Training the next generation of cybersecurity experts to close the crisis gap – TechRepublic

The biggest threat to cybersecurity departments could be the lack of qualified employees, leaving companies vulnerable.
The cybersecurity sector faces a severe crisis: a lack of qualified workers. In June 2022, Fortune reported that companies are desperate for cybersecurity workers. Cyber Seek lists more than 714,000 open cybersecurity jobs. And the demand for cybersecurity experts is expected to increase.
The U.S. Bureau of Labor Statistics says it will rise by 33% from 2020 to 2030, much faster than the average for all occupations. Cybersecurity Ventures says the situation is part of a trend that began in 2013. Since then, the number of unfilled cybersecurity jobs has risen by 350%.
For companies that are looking to hire cybersecurity professionals, TechRepublic Premium offers a hiring kit for cybersecurity engineers.
The crisis affects all sectors. In November 2021, the U.S. government, through the Department of Homeland Security (DHS), launched the Cybersecurity Talent Management System (CTMS). CTMS is designed to recruit, develop and retain cybersecurity professionals by streamlining hiring processes and offering competitive compensation and career development opportunities. The business sector is also working to close the gap, with companies like Cyber Talent Institute, SANS Institute, Cybint and others emerging to respond to the crisis. In contrast, some companies like Deloitte offer in-house cybersecurity training and skilling.
An increasingly challenging cybersecurity environment, workers’ burnout, the increase of cyberattacks, lack of diversity and the long years it takes to train an expert are reported as the drivers of the crisis. However, some of these factors may be a matter of perception.
To understand the challenges, TechRepublic spoke to Ning Wang, CEO of Offensive Security.
“Like many fields, it takes several years to become a cybersecurity expert. However, there are many roles in cybersecurity at an entry or intermediate level which don’t require two-to-four years of training,” Wang said. Examples include security operations center (SOC) analysts, who work with a team to monitor and counteract threats, and incident responders, who create security plans, policies and protocols. On the other hand, other jobs like penetration tester, a role that simulates cyberattacks and searches for vulnerabilities and bugs, require longer skilling times, and experience is often required.
Wang says that skill is a matter of perception, and the time it takes for a person to become an expert varies from case to case. “I have come across some incredibly committed and motivated people who have been able to earn our Offensive Security Certified Professional (OSCP) certification and get a penetration tester job in about a year,” Wang added.
Her advice? Know what to study, how to learn, be dedicated, find mentors and help when needed to achieve the goals. Wang also advises companies to find the right people to train and provide them with quality learning materials explicitly designed for their learning paths.
“Everyone learns by applying and doing, not just by watching and listening, so hands-on learning is critical for cybersecurity training. A training program that recognizes and incorporates these elements will achieve faster and better results, thus accelerating the training process,” Wang said.
Good cybersecurity experts develop hypothesis-driven problem-solving capabilities, figure out what to do when they are stuck, and learn how to get something done with limited time or resources.
Another factor that has been reported to be driving the job demand crisis is the lack of interest of new generations in cybersecurity. In 2018, a report found that only 9% of Millennials are interested in a cybersecurity career. Wang believes that this is another misperception. She says new generations are interested but they learn differently.
“The way this generation learns is different. Attention spans are shorter, and the need for instant gratification is much greater,” Wang said. She also noted that training modalities need to change to be effective for new generations who prefer video over text and short content versus long content.
“We need to create shorter training modules in the mediums the new generations prefer and develop atomic learning units that provide instant feedback,” Wang said. She calls for streaming technology to help students understand how to hack and for education to adapt to the irreversible new learning preferences.
As Deloitte reports, companies are turning to AI, machine learning and automated security solutions as force multipliers. New automated security technologies are being used to monitor, scan and respond to attacks affecting an ever-expanding digital attack surface. These technologies have been praised as a solution to the chronic shortage of cybersecurity talent. As organizations leverage automated security technology and attacks evolve and increase, Wang says the approach might not be entirely on the right track.
“I think it is great that companies are developing automated tools to identify vulnerabilities and flag suspicious activities. However, I don’t believe these automated tools can close the unmet gap due to lack of security experts, because an algorithm can’t think critically like a hacker or a human being does,” Wang explained.
Machine learning models might be able to detect suspicious logins and activities, but these applications are built on existing data. As attacks and vulnerabilities evolve, they present new data that is not factored into the AI applications. This is known as drift in a machine learning model. “No matter how we automate, these tools help us identify known vulnerabilities, but they cannot help us identify the new types of vulnerabilities,” Wang explained.
Further, the large majority of attacks are not breaching systems with advanced coding or forcing their way through highly guarded security systems. Cybercriminals have become experts in human nature. They are constantly finding new ways to trick workers into responding to an email, clicking on a link or downloading malware. Experts say that companies need to strengthen the human element of cybersecurity if they are to make their operations more secure.
“We need real people who are as talented as the cybercriminals, who can think like hackers, to identify these new risks to improve and train our AI and ML tools,” Wang said.
Leading cybersecurity organizations have come to terms with the reality and many are fighting fire with fire. Ethical hackers, bounty programs, and a hacker mindset approach are proving to be a practical offensive strategy against modern-day attacks, as TechRepublic recently reported.
“Essentially, the best way to defend is to know really well how you can get attacked. Developing the hacker mindset is essential to succeed in the cybersecurity industry. You cannot do this job simply by following a to-do list and ticking off a set of tasks,” Wang added.
Despite significant investments in cybersecurity solutions, the number of attacks is not declining. Organizations building security teams are still struggling to find talent that responds to cybercriminals’ elasticity, adaptability, resilience, and relentless techniques. So what should companies look for when hiring cybersecurity talent?
Wang says that security experts need to be critical thinkers and creative problem solvers with the tenacity not to give up easily. They must have the patience to study and observe, and must feel comfortable figuring things out by trial and error. These more innate aptitudes are much more complex to teach than the IT skills needed for cybersecurity.
According to Wang, managers should look for six attributes when hiring for aptitude:
It’s important for businesses and hiring managers to remember that very few candidates will tick every box—that’s why it’s important to hire for potential. “There’s also something greatly rewarding about recognizing talent and nurturing it through training. Those with aptitude will blossom quickly and the business training them will be rewarded handsomely,” Wang said.
TechRepublic Premium’s cybersecurity engineer hiring kit eliminates some of the guesswork in getting the recruitment process started. It includes a job description, salary ranges, interview questions and more.