The Remediation Series — Part 1

Cyber Nullius
May 7, 2021

A Concise Review of the Advised Skills, Policies, and Reforms Needed to Fill the Gap

In the preceding series of articles, we examined the social, economic, political, and educational factors that lead to the creation of the Cybersecurity jobs gap. The current state of the industry began in 2007 in response to the hacks in Estonia and the United States Department of Defense. Since that time, the world of Cybersecurity has undergone a large degree of evolution, with the aforementioned factors barely resembling their pre-9/11 selves. Despite the world’s economy undertaking drastic efforts to improve the security of cyberspace, little difference has been felt in the jobs market.

With the security of a nation’s information infrastructure becoming a core tenet of administrative policy, the global cybersecurity market currently being worth $173 billion (expected to increase to $270B by 2026)[1], and expanding social awareness of data privacy concerns[2], it appears that a good majority of the contributing factors are being addressed. However, despite political and socio-economic support, industry leaders are continuing to find themselves short-handed when it comes to qualified candidates for onboarding. This is due to the industry itself, the education pipeline, and the relationship between the two. The education pipeline responds, in theory, to industry needs by updating curricula with material and staff that provide the most relevant training, so a newly minted graduate is prepared to participate. This dynamic has failed to fully materialize in the Cybersecurity world, with both parties shouldering responsibility.

Due to the responsive nature of education[3], it is the responsibility of any given industry to establish the direction and nature of the pipeline by advertising needs. These needs are obviously met when there are people available who possess the correct knowledge and skills. Now, organizational practicality paired with the realistic assumption that no single person can know everything there is to know about everything leads to the grouping of needs into specific job roles. This compartmentalization, for example, leads to the differentiation between cardiologists and orthopedists, allowing each to specialize according to their interests and aptitudes. The Cybersecurity industry, by contrast, lacks this degree of structure. Lacking a common lexicon and taxonomy of skills[4], the industry will often put forth job openings with descriptions that are disconnected from the stated requirements and requested qualifications.

Inevitably, the absence of a common lexicon and taxonomy results in a wide variance in the quality of traditional four-year degrees[5]. Topics receive dissimilar emphasis, and certain teaching methods are used in some institutions but not others. Unsurprisingly, the quality of human capital stratifies even before employment begins. This disunity in educational structure is most clearly seen in the difference between CAE-CD and CAE-CO certified institutions. To quickly recap, the National Centers for Academic Excellence (CAE) Cyber Defense (CD) certification signifies that a given institution offers programs “geared towards reducing the vulnerability of the nation’s information infrastructure.” The CAE Cyber Operations (CO) certification indicates an institution “offers a deeply technical, interdisciplinary, higher education program firmly grounded in computer science, engineering, and electrical engineering disciplines.” Programs with the CO designation are very hands-on and help guarantee a student’s readiness for the industry. In fact, the CAE-CO program grew out of controversy surrounding the CD certification’s perceived lack of rigor. Currently, there are 272 CD certified institutions, while there are only 21 CO institutions.[6]

Perhaps the only way to reduce or eliminate this stratification is the widespread adoption of a common lexicon and job taxonomy. The succeeding articles will examine the common cybersecurity process, then the hard and soft skills industry leaders have the greatest need for, then frameworks for a common lexicon and taxonomy, and finally additional measures that are commonly recommended in the current literature.

[1] Auxier, B., & Rainie, L. (2020, August 17). Key takeaways on Americans’ views about privacy, surveillance and data-sharing. Pew Research Center. https://www.pewresearch.org/fact-tank/2019/11/15/key-takeaways-on-americans-views-about-privacy-surveillance-and-data-sharing/

[2] Columbus, L. (2020, April 6). 2020 roundup of cybersecurity forecasts and market estimates. Forbes. https://www.forbes.com/sites/louiscolumbus/2020/04/05/2020-roundup-of-cybersecurity-forecasts-and-market-estimates/#755680bd381d

[3] RAND Corporation. (2014). Hackers Wanted: An Examination of the Cybersecurity Labor Market (RR-430). https://www.rand.org/pubs/research_reports/RR430.html

[4] McAfee. (2016). Hacking the Skills Shortage. https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hacking-skills-shortage.pdf

[5] Center for Strategic & International Studies. (2019). The Cybersecurity Workforce Gap. Center for Strategic & International Studies. https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/190129_Crumpler_Cybersecurity_FINAL.pdf

[6] Center for Strategic & International Studies. (2019). The Cybersecurity Workforce Gap. Center for Strategic & International Studies. https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/190129_Crumpler_Cybersecurity_FINAL.pdf

Cyber Nullius

B.S. in Cybersecurity | CASP+ | CCNA | CTCE | Humble Beginner | Hopeful Space Traveler