CYBRARY RESEARCH STUDY
Hybrid Skills in Cybersecurity: Educating the Workforce to Advance the Evolution of Future Roles
Philip H. Kulp | Nikki E. Robinson | Travis D. Howard
Cybrary Fellowship Research, August 2020
Cybersecurity roles are transitioning to hybrid jobs composed of technical and soft skills that require practitioners to integrate varying competencies. Practitioners must understand that learning is a journey and not a goal because technology changes so rapidly that new skills must be continuously acquired. The purpose of this study was to survey Cybersecurity and Non-cyber IT professionals to identify the awareness and practice of Hybrid Skills. The analysis of the data focused on understanding whether Cybersecurity professionals are currently practicing Hybrid Skills and on identifying the source of learning. 85% of the participants responded that they relied on self-study to learn new skills, while only 30% of the participants identified a university as the source of continuing knowledge.
The survey collected data from Cybersecurity and Non-cyber IT professionals to compare responses and identify differences across the industries. The survey responses for respondents’ understanding of Hybrid Skills needed for their jobs suggest that Cybersecurity respondents outperform the Non-cyber IT respondents. The respondents were then asked if they review job postings to identify trends in their roles. The results again favored the Cybersecurity respondents. Finally, the responses from Cyber and Non-cyber IT professionals were compared to examine the active implementation of Hybrid Skills in their current roles.
High-level observations from the survey:
The survey proved to be an overwhelming success with over 1800 people responding from the Cybersecurity and Non-cyber IT roles. Participants reported their age, gender, and the highest level of education achieved. Respondents to the survey also self-reported the title of their current position.
Practitioners must understand that learning is a journey and not a goal because technology changes so rapidly that new skills must be continuously acquired. Automation has been predicted to replace jobs for many years; instead, robots replace tasks and not whole jobs. Workers must contend with multiple factors over a career which could detract from their marketability. Employers must understand that job seekers may also desire careers that are not only challenging but also fulfilling. New professionals entering the workforce are not always looking for the highest paying job; a meaningful job is still attractive. Taking into account the broad aspects of a lifetime of learning, Cybersecurity professionals must create a plan to stay relevant in the job market by monitoring trends and adapting to changes while following a meaningful career path.
A combined MITx and HarvardX report on edX identified 66% of registrants as having at least a bachelor’s degree. The demographic information portends workers’ understanding of the need for further training in specific topics after graduating from a traditional institution. Coding bootcamps and other modular learning opportunities can be leveraged to gain particular skills needed to enhance a career or maintain an existing role. Other forms of modular learning are accessible through Massive Open Online Courses (MOOC) and online learning platforms such as Cybrary. Self-styled learning requires organizational skills and learning from mostly asynchronous material, which may not suit every student. Students must also discover the best methods they need for learning. Students must select the training which will provide a benefit to their current role or position them to meet the requirements of a future job.
UC Berkeley described data science as the “biggest minor” in the near future, which will prepare students for performing work in other areas of their careers. IT and Cybersecurity roles will require the ability to make sense of data for the business. These jobs will also require the ability to communicate with managers, team members, and engineers on other teams. The jobs of the future will require Hybrid Skills composed of not only hard skills such as data science and statistics, but soft skills such as relationship building, collaboration, and emotional intelligence. The soft and hard skills used in the survey questions were based in part on top competencies Google looks for in candidates. While some jobs may benefit from Hybrid Skills, others may cross functional boundaries and be composed of skills from diverse fields.
The National Initiative on Cybersecurity Education (NICE) framework created a taxonomy of the terms related to the cybersecurity workforce. While NICE attempted to create a clear distinction among cybersecurity fields, some hybrid jobs already exist, with combined Cybersecurity and Non-cyber IT roles. For example, a cybersecurity legal counsel, privacy compliance officer, or cyber threat intelligence linguist bridges the divide between the law and cybersecurity. As the company’s intellectual property and business function become tied to data, cybersecurity awareness will permeate into every role in the organization; cybersecurity hybrid jobs may become the norm.
Survey respondents answered questions on a scale from 1 to 5. An answer of 1 represented Strongly Disagree, and a 5 Strongly Agree. An answer of 3 was a neutral response. The answers were grouped by the respondent’s current role for comparison. Questions asked if respondents understood Hybrid Skills and then proceeded with specific examples.
The first question was general to see how respondents self-reported. The responses were compared to actual Hybrid Skills to identify the difference between perception and reality.
Cybersecurity respondents reported an average response of 4.2. Non-cyber IT respondents reported an average of 3.9.
The next question was more specific to understand how people discover the Hybrid Job skills they should be learning.
Cybersecurity respondents reported an average response of 3.9. Non-cyber IT respondents reported an average of 3.5.
A difference between the perceived understanding of Hybrid Skills and the discovery already appeared.
Cybersecurity respondents reported an average response of 3.8. Non-cyber IT respondents reported an average of 3.6.
A further divergence was identified between perceived understanding of hybrid skills and the application of Hybrid Skills in their current role.
The responses to the survey were evaluated according to two major themes to determine if a gap exists between the perception that Cybersecurity professionals understand Hybrid Skills and if they are practicing them:
The responses were compared between Cybersecurity and Non-cyber IT respondents. The comparison is needed to determine if Cybersecurity professionals are maintaining the skills required to compete in the current and future marketplace. During the compilation of the data, some interesting trends emerged regarding education levels, so further analysis was performed.
Two survey questions were used to measure the understanding of Hybrid Skills. The first question asked respondents, “I understand the hybrid skills needed to maintain my marketability (skills which are not core to my job).” The second was indirect and asked respondents how they actively tracked job trends with the following question, “I review job openings to look for trends in the market.” The table below includes the average responses to each question and the combined average per reported role.
For both questions, the Chi-square test of homogeneity was used to determine if an equal distribution across the sample could be identified. Cybersecurity professionals exceeded the critical value of both tests, which suggests that the responses comparing Cybersecurity and Non-cyber IT were not evenly distributed. Cybersecurity professionals overperformed the expected rate of self-reported knowledge of the Hybrid Skills needed to maintain marketability by 4.8%. Cybersecurity professionals overperformed the predicted rate by 7.8% when answering the question that they review jobs to understand trends in the market. While the responses to these questions point to encouraging signs for Cybersecurity professionals, the researcher performed additional analysis of the responses.
The responses were separated for each reported role, and the average was calculated. Data Scientists responded with the highest rates, followed by Cybersecurity professionals. An interesting observation was the low ranking for Executives. Upon further review, the data seems to make sense since Executives tend to stay in positions longer than IT professionals, so they would not be searching for job postings. Data Scientists had the highest response values, which is of interest since they also had the highest rate for Hybrid Skills in practice.
Nine questions in the survey were used to assess Cybersecurity professionals’ practice of Hybrid Skills compared to all other professionals in the IT industry. Some of the questions were related to technical skills such as the use of statistics, Data Science, ML, or AI. Other questions related to soft skills such as team collaboration, artistic, social, and emotional intelligence. The table below includes the averaged responses to each question and the combined average per reported role.
For the nine questions regarding the practice of Hybrid Skills, the same Chi-square test was used to determine if an equal distribution across the sample could be identified. Cybersecurity professionals exceeded the critical value of the test, which suggests that the responses comparing Cybersecurity and Non-cyber IT were not evenly distributed. The Cybersecurity professionals exceeded the expected value of the responses as compared to Non-cyber IT professionals.
“What resources do you use to acquire new skills?”
Across all industries, 85% selected self-study, 48% selected MOOC, and 62% selected certifications. Only 30% selected universities. These results do not discount the value of higher education since universities build the foundation and structure for a lifetime of learning. The respondents’ high rate of self-study suggests they understand traditional education is not the end of the experience, and continuous knowledge is a requirement.
Cybersecurity and Non-cyber IT professionals chose ‘None’ and ‘MOOC’ at approximately the same rate. ‘Self-study’ was chosen at similar rates, with Cybersecurity at 89% and Non-cyber IT at 85%. The two groups diverged further when selecting certifications, with Cybersecurity responding at 75% and Non-cyber IT at 57%. Some differences were observed in the response for ‘University’, with Cybersecurity selecting the response at 35% and Non-cyber IT at 29%.
The differences between the two groups may be associated with the entrance requirements into the field, either realistic or perceived. The question “How can I break into the cybersecurity field,” is encountered continuously by those already in cybersecurity. Cybersecurity professionals do not always point to universities as their source of knowledge for their job, but they responded with higher rates than the Non-cyber IT respondents. With the high response rates of 89% and 75% for self-study and certifications, respectively, cybersecurity professionals appear to understand the need for continuous learning. The need for self-study and attaining certifications may also affect the responses by Cybersecurity professionals to the question regarding how a newcomer can break into the industry.
After analyzing the results of learning resources, the demographic data for education was re-visited and divided by the job role to review the differences between Cybersecurity and Non-cyber respondents.
Dr. Philip Kulp is a Cybrary Fellow and content creator on the Cybrary platform. He has been consulting in cybersecurity for over 20 years and performing other IT roles for over 25 years. In his current role as a cybersecurity architect and incident responder, he combines his passion for IT and cybersecurity to develop realistic approaches to secure the enterprise. He also serves as a secure code reviewer, independent assessor, and webapp tester. Dr. Kulp developed the NIST 800-53 and DevSecOps Fundamentals courses for Cybrary and is actively working on other classes to deliver content for the cyber community. Philip seeks opportunities to balance his cybersecurity skills between academic, technical, and compliance roles. He holds the CISSP certification and two Offensive Security certifications, OSCP and OSCE. In his educational capacity, Philip serves as a chair, committee member, and mentor for doctoral students in the Ph.D. and D.Sc. programs at Capitol Technology. He also serves as an adjunct professor at Drexel University. Dr. Kulp has authored research papers on medical drone security, graphing website relationships to predict website security, and the current topic of Hybrid Skills in the cybersecurity community.
Bentley University. 2016. 2016 Year of the ‘Hybrid Job’.
Joyce, L. 2020. Data Science: A 21st Century Job Skill for Every Discipline.
Bate, L. 2018. Cybersecurity Workforce Development: A Primer.
National Institute of Standards and Technology. National Initiative for Cybersecurity Education (NICE).
The Economist. 2017. Lifelong Learning is Becoming an Economic Imperative.
Elmore, T. 2018. The Seven Top Skills Google Now Looks for in Graduates.
Ho, A.D., Reich, J., Nesterko, S.O., Seaton, D.T., Mullaney, T., Waldo, J., Chuang, I. 2014. HarvardX and MITx: The First Year of Open Online Courses, Fall 2012-Summer 2013. SSRN Journal.