systems and/or networks development.

Operate and Maintain (OM): Provides the support, administration, and maintenance necessary to ensure effective and efficient information technology (IT) system performance and security.

Oversee and Govern (OV): Provides leadership, management, direction, or development and advocacy so the organization may effectively conduct cybersecurity work.

Protect and Defend (PR): Identifies, analyzes, and mitigates threats to internal information technology (IT) systems and/or networks.

Analyze (AN): Performs highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.

Collect and Operate (CO): Provides specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence.

Investigate (IN): Investigates cybersecurity events or crimes related to information technology (IT) systems, networks, and digital evidence.

Solutions

The scale and urgency of the issue exceed the response time of conventional market mechanisms. In the US, the National Institute of Standards and Technology (NIST) has partnered with CompTIA (the Computing Technology Industry Association) and Burning Glass (a consultancy) to produce a heat map showing open jobs by region within the US. See http://cyberseek.org/ for details.

Professional certification can open doors for job seekers. As of this writing, CyberSeek shows 108,874 people in the US holding CISSP (from ISC2, see https://www.isc2.org/Certifications/CISSP), CISA, or CISM (both from ISACA, see http://www.isaca.org/certification/cisa-certified-information-systems-auditor/pages/default.aspx) designations, while there are 140,855 open jobs requiring one of these.

Open competitions such as Capture-the-Flag can excite and reward new cybersecurity talent. Trend Micro runs an annual competition, described at http://www.trendmicro.com/tmctf, designed to “target young professionals in the cybersecurity industry to enhance their practical skills in areas such as cybercrimes, targeted attacks, Internet of Things (IoT) and Industrial Control Systems (ICS).”

Beyond conventional state-sponsored and higher-level education, enterprises can ramp up training programs to meet their individual requirements. During the 1970s, many industries rapidly automated conventional back-office processes, creating demand for skilled programmers. Since there were few degree-granting programs in computer science or software engineering then, certain leading firms trained programmers themselves. This business process created three unforeseen benefits.

First, trainees would accept somewhat lower wages than prevailed in the region – in exchange for the career value of training and initial work experience.

Second, after two years of experience, many of these programmers would leave for other opportunities. This benefited the training firm: they had to develop programs, systems, and architectural models that people with two years of job experience could maintain. This meant the code had to be simple, clear, and well-documented. That high-quality development process yielded low defect rates and simplified functional extensions.

Third, the organization strengthened its brand and reputation by benefiting the local economy. Training alumni networked with current and former employees and their colleagues, local schools, government, and other businesses.

As of this writing (Aug 2, 2017), Amazon has 89 open cyber security jobs in the US. IBM has 98. Trend Micro trains skilled individuals in many geographies globally. In the first half of 2017, 50 people completed the training program. Nine have joined Trend Micro, and the rest have joined partner firms in their regions. There is no cost. Students receive a small stipend during the seven-week program. That program will scale up to meet some of Trend Micro’s global cybersecurity skill requirements in parallel with conventional experienced hiring. While some organizations (or consortiums) may not be able to justify a training program, those that do will reap substantial benefits for themselves and their communities.