Analysts: Cybersecurity staffing shortages negatively affect national security
By GARY ROBBINS | The San Diego Union-Tribune (Tribune News Service) | Published: April 17, 2017
The nation’s colleges and universities are scrambling to add courses to prepare students to fill the huge number of cybersecurity jobs that have arisen due to exponential growth in hacking worldwide.
The extent of the problem isn’t clear; analysts say the number of job vacancies ranges from 100,000 to 350,000, with as many as 45,000 positions in California.
Ashton Mozano, a cybersecurity professor at the University of San Diego, says there are thousands of $80,000 entry-level jobs available to applicants who have nothing more than an undergraduate degree in computer science or computer engineering.
Analysts are trying to nail down the actual number of openings.
“The cybersecurity industry does not have the best track record when it comes to quantification,” said Stephen Cobb, a senior researcher in the San Diego office of ESET, a digital security company.
But the shortfall is real.
And a lot of the blame has been placed on academia for failing to train large numbers of students with targeted skills. Industry and government officials also are being criticized for failing to define their needs more clearly — a key component for helping colleges solve the labor shortage.
Academia is trying to fix the problem, especially in San Diego County, where hackers routinely assault the region’s huge military, defense and science communities, as well as the assets of consumers.
National University, the University of San Diego, San Diego State University, UC San Diego Extension and Palomar College now teach courses that weren’t available 5 to 10 years ago.
USD also works closely with Circadence Corp., a company in Kearny Mesa that specializes in the “gamification” of cybersecurity training. Students are exposed to high-resolution videos and graphics that give them a sense of what a real “hack attack” is like. They also use the immersive software to learn how to spot and prevent digital assaults.
The company is led by Mozano, who is also part of USD’s growing cyber program.
He’s trying to change the way students are taught in hopes of drawing larger numbers of people into the field quickly.
“Unfortunately, presenting technical training in an aesthetically pleasant way does not seem to be a high priority among course material developers,” Mozano said.
“Certain academic fields in mathematics and engineering are infamous for presenting material in drab, monotonic, esoteric, non-interactive manners.”
Analysts said that compounds the problem because cybersecurity already suffers from an image problem.
The field pays well, but many computer-science students would rather create new products and technologies for Apple and Google than design and operate systems that spot, resist and mitigate a widening variety of attacks.
“Computer science is sexy. Cyber isn’t,” said P.K. Agarwal, regional dean of Northeastern University’s Silicon Valley campuses, which teach cybersecurity.
“Cybersecurity can be a high-stress job where you can get fired if things go wrong, and no one pats you on the back if there were no problems overnight,” he added.
Analysts said the industry needs to jazz things up and highlight job opportunities.
“The chances are excellent for graduates of homeland security and cyber security degree programs to enter the job market directly out of college,” said Lance Larson, assistant director of the Graduate Program in Homeland Security at SDSU.
“The reality for recent graduates is that they need a degree, experience, and certification; this is really the perfect trifecta for graduates to have a powerful job seeker portfolio.
“At San Diego State University’s Graduate Program we are requiring students to intern, starting with our 2018 graduate class, to allow students to gain practical experience required for the job market.”
San Diego-based National University also is emphasizing practicality.
“One thing we do to improve students’ skills and make them more marketable is provide opportunities to work with local small businesses and nonprofits to conduct free security assessments as part of their final Capstone project,” said Chris Simpson, director of National’s Center for Cybersecurity.
“Students who gain experience from this applied learning and who have the opportunity to network within the tech community have shared with us how well-prepared they are for the job market.”
The staffing shortage is serious enough that, “The president should … train 100,000 new cybersecurity practitioners by 2020,” the Commission on Enhancing National Cybersecurity said on Dec. 1.
The shortage also means “you’ll see more things like the Tesco attack, which targeted bank accounts (in England), and a greater risk to health-care records and everyday devices like your phone,” said John Callahan, director of cybersecurity programs at the University of San Diego.
“In the digital age, this is potentially the greatest period of risk that consumers have ever faced.”
There’s special concern about ransomware, a type of malicious software that hackers can use to remotely take control of computers, including those in automobiles. In most cases, victims have paid money — from hundreds to tens of thousands of dollars — to regain control. For example, hackers carried out such an attack against Hollywood Presbyterian Medical Center in February, forcing the hospital to pay $17,000 in ransom.
The U.S. Justice Department estimates there are about 4,000 attempted ransomware attacks each day against individuals, companies and the government, and that many of them are successful.
“Based on FBI statistics, bank robbery in the U.S. is a $40 million a year problem, whereas cyber criminals using ransomware are making over $200 million per quarter,” said Cobb at ESET.
“And while a handful of bank robbers are shot dead every year, there are no reports of cyber criminals ever being killed in the commission of a crime,” he added.
The federal government and the military began to significantly ramp up their efforts to fight cyber attacks about a decade ago. Security firms and a wide range of companies did the same.
The results have been mixed.
Analysts said most cyber attacks, including some pretty sophisticated ones, are blocked or minimized. But hackers have quickly adapted to every method used to stop them, leading to damaging and embarrassing breaches amid an ongoing game of cat and mouse.
Earlier this year, hackers stole digital spying tools thought to belong to the super-secret National Security Agency. Hackers also stole data from the Democratic National Committee and Hillary Clinton’s campaign in an apparent attempt to influence the presidential election.
In late November, a hacker disabled the fare system for the San Francisco Municipal Transportation Agency, forcing it to give commuters free rides until proper operations were restored.
Experts said these kinds of intrusions underscore the need to develop a huge professional class of cyber professionals — and to market the field as a noble and dynamic domain where well-regarded, highly valued specialists defend precious assets and protect the public’s safety.
“Some people think of cyber as the I.T. guy, which is wrong,” said Callahan at the University of San Diego.
While the staffing estimates vary, analysts agree on the huge need for qualified workers in the cyber industry.
Northeastern University’s Agarwal estimates there are 100,000 of these unfilled jobs nationwide. Peninsula Press, a journalism program at Stanford University, puts the figure at 209,000. Cyber Seek, an industry-government coalition, said the number could be about 350,000 when including positions that require at least some cyber abilities.
The job descriptions range from security analysts to network engineers to software developers to risk managers. Some lower-level positions pay as much as $70,000 per year, and management positions can hit $235,000 or higher.
Experts are eager to see the applicant pool widen, and they’re looking for specific types of candidates.
“The best cybersecurity professionals think like criminals,” said Domini Clark, an Idaho-based recruiter at the recruiting company Decision Toolbox. “The joke in the industry is that superstars have an ‘evil bit’ in the code of their personalities. They know better than to have a high-profile online presence. ‘Paranoid’ is too strong a word, but they tend to be hyper-cautious and some take pride in operating in ‘stealth mode.’”
Those people tend to be coveted, so low-ball employment offers just don’t work.
“(Some) companies are doing lip service, not willing to fund the important roles that are necessary for the growing security issues,” said Kirsten Bay, chief executive of the firm Cyber adAPT in Half Moon Bay. “There is a desperate need for technologists who can speak at both the engineering and board levels, candidates who can understand technology and yet speak to the business case for security.”
Clark at Decision Toolbox agrees, noting: “About half of cybersecurity professionals are contacted by a recruiter at least once a week. If you post a standard H.R. job description of duties and requirements, it will wash out among all the other background noise … (Candidates) want to do intriguing work that is varied and unique. Let them use their devious creativity to your company’s advantage.”
©2017 The San Diego Union-Tribune
Distributed by Tribune Content Agency, LLC.