"We tend to focus on the shiny technology when, in fact, actually, humans are the weak link in cybersecurity."
-- Michael Daniel, cybersecurity coordinator, Executive Office of the President
As a nation, the US will be recognizing cybersecurity awareness throughout the month of October. The Department of Homeland Security and likely every vendor that sells cybersecurity products or services will be sounding the 'awareness alarm', offering tips and tricks for users in an effort to promote safer online practices and better cyber hygiene.
But for those of us in the cybersecurity profession, awareness should not stop at educating users. As leaders in our field, the term must invoke a determination to address a workforce in crisis.
No one can truly understand what we are facing as a profession unless they are actually in the profession. Security managers are struggling to find qualified staff to run the security operations center; system administrators are bustling to keep pace with patching demands; incident responders are trying to catch a breath in between back-to-back breach timelines.
In recent years, it has been said that we are suffering from a 'human capital crisis,' a term recognized by both lawmakers and leaders in the public and private sectors. The very core of this crisis is characterized by a widening gap between supply and demand for workers. The (ISC)² 2015 Global Information Security Workforce Study (GISWS) forecasts that this workforce gap will only continue to widen and will reach 1.5 million professionals worldwide by 2020 due to the insufficient pool of qualified candidates.
Among U.S. federal government GISWS survey respondents, 60% said that they do not have enough personnel to meet the demands of their mission, and that this is one of the key factors working against them. While both public and private sectors have dedicated significant resources to programs in an effort to fix this problem, we have found no silver bullets. As it goes, practitioners in this field are working in an environment with the odds stacked against them – and with very little relief in sight.
During the month of October, I would like to challenge those in our field to promote a different type of awareness. My challenge is for us to pull together and inspire whomever we come in contact with to consider a career in cybersecurity.
The impact of growing the cybersecurity workforce with trained and skilled personnel will be far reaching, and will ultimately benefit the users at the central focus of this month’s National Cyber Security Awareness Month activities.
How can we promote such awareness? I, for one, intend to promote careers in cybersecurity whenever I get the chance to address students and their parents, such as later this month when speaking to MITRE employees as part of (ISC)² Foundation’s Safe and Secure Online program. Here are some suggestions for my cybersecurity colleagues and others as you go about your day-to-day activities during the month of October:
- Look for opportunities to speak with children about cybersecurity. Check out your neighborhood school’s calendar of events to identify career days and rally your colleagues to get involved.
- Educate yourself on the many scholarship opportunities for those seeking careers in this field and encourage students entering college to apply.
- Know a veteran who is transitioning to civilian life? Provide him/her with information about the many programs that assist with cybersecurity career training and support.
- Your friends who are either unhappy in their current role or temporarily out of a job might see cybersecurity as a chance to transition onto a rewarding career path. Not sure how to get them started? Find an (ISC)² member or contact us directly.
- Are you a member of (ISC)²? If so, you can volunteer to teach parents, children, teachers and seniors about online safety through the (ISC)² Foundation’s Safe and Secure Online program, which also offers an opportunity to pique student interest in a cybersecurity career at a young age.
- Feed a student’s interest in cybersecurity by guiding them to one of the many cyber camps, challenges and competitions within our community.
Certainly, the goal of cybersecurity awareness is to inspire users to maintain a daily regimen of sound cyber practices. Let’s not stop at 'shiny technology'. Instead, let’s get the message out that fortifying the workforce is essential in establishing and maintaining a safe and secure cyber world.
Dan Waddell, CISSP, CAP, PMP, (ISC)² managing director, North America Region and director of U.S. Government Affairs, was lead author of this peer-reviewed post.