Written by Simone Petrella
The cybersecurity workforce finally got a seat at the table…but it still needs a voice.
Last week, cybersecurity workforce issues officially got a seat at the White House table. It’s welcome and a long time coming, but it didn’t have a real voice in the conversation. Why do I say this? Because it’s one thing to have the conversation and an entirely different one to identify actionable steps that move that conversation forward.
One thing I noticed immediately was the dearth of cybersecurity workforce organizations and expertise. NIST was called upon to create new standards to improve security in supply chains but the government’s own National Initiative for Cybersecurity Education (NICE), which falls under NIST, was seemingly absent from the discussions. Having worked in the cybersecurity training and education space myself for the last six years, I was also surprised to see none of the major players or even competitors we often encounter at the table either.
Private sector and education leaders came out of the meeting with a series of commitments around tackling the cyber talent gap, from large-scale commitments to train in-house corporately to integrating cybersecurity concepts into K-12 classrooms. These are important initiatives, but I encourage those of us in the industry, and those in a position to effect real policy change, to ask the following questions when looking at some of these commitments:
1. Large-scale corporate commitments to train six figures’ worth of people in cybersecurity.
One of the problems that have plagued the industry since I first entered the field in 2006 has been a lack of available talent, both in candidates as well as existing professionals. If companies are going to commit to training 150,000 people over the next three years, how are we going to identify these large pools of talent to train? Who will be responsible for identifying and sourcing these groups?
2. Corporate partnerships with non-profits and higher education institutions.
There are some incredible non-profits and universities focusing on cybersecurity training initiatives. We work with some of them. However, the reality is that these initiatives are a patchwork of small-scale efforts that do not produce the numbers of qualified cybersecurity talent required to fill the gap of almost 500,000. We need to ask: what about these recommitments to partnerships will make them different this go-around? How can we incentivize both the private sector and the organizations they partner with to truly invest the [significant] dollars and time required to develop effective cybersecurity professionals?
3. Community College and Higher Education Institutional Commitments to provide credentials and career-ready curriculum.
Again, the key here is to look at how this conversation can lead to measurable success at the scale needed to claim improvement. Community colleges can absolutely be a good pipeline for increased talent pools and diversity, but how do we create a standard that is consistent across the fragmented nature of our education system that reliably churns out a job-ready cyber workforce? For those programs’ commitments to making training available en masse to millions of workers, I pose the same question as above: how are we going to identify those workers? And perhaps most importantly, how do we measure the efficacy of these training programs and evaluate if those that go through them ultimately have the skills and competencies required for specific cyber work or roles?
In order to answer these key questions, I hope the White House brings to the table the players, like NICE, N2K, CompTIA, ISC(2), SANS, Carnegie Institute, Aspen Institute, and others, that have been grappling with these issues full time and have done some tremendous work in trying to move the needle forward on increasing cybersecurity talent in our existing workforce as well as creating a new pipeline of talent for our future.