What cybersecurity leaders say we can do now to advance the cybersecurity workforce
The cybersecurity talent shortage is no secret. Here are ways experts are working to fix it.
It’s a dream scenario for any senior cybersecurity leader: given $100 million tomorrow, what would you do?
Air Force Major General Christopher Weggeman didn’t hesitate.
Asked how he’d spend a sudden surge of new funds, the Air Force’s cyber commander told the Billington Cybersecurity Conference in Washington, D.C. last week that his request would be clear and direct: new talent and new training.
“The thing I need the most in terms of capacity is trained, ready manpower,” Weggeman said. “I need a persistent training environment … And I think this is really, really important because it’s said [that] the most critical element in cybersecurity operations isn’t silicon or copper — it’s carbon. It’s manpower.”
But just as clearly as Weggeman targeted cyber talent as his main need, many other Billington attendees pointed to the glaring deficiencies in cybersecurity talent, and then to clear paths toward fixing them.
Admiral Michael Rogers, commander of US Cyber Command, offered up a major idea around helping build a more robust cybersecurity workforce: training that doesn’t take limited talent away from the mission for six months or more at a time.
Rogers called out new training capabilities among three game-changers he’s looking for to advance the government’s cybersecurity mission.
“What are the capabilities that industry can help us with that will help us ensure an adaptive, learning workforce over time?” he asked.
In the private sector, industry experts agreed that developing more talent will move more quickly when industry leaders work together.
“We saw the issue a long time ago, that the workforce shortage is going to be a challenge,” said Diane Miller, Director, Global Cyber Education & Workforce Development Programs, Northrop Grumman Corporation.
Investing in academia, sponsoring youth cybersecurity competitions, and building broad job development programs are all admissions from cybersecurity firms that “we are all in this situation together,” Miller said. “There is no point in all of us fishing from the same pond.”
But making sure the pool of people coming into the industry is as diverse as the nation itself is something that also desperately needs work.
An industry bearing only slightly more than single-digit percentages of women and minorities is “broken,” said Bernard Skoch, national commissioner of the CyberPatriot National Youth Cyber Defense Competition.
“I am disturbed about the gender representation in cybersecurity. If you allow young women in high school to say ‘[Cybersecurity is] a guy thing,’ you’re broken. If you allow underrepresented minorities to say, ‘That’s not for me,’ that’s broken,” Skoch said. “The specific skill sets are important. What’s far more important is attracting the right population.”
The problem is partially one of numbers, Skoch and Miller agreed: you can’t leave more than 50 percent of the population out of the field and dream of having enough workers.
It’s also one of effectiveness, Miller said: people from a wide array of backgrounds make for more clever and nuanced solutions to problems, solutions that teams from any one discipline may never consider.
“Cyber problems are really complex. You’re not going to fix them alone in your basement on your computer: being able to fix them in a team is important,” Miller said. “A diversity of backgrounds, experiences … need to all come together and work together to resolve those kinds of problems. We cannot leave anyone behind.”
The fix? Get to students before they leave elementary school, Skoch said, eliminating barriers to entry from social pressure or personal perception later on.
Diverse backgrounds beyond technological chops are particularly important, said Gregory Touhill, the retired Air Force general and former Department of Homeland Security official recently named the nation’s first-ever chief information security officer (CISO).
What do top-flight cybersecurity players need? Touhill listed five “existential activities” alongside technical excellence: critical thinking, speaking foreign languages, talent in mathematics, communication skills, and training in logic and philosophy.
“The job you’re going to have five years from now hasn’t even been invented yet,” Touhill said. “It’s important for us to teach folks about the ‘why’ as it is to teach them about the ‘how.’”
Another key part of helping close the nation’s talent gap: don’t forget your strengths.
Those in government and those that support the nation’s cyber defenders would be wise to remember their “special gem,” as Weggeman called it: the mission.
“We develop a workforce that is passionate about our mission and our mission is our customers. People who are interested in supporting global security challenges ... are attracted to business like ours,” Northrop Grumman’s Miller said.
Leveraging those passions, Miller continued, means giving talented people opportunities for internal advancement such as research, rotations into different missions and the ability to compete, if anonymously, in global competitions.
Giving the nation’s best and brightest a path to bigger and better things within the mission of the federal government, then, remains a powerful tool toward closing the cybersecurity talent gap — and toward better cybersecurity for all.