Lucrative jobs in cybersecurity are booming, yet companies still struggle to find IT professionals with the necessary skillset. The cybersecurity field is experiencing a huge shortage, with job postings in the profession increasing 74% over the past five years. A Cisco report estimates that there are currently 1 million unfilled cybersecurity jobs worldwide. To fill the gap, some community colleges and universities are enhancing their computer science offerings to include a cybersecurity focus.
A September 2016 Modis survey found that of 500 technology leaders, 22% said security and infrastructure skills were the most difficult to find in job candidates. And 40% of CXOs surveyed said external threats were their company's largest security worry.
"Cybersecurity is a relatively new field compared to other computer sciences, so the lack of awareness is definitely one part of the problem," said Lauren Heyndrickx, senior director of security at JCPenney.
Misconceptions about what a cybersecurity job actually entails are common, and might be part of the reason few women and minorities go into the field, Heyndrickx said. "It's more than just the pure technical aspects—it includes business, law, compliance, risk and other areas," she said. "The ultimate goal is to enable companies to do business in a secure way, which is much more than installing and configuring security systems."
Enrollment in computer science programs has increased tremendously in the past couple years, according to Rachel Greenstadt, associate professor of computer science at Drexel University in Philadelphia, who operates the Privacy, Security, and Automation Lab.
"The issue is more that security requires certain skillsets that haven't necessarily been a traditional focus of computer science programs," Greenstadt said. "We've seen industry and government increasingly interested in hiring people with this expertise. I think our students are interested, but there is some catch-up work to be done in terms of the orientation of programs across the country."
Tech leaders can play an important role in preparing current students for cybersecurity roles, Heyndrickx said. "As with all formal education programs, there's a risk of disconnect between theory and practice," she said. "A good collaboration between educational programs and business practice can help overcome that gap, for instance by providing internship opportunities, or advice colleges on relevant curriculum content."
Here is a look at three programs that have adapted to better prepare the cybersecurity experts of the next decade.
Computer science majors often graduate without any required courses in security, Greenstadt said. To address this deficiency, Drexel University rolled out a cybersecurity concentration last year. Students learn threat modeling, system security evaluation, cryptographic methods of protecting networks, and mitigation methods.
"Increasingly, understanding the environment that security exists in in terms of institutions, risk, economics, and psychology is very important," Greenstadt said. Drexel's security concentration includes a course called Security and Human Behavior, examining the economics of information security, usability issues, password policies, and organizational risk, which previously were not part of the traditional computer science curriculum.
"As we're seeing increasingly sophisticated threats, and interest among industries in making serious efforts to realize the benefits of information technology without exposing ourselves to risks, we need people that are trained in a much more rigorous way than has been done in the past," Greenstadt said. "Figuring out how to do this is going to require a collaboration between industry, government, and academia."
Once you go into the field, your education is never truly over, Greenstadt said. "In security, the field is so fast-paced that you have to be learning and constantly educating yourself," Greenstadt said. She recommends staying abreast of cybersecurity news, attending conferences, and keeping in touch with peers in the field.
Borough of Manhattan Community College
In August, Borough of Manhattan Community College (BMCC) in New York received a $770,000 grant from the National Science Foundation to create a cybersecurity concentration within the school's computer information systems and computer network technology associate degree programs. It will also allow the school to recruit high school students to the program. BMCC is one of four community colleges to receive the cybersecurity education grant.
More than two-thirds of BMCC students are black or Hispanic, and more than 60% are female.
"The most important aspect of this particular program is giving opportunities for underrepresented minorities and women to get into these careers," said Ahmet Kok, professor of computer information systems at BMCC and principal investigator of the grant project.
"There is a dearth of qualified technicians in the US that are capable of doing cybersecurity and meeting that demand," Kok said. "Offering students these highly-skilled programs is important for workforce development, and for students to have upward mobility."
The rise of the Internet of Things (IoT) means having trained cybersecurity professionals will be paramount for keeping companies safe, Kok said. "Everything is a computer these days with the Internet of Things," Kok said. "It's really important for people to understand that these devices have big implications for cybersecurity."
The concentration will involve 18 courses, half of which will be new. They include Ethical Hacking and System Defense, Network Forensics and Incident Response, and Mobile Computing.
"Cybersecurity is not something that is an entry level kind of technical career—in order for somebody to be a cybersecurity professional, they need to have other IT fundamentals under their belt," Kok said. "Our approach is creating a concentration that is a part of other degree programs, so these students not only get those fundamental facts under their belt, but can concentrate on security within those areas," he added.
Kok reached out to a number of companies and asked about their cybersecurity needs before designing the new concentration. One thing that surprised him was the desire to have someone not only with technical skills, but also people skills. In response, the school developed an advisory council to help students prepare for interviews and learn to dress for the workplace.
"People working in the tech industry now should be involved in the education of students in cybersecurity," Kok said. Tech leaders can play a leadership role, advising colleges as to what jobs are available, and what technical skills are required.
BMCC plans to start offering the concentration this spring.
University of Maryland University College
The University of Maryland University College began offering a single undergraduate program called Cybersecurity in 2010—the first of its kind in the nation, to the school's knowledge, according to S.K. Bhaskar, assistant dean of Computer Information Systems and Technology. It has since split into three different programs: Computer Network and Cybersecurity, Cybersecurity Management and Policy, and Software Development and Security, all of which have experienced consistent growth in the past few years.
"There are a lot of jobs in cybersecurity, but to get many of them, a degree in cybersecurity is just one thing you need," Bhaskar said. Many jobs require certifications, work experience, and sometimes security clearance, especially in the government sector.
The goal is to prepare and incentivize students to take IT certifications at the end of the program, Bhaskar said, such as Security Plus or Network Plus. The school offers to waive the fee for the certification exams, and allows students to take those exams in place of of a final test for the course.
Bhaskar expects to see more skilled job applicants in the future, as cybersecurity programs in colleges and universities grow. "The situation is getting better," Bhaskar said. "With all of the cybersecurity breaches constantly in the news, people are more aware, so programs like ours are raising the bar and constantly getting better."
UMUC also offers four graduate programs, in which most of the students have been in the IT field for a number of years.
Bhaskar said he believes cybersecurity education should start as early as high school. "If you're in the tech industry and not thinking about cybersecurity, that's a very grave mistake," Bhaskar said. "There isn't an aspect of modern living or occupations that doesn't involve computing in one way or another. No matter what profession you're engaged in, you need to be aware of cybersecurity."
The 3 big takeaways for TechRepublic readers
- As the number of jobs in cybersecurity outpaces the number of qualified applicants, some community college and universities are adding cybersecurity-focused programs to prepare the future workforce.
- Misconceptions that a cybersecurity job involves only technical aspects may be keeping women and minorities out of the field, some experts said.
- Tech leaders should partner with cybersecurity preparation programs to provide information on what skills their future employees will need, and offer updates from the front lines.
- What business leaders need to know about the state of cybersecurity (TechRepublic)
- Video: What the Secret Service can teach us about cybersecurity (ZDNet)
- 5 things we learned about the state of cybersecurity from Structure Security 2016 (TechRepublic)
- Cybersecurity predictions for 2016: How are they doing? (ZDNet)
- Cybersecurity: Understanding the attack kill chain and adversary ecosystem (TechRepublic)
Alison DeNisco Rayome is a Staff Writer for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.