The nation’s colleges and universities are scrambling to add courses to prepare students to fill the huge number of cybersecurity jobs that have arisen because of the exponential growth in hacking worldwide.

The extent of the problem isn’t clear; analysts say the number of job vacancies ranges from 100,000 to 350,000, with as many as 45,000 positions in California.

Ashton Mozano, a cybersecurity professor at the University of San Diego, says there are thousands of $80,000 entry-level jobs available to applicants who have nothing more than an undergraduate degree in computer science or computer engineering.

Analysts are trying to nail down the actual number of openings. But the shortfall is real.


A lot of the blame has been placed on academia for failing to train large numbers of students with targeted skills. Industry and government officials also are being criticized for failing to define their needs more clearly — a key component for helping colleges solve the labor shortage.

Several vocational schools, such as Hack Reactor and General Assembly, have popped up in Los Angeles in recent years to train people for variety of computer programming jobs, and they teach skills that would be beneficial in cybersecurity. UCLA Extension, USC, Cal State Fullerton, Cal State San Bernardino and Loyola Law School, among others, have cybersecurity programs.

The University of San Diego works closely with Circadence Corp., a San Diego company led by Mozano that specializes in the “gamification” of cybersecurity training. Students are exposed to high-resolution videos and graphics that give them a sense of what a real “hack attack” is like. They also use the immersive software to learn how to spot and prevent digital assaults.

Mozano is trying to change the way that students are taught in hopes of drawing larger numbers of people into the field quickly. “Certain academic fields in mathematics and engineering are infamous for presenting material in drab, monotonic, esoteric, non-interactive manners,” he said.


To make matters worse, cybersecurity suffers from an image problem.

The field pays well, but many computer science students would rather create new products and technologies for Apple or Google.

“Computer science is sexy. Cyber isn’t,” said P.K. Agarwal, regional dean of Northeastern University’s Silicon Valley campuses, which teach cybersecurity. The field offers high-stress jobs “where you can get fired if things go wrong, and no one pats you on the back if there were no problems overnight,” he added.

Analysts said the industry needs to jazz things up and highlight job opportunities.


Meanwhile, the staffing shortage is serious enough that “the president should … train 100,000 new cybersecurity practitioners by 2020,” the Commission on Enhancing National Cybersecurity said Dec. 1.

The shortage also means “you’ll see more things like the Tesco attack, which targeted bank accounts [in England], and a greater risk to healthcare records and everyday devices like your phone,” said John Callahan, director of cybersecurity programs at the University of San Diego. “In the digital age, this is potentially the greatest period of risk that consumers have ever faced.”

There’s special concern about ransomware, a type of malicious software that hackers can use to remotely take control of computers, including those in automobiles. In most cases, victims have paid money — sometimes tens of thousands of dollars — to regain control. For example, hackers carried out such an attack against Hollywood Presbyterian Medical Center last year, leading the hospital to pay $17,000 in ransom.

The U.S. Justice Department estimates that there are about 4,000 attempted ransomware attacks each day against individuals, companies and the government, and that many of them are successful.


“Based on FBI statistics, bank robbery in the U.S. is a $40-million-a-year problem, whereas cybercriminals using ransomware are making over $200 million per quarter,” said Stephen Cobb, a senior researcher at digital security company ESET.

The federal government and the military began to significantly ramp up their efforts to fight cyberattacks about a decade ago. Security firms and a wide range of companies did the same.

Analysts said most cyberattacks, including some pretty sophisticated ones, are blocked or minimized. But hackers have quickly adapted to methods designed to stop them.

Hackers have stolen data from the Democratic National Committee and Hillary Clinton’s presidential campaign. Earlier this year, hackers stole digital spying tools thought to belong to the National Security Agency.


In late November, a hacker disabled the fare system for the San Francisco Municipal Transportation Agency, forcing it to give free rides until proper operations were restored.

Experts said these kinds of intrusions underscore the need to develop a huge professional class of cyber professionals — and to market the field as a noble and dynamic domain where well-regarded, highly valued specialists defend precious assets and protect the public’s safety.

Northeastern University’s Agarwal says there are about 100,000 of these unfilled jobs nationwide. Peninsula Press, a journalism program at Stanford University, puts the figure at 209,000. Cyber Seek, an industry-government coalition, said it could be about 350,000 when including positions that require at least some cyber abilities.

The jobs include security analysts, network engineers, software developers and risk managers. Some lower-level positions pay as much as $70,000 a year. Management positions can top $235,000.


Technical know-how is important for job candidates, but other qualities are prized too.

“There is a desperate need for technologists who can speak at both the engineering and board levels — candidates who can understand technology and yet speak to the business case for security,” said Kirsten Bay, chief executive of Cyber AdAPT in Half Moon Bay, south of San Francisco.

“The best cybersecurity professionals think like criminals,” said Domini Clark, an Idaho-based recruiter at the recruiting company Decision Toolbox. “The joke in the industry is that superstars have an ‘evil bit’ in the code of their personalities. They know better than to have a high-profile online presence. ‘Paranoid’ is too strong a word, but they tend to be hyper-cautious and some take pride in operating in ‘stealth mode.’ ”

gary.robbins@sduniontribune.com