Developing Strong Cybersecurity Workforce Skills
Shortage of Skills
Demand for cybersecurity skills has grown steeply in recent years. According to a report by New America (1), in 2015 the global shortage of resources was forecast to be 1.5M by 2020. However, according to a recent article published by Infosecurity Magazine (2), that number has climbed to 4M – exceeding estimates by greater than 260%.
According to the same report, from late 2019, the U.S. has an estimated workforce of around 805,000 cybersecurity professionals, and in North America there are approximately 561,000 unfilled positions. Globally, the numbers are even more staggering. 65% of surveyed organizations are struggling with a shortage of skilled cybersecurity staff.
As pointed out in a Forbes Insights (3) report, organizations are trapped in an arms race, where threats are outpacing their ability to maintain a strong cybersecurity workforce. The pain of not having the right type and quantity of skilled resources is glaringly obvious across nearly all industries. All these reports share a common theme: one of the key solutions to this overwhelming shortage is to increase the knowledge and skills of an organization’s existing staff. The fastest way for a company to develop a strong cybersecurity workforce that is tailored to its business needs is to develop it from within.
Based on the Forbes study, Forbes Insights (4) describes several benefits of training existing staff, as opposed to hiring new employees. Some of those benefits include:
- Staff already understand the business and its needs
- Employees are already integrated within the business teams, departments, and culture
- Staff have an existing stake in the organization’s safety and success
- Saving money by training against a known, or at least familiar, business threat landscape
- Saving time by not having to search for, onboard, and indoctrinate from an already limited external talent pool
Compounding the effects of this large resource shortage, general cybersecurity knowledge across the entire workforce is also an ongoing challenge. As Forbes (4) points out, over a third of cyber threats originate from inside an organization due to negligence or ignorance. This results in a resounding call from CISOs to increase the cybersecurity knowledge of an organization's workforce. Untrained or unaware staff can pose serious threats, such as:
- Poor personal cybersecurity hygiene, leaving them exposed outside of the office
- Poor PIN, password, and authentication practices
- Presumed trust on public Wi-Fi, which is highly susceptible to interception
- Inability to identify phishing, smishing, vishing, and other social engineering attacks
- Using business resources for personal activities (e.g. e-mail, shopping, games, etc.)
- Presumed security through obscurity
- Ignorance of best business security practices
- Poor adoption of security practice because of perceived complexity / burden
The good news is that today there are sophisticated online platforms that can deliver specialized cybersecurity and IT training.
Developing a Next Generation Cybersecurity Workforce
Developing a cybersecurity workforce that gets ahead in the cyber arms race starts with the business understanding its needs. There are several resources available to help organizations assess and define their needs and help structure the development of their workforce.
The National Initiative for Cybersecurity Careers and Studies (NICCS), managed by the Department of Homeland Security (DHS), publishes a wealth of material (5) on cyber education and training. Some examples include the following whitepapers sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) and authored by Carnegie Mellon University (CMU) Software Engineering Institute (SEI):
- Cybersecurity Careers of the Future
- Cybersecurity Talent Identification and Assessment
- Cybersecurity Career Paths and Progression
The National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (6) is based on NIST Special Publication 800-181. It is a standardized taxonomy and lexicon for cybersecurity jobs and roles. The NICE Framework is intended for public, private, and academic sectors, and it defines the following components of the cybersecurity skill set:
- Collect & Operate
- Operate & Maintain
- Oversee & Govern
- Protect & Defend
- Securely Provision
U.S. DoD Directive 8140.01 (7), the Cyberspace Workforce Management directive, provides guidance and procedures for all government and contractor workers who perform Information Assurance related job functions. It unifies the overall cyber workforce and establishes specific workforce elements (cyber effects, cybersecurity, cyber information technology (IT), and intelligence (cyber)) to align, manage and standardize cyberspace work roles, baseline qualifications, and training requirements.
So, how can a business leverage these resources to develop and mature its own cybersecurity workforce? The answer is comprehensive training. These guides and frameworks help to define the courses and certifications that an organization’s workforce needs to be successful.
Developing the Right Skills
With the overwhelming demand for more cybersecurity workers and the benefits of training in-house to meet this need, there has been a flood of online training options emerging in recent years. Businesses are now met with the challenge of choosing an option that fits their needs. Finding the right fit that offers high-quality content and curriculum is not easy. Some key requirements to look for in a curriculum are:
- Comprehensive training on fundamental cybersecurity skills
- Training tracks that lead to cybersecurity certifications
- Courses with credits that qualify as Continuing Education Units (CEUs) towards certification maintenance
- Individualized course tracks that align to each of the NICE framework skill sets
- Specialized training in state-of-the-art cybersecurity tools and current tactics
Cybrary for Teams offers an extensive training library for developing cybersecurity skills that both follows the NIST/NICE framework and meets the above requirements. For example, Cybrary has comprehensive cybersecurity curricula for developing the skill sets of team members across all experience levels:
- Security Operations Center Analysts (Level 1)
- System Administrator
- Network Engineer
- Penetration Tester
- Incident Handler
- Security Operations Center Analysts (Level 2)
- Azure Cloud Engineer
- Cybersecurity Engineers
- Chief Information Security Officer (CISO)
For more information on Cybrary for Teams and the impact its skills training can have on your business’s workforce, request a free demo today.
1. https://www.newamerica.org/cybersecurity-initiative/reports/cybersecurity-workforce-development/section-one-what-are-cybersecurity-jobs/
2. https://www.infosecurity-magazine.com/news/cybersecurity-skills-shortage-tops/
3. https://www.forbes.com/forbes-insights/our-work/making-tough-choices/
4. https://www.forbes.com/sites/insights-fortinet/2019/08/27/the-importance-of-training-cybersecurity-awareness-as-a-firewall/#563aa1b48b4b
5. https://niccs.us-cert.gov/workforce-development/cybersecurity-resources
6. https://www.nist.gov/itl/applied-cybersecurity/nice/nice-cybersecurity-workforce-framework-resource-center
7. https://public.cyber.mil/cw/cwmp/documents-library/