The Cyber Gap Series — Part 6

Education Factor

As the previous articles have established, the question concerning the cybersecurity jobs gap is more than just numbers. It is more than demand simply exceeding supply. In reality, the employment disparity is a skills disparity; a disconnect between what the industry needs and what is available. With the history of the cybersecurity industry reaching as far back as the 1970’s, one would assume the rapid increase in market demand that was spurred by the events of 2007 and the post-9/11 world would be met with a reserve of qualified individuals awaiting for the opportunity to take advantage of a ripe jobs market. This, of course, has not been the case. The political and socioeconomic climate of the preceding decades was simply not conducive to the growth of such a reserve. Yet even more troubling is the intervening years have failed to close this gap. Even accounting for the multi-year delay caused by the short-term inflexibility that defines the technical jobs market, there appears to be no end in sight to the gap, nor even a shortening of the distance.

In order to understand why the intervening years have continued to see a steady increase in the number of unfilled jobs, we must now examine the influence the education pipeline, both traditional and alternative, has had on the market. There are two equally important aspects that must be examined: what the current educational pipeline teaches and why it fails to produce qualified individuals and the nature of the educational-industrial complex that may act as a barrier to improvement. Earlier in this series of articles, it was noted that roughly 82% of employers are keenly aware of the skills gap and 61% of organizations believe that less than half of all applicants are qualified. Furthermore, only about 23% of education programs in the United States fully prepare their students in the skills necessary to bypass the skills gap[1]. This shockingly low number of effective programs has led many employers (80%) to no longer consider possession of a four-year degree an affirmation of technical skill, instead they merely serve as a market signal of general competency[2][3]. With traditional academic institutions being the chief source of initial education,[4] why has its value depreciated in the eyes of current industry leaders?

Part of the reason lies in the content of these four-year degrees. Currently, such programs emphasize the policy and compliance aspect of cybersecurity with minimal focus on deep technical knowledge. Courses typically utilize a theoretical/book-based form of teaching, with practical, hands-on learning comprising a smaller portion of the curriculum. Because of this, many students lack an understanding of the fundamentals of computer and information security, requiring employers to provide on-the-job training to compensate[5]. The misalignment between curriculum and industry has a cascading effect, creating the manpower shortage that pervades the jobs market. This effect becomes especially obvious at the high end of the capability scale.[6]

One may now ask why the content of these degrees is so disconnected from the needs of the industry. This disconnect stems from the industries lack of universal standards.[7] Without universal standards, there cannot be a common skills baseline. Without this baseline, it becomes difficult to establish ideal career development paths, inhibiting specialization.[8] Without specialization, creation of a job market taxonomy will prove to be problematic. And if the industry cannot differentiate job responsibilities and the skills and knowledge required to fulfill them, the jobs market will struggle to fill vacancies with the right persons. Complicating the matter further is the relevancy of trade certifications and non-traditional forms of education such as self-tutelage.[9] There are those within the industry that believe centralization may be counterproductive and advocate against universalizing industry certifications and job taxonomy.[10]

Even within organizations that push for the creation of a unified, structured system within the industry indirectly contribute to the state of the educational pipeline. For instance, the National Centers for Academic Excellence, jointly sponsored by the NSA and DHS, certify schools capable of educating future cybersecurity personnel. The CAE uses two certifications, Cyber Defense (CD) and Cyber Operations (CO), to differentiate institutional capability. CAE-CD designated schools offer programs geared towards reducing the vulnerability of the nation’s information infrastructure. Conversely, schools that possess the CAE-CO designation offer deeply technical, interdisciplinary, higher educational programs firmly grounded in computer science, engineering, and electrical engineering disciplines. Schools with the CO-designation emphasize hands-on learning, relying on extensive use of labs and other practical exercises to simulate real-world needs.[11]

While both designations appear to be synergistic to one another, the reality is quite different. Of the two certifications, Cyber Operations is centered on instilling deep technical knowledge and understanding of the tools, tactics, and strategies required to defend against cyberattack. The skills taught through this program are the skills that industry leaders explicitly request their candidates be trained in. The CD certification lacks this focus. In fact, the Cyber Operations program was created in response to criticism concerning the Cyber Defense certifications lack of rigor and technical focus. Even worse, there have been recommendations dating as far back as 2012 to remove the CD certification and require all current CD-designated institutions to meet the CO requirements or be dropped from the CAE certification list.[12] To date, the CD certification is still used by the CAE. Bearing this in mind, the current number of institutions with the CD certification is 272. The number of institutions with the CO certification? 21.[13] How can this status quo be maintained for so long? To answer that question, we will look to the second part of the educational factor: the education-industrial complex.

The Education-Industrial Complex

To briefly summarize, the goal of the education-industrial complex is to shape state and federal educational policy in a way that maximizes private corporate profits.[14] The existence of this power dynamic has been suggested by research conducted over the Common Core debate.[15] Connections between government, not-for-profits, unions, and educational material supply corporations have been established that suggest this complex influences primary, secondary, and post-secondary education policies. The result of this dynamic effects both employees and employers. The obsession that exists within both the business and social spheres for traditional credentialing (ex. Bachelors/Masters) leads businesses to use the degree requirement as a standard applicant screen, leading to the rejection of an average of 6.2 million applications across all industries.[16] This creates a de facto state in which educational institutions are the gatekeepers to the “good jobs”.[17] Such an environment is believed to have been created because of the Bush Administration’s implementation of the Comprehensive National Cybersecurity Initiative in January of 2008.[18][19]

Economically speaking, businesses using the degree barrier must now pay more for marginally better performance from a smaller applicant pool.[20] The smaller applicant pool also contributes to the greater hiring costs, mentioned previously, as businesses must search for greater periods of time as the pool continues to shrink. These burdens are shouldered even when non-traditional educations may yield better results, considering the degree requirement may often be irrelevant or, as noted above, a poor indicator of future performance. In fact, a study that occurred over the course of 2013–2016 showed that roughly a third of seniors from 34 different schools, when administered the Collegiate Learning Assessment, were unable to make a cohesive argument, assess the quality of evidence in a document, or interpret data in a table.[21] With the continued privatization of accreditation, apprenticeships, self-learning, and other non-degree programs have also suffered, further consolidating traditional educations role in the jobs market.[22] Unfortunately, with the education-industrial complex being concerned with selling fads, products, and new theories, and reform of the system being less than politically expedient,[23][24] the likelihood of widespread institutional improvement seems tenuous.

Remediation

Now that we have examined the many factors that have contributed to the current cybersecurity jobs gap, the next step is to examine what steps have been recommended to reverse this trend. Not only will the policies of the educational, social, economic, and political spheres be examined, but the specific skills and knowledge the industry has, very vocally, requested. Once the most common policy recommendations have been examined and laid out in a cohesive manner, we will dive into the more granular aspect of improving cybersecurity education. Specific skills, tools, and even personality traits will be examined to fully explain exactly what the industry needs. As the industry is still struggling to adhere to a universal lexicon, the next series of articles will attempt to create a well-structured framework that will assist those looking to be, or already are, a part of the cybersecurity industry.

[1] Center for Strategic & International Studies. (2019). The Cybersecurity Workforce Gap. Center for Strategic & and International Studies. https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/190129_Crumpler_Cybersecurity_FINAL.pdf

[2] Center for Strategic & International Studies. (2019). The Cybersecurity Workforce Gap. Center for Strategic & and International Studies. https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/190129_Crumpler_Cybersecurity_FINAL.pdf

[3] Department of Homeland Security. (2017). A Report to the President on Supporting the Growth and Sustainment of the Nation’s Cybersecurity Workforce. NIST. https://www.nist.gov/system/files/documents/2018/07/24/eo_wf_report_to_potus.pdf

[4] McAfee. (2016). Hacking the Skills Shortage. https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hacking-skills-shortage.pdf

[5] Center for Strategic & International Studies. (2019). The Cybersecurity Workforce Gap. Center for Strategic & and International Studies. https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/190129_Crumpler_Cybersecurity_FINAL.pdf

[6] RAND Corporation. (2014). Hackers Wanted: An Examination of the Cybersecurity Labor Market (RR-430). https://www.rand.org/pubs/research_reports/RR430.html

[7] Center for Strategic & International Studies. (2019). The Cybersecurity Workforce Gap. Center for Strategic & and International Studies. https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/190129_Crumpler_Cybersecurity_FINAL.pdf

[8] Center for Strategic & International Studies. (2019). The Cybersecurity Workforce Gap. Center for Strategic & and International Studies. https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/190129_Crumpler_Cybersecurity_FINAL.pdf

[9] McAfee. (2016). Hacking the Skills Shortage. https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hacking-skills-shortage.pdf

[10] CSIS Commission on Cybersecurity for the 44th Presidency. (2010). A Human Capital Crisis in Cybersecurity: Technical Proficiency Matters. Center for Strategic & International Studies. https://csis-website-prod.s3.amazonaws.com/s3fs-public/legacy_files/files/publication/101111_Evans_HumanCapital_Web.pdf

[11] National Centers for Academic Excellence. (2020). National centers of academic excellence. National Security Agency. https://www.nsa.gov/resources/students-educators/centers-academic-excellence/

[12] Homeland Security Advisory Council. (2012). Homeland Security Advisory Council: CyberSkills Task Force Report Fall 2012 (Fall 2012). U.S. Department of Homeland Security. https://www.dhs.gov/sites/default/files/publications/HSAC%20CyberSkills%20Report%20-%20Final_0_0.pdf

[13] National Centers of Academic Excellence. (2020). CAE Fact Sheet. National Security Agency. https://www.nsa.gov/Portals/70/documents/resources/students-educators/centers-academic-excellence/Cyber%20Defense%20CAE%20Overview.pdf?ver=2019-06-04-150623-417

[14] Singer, A. (2012, April 16). Beware the education–industrial complex. LA Progressive. https://www.laprogressive.com/education-industrial-complex/

[15] Singer, A. (2012, April 16). Beware the education–industrial complex. LA Progressive. https://www.laprogressive.com/education-industrial-complex/

[16] Hess, F. M., & Addison, J. G. (2019). Busting the college-industrial complex. National Affairs. https://nationalaffairs.com/publications/detail/busting-the-college-industrial-complex

[17] Hess, F. M., & Addison, J. G. (2019). Busting the college-industrial complex. National Affairs. https://nationalaffairs.com/publications/detail/busting-the-college-industrial-complex

[18] Executive Office of the President of the United States. (2008). The Comprehensive National Cybersecurity Initiative (NSPD-54/HSPD-23). Federation of American Scientists. https://fas.org/irp/eprint/cnci.pdf

[19] RAND Corporation. (2014). Hackers Wanted: An Examination of the Cybersecurity Labor Market (RR-430). https://www.rand.org/pubs/research_reports/RR430.html

[20] Hess, F. M., & Addison, J. G. (2019). Busting the college-industrial complex. National Affairs. https://nationalaffairs.com/publications/detail/busting-the-college-industrial-complex

[21] Hess, F. M., & Addison, J. G. (2019). Busting the college-industrial complex. National Affairs. https://nationalaffairs.com/publications/detail/busting-the-college-industrial-complex

[22] Hess, F. M., & Addison, J. G. (2019). Busting the college-industrial complex. National Affairs. https://nationalaffairs.com/publications/detail/busting-the-college-industrial-complex

[23] Young, V. M. (2013, June 4). The rising education-industrial complex. The Federalist Papers. https://thefederalistpapers.org/current-events/the-rising-education-industrial-complex-2

[24] Education Next. (2020, March 26). Today’s education-industrial complex. https://www.educationnext.org/todays-educationindustrial-complex/