By Jonathan Brandt, CISM, CDPSE, CCISO, CISSP, CSAP, PMP
ISACA® has conducted research for its annual State of Cybersecurity reports for eight years now. Like other industry reporting, the early years were full of grim statistics that painted a woeful picture of a growing demand-supply imbalance. We continue to refine survey questions to probe further so we may provide actionable data. After all, simply reporting that the shortage of cyber talent is monumental helps no one. Doom and gloom may sell, but fear has not helped. The past three years highlight three themes that call into question whether the ever-growing sea of purported solutions designed to counter staffing shortages and train staff is viable.
Talent Pipeline Is Broken
There is no shortage of programs for those willing to enter the profession. Displaced workers and career changers are targets of a growing number of apprenticeship programs, grants, scholarships and reskilling programs. These programs mostly address today’s problems and, as such, are of limited benefit. To truly influence the shortage of practitioners we must shift focus from specific skills gaps and look at the overarching pipeline.
There are countless programs out there, spanning university programs, industry training products and credentialing programs. Alternative pathways have surfaced in recent years, including a federal reskilling program, registered apprenticeship programs and many more upskilling or reskilling programs offered by each state’s workforce agency. With so many solutions in the market—some for many years—one would expect the shortage to at least show signs of levelling off. Unfortunately, the opposite has been true.
Within the pipeline is an issue much larger than cybersecurity or even the greater IT workforce. Soft skills remain the single greatest noted gap for both the current workforce and university graduates, which survey respondents affirm year over year. Probing further, the top three most important soft skills needed are communication (57%), critical thinking (56%) and problem-solving (49%). Attention to detail (38%) and honesty (16%) rank very low for an industry charged with protecting a digital ecosystem.
University programs remain a prevalent albeit imperfect feeder for cyber occupations. Recent ISACA data reveals the top three shortcomings with university graduates are soft skills (66%), security controls (56%) and network operations (39%).
Within the US K-12 education system, there is a heavy focus on standardized testing and science, technology, engineering and math (STEM) education. Unfortunately, STEM education has largely underdelivered and is not a well-defined experience,[i] possibly attributable to the lack of technical class requirements within teacher certification programs. Worse, in a US National Center for Analysis of Longitudinal Data in Education Research (CALDER) working paper, researchers report that “expanded access to STEM courses in high school does not increase postsecondary STEM enrollment or degree attainment.”[ii]
The US State of North Dakota’s K-20W initiative[iii] was the first to tackle the entire continuum from kindergarten through Ph.D. and into the workforce. At its core, the program capitalizes on deliberate synergies involving state technology executives, academia, technology teams and industry stakeholders. Impacts include awareness training for educators, classroom equipment, and the creation of computer science and cybersecurity standards. Hopefully it will cascade to other states and motivate changes to teacher certification programs.
The cyber workforce is highly fractured, with countless variations of work titles and work scope and often inflated (and unreasonable) requirements on job postings. Industry has done little to demystify the work. In other words, we largely fail to describe cybersecurity work, which is critical to generating enough interest for current and future needs. As a result, we continue to alienate many bright minds who enjoy analyzing problems, solving puzzles or questioning the status quo. In the absence of a clear description, the prevailing image is that the typical cybersecurity practitioner is a male wearing a black hoodie in a darkened room who has not seen the light of day for weeks, with empty cans of energy drinks strewn across a desk.
Cyber work can be conceptualized in four buckets – analyst, architect, engineer and support – as each requires varying degrees of technical aptitude. This presents an opportunity to identify core knowledge and skills required within each. Doing so could standardize learning outcomes and assessment for those entering the profession and better define enterprise-specific training plans for new employees.
Of interest, the practice of requiring university degrees for entry-level positions appears to be losing favor among enterprises, with sizeable decreases across nearly all geographic areas this past year.
Claims of gatekeeping – the act of controlling or limiting access to something – are not new[iv],[v] and should concern everyone. Gatekeeping takes many forms[vi] and may not be intentional, but we can no longer ignore it. While many focus on diversity, equity, and inclusion (DEI), we appear to be ignoring generally poor hiring practices. Notable examples include organizational unwillingness to train entry-level staff, laughable job experience requirements and advertising jobs with a scope so large that it ignores the principles of least privilege and need-to-know.
Of immediate concern is the increasing number of graduates of formal and informal programs sitting on the sidelines with skills atrophying because they cannot find work. Comb LinkedIn and you’ll see how pervasive this has become. Industry recognizes the criticality of cyber roles, yet despite the many aforementioned programs, there simply are not enough entry-level jobs. As a result, we have wasted the time and money of far too many people whose sacrifices go unnoticed.
Accumulating experience takes time, and many trying to enter the field struggle to find employment after completing programs, which is unfathomable given the large imbalance of supply and demand. It is not appropriate to advocate that all jobs be stripped of experience requirements but hiring managers should re-evaluate all job postings to avoid unnecessarily restricting applicants who could, arguably, perform the job. Hiring managers are encouraged to judiciously use required and preferred knowledge, skills and experience statements. To mitigate the pipeline shortage, the cybersecurity industry must provide means of accelerating the attainment of experience. Enter apprenticeships and performance testing.
Performance tests provide a viable attestation of minimum competency. According to the Performance Testing Council (PTC), a performance test is “an assessment which includes a demonstration that a person can do what you want them to be able to do.”[vii] For those unfamiliar with performance testing, an excellent example is taking a driving test to demonstrate one can operate a car within the guidelines of the rules of the road before a driver’s license is issued. With this understanding, a performance test can fulfill at least portions of experience requirements.
Performance tests are not new. They can be found in academia, construction, healthcare and other industries, including IT. Performance tests range from low realism (pencil and paper) to high realism (real-world conditions). Academic writings often refer to these as performance assessments, which “can be made more authentic by presenting performance tasks more like those in the real world.”[viii] (Waugh & Gronlund, 2013) Fortunately, technology has greatly enhanced the testing industry’s ability to increase authenticity and mitigate errors involving observation and judgement.
Performance testing is not appropriate for everything and, therefore, will not fully replace traditional cognitive tests. In fact, multiple-choice exam items offer many benefits when constructed properly. However, multiple-choice items cannot measure some types of problem-solving, and they make reading ability a success factor.[ix] Most of us know individuals who are great test-takers but cannot perform the work. Performance tests help address these issues. Performance tests increase exam fidelity and face validity,[x] the degree to which the assessment appears effective in its stated aims.
IT-related jobs have long required a lifelong-learning approach—something that other occupations are encountering as industries and positions morph to keep pace with the Fourth Industrial Revolution.[xi] It is plausible that the traditional university model is simply too rigid for the speed at which industry and the world are evolving. Higher learning institutions would be wise to consider competency-based education.[xii] Formal education serves a purpose but is not the only solution. Overreliance on university education in the United States has likely done more harm than good in the field of cybersecurity.
Emerging technologies are changing how and where work is done, and traditional two- or four-year programs simply cannot keep up with the demand, let alone the rapid rate of change. These same emerging technologies will undoubtedly reallocate resource needs, especially in the design and auditing of algorithms. We must become more agile in our approach because legacy thinking and programs perpetuate longstanding issues. How can we reasonably expect workforce education and development programs to succeed when the target is always moving? To that end, we are long overdue to re-evaluate US educational strategy. The shortage of human resources will not diminish until we adequately ramp up digital literacy activities earlier in the academic trajectory and narrow the digital divide that affects so many across the globe. The Fourth Industrial Revolution has upended work, so it is only fitting that we re-evaluate K-12 outcomes. Finally, we must also minimize the human-enabled barriers that presently exist within talent management systems.
[i] Honey, M.; G. Pearson; H. Schweingruber; STEM Integration in K-12 Education: Status, Prospects, and an Agenda for Research, National Academy of Engineering and National Research Council of the National Academies, USA, 2014
[ii] Darolia, R.; C. Koedel; J. B. Main; F. Ndashimye; J. Yan; High School Course Access and Postsecondary STEM Enrollment and Attainment, National Center for Analysis of Longitudinal Data in Education Research, USA, 2018
[iii] State of North Dakota, “North Dakota’s Cybersecurity Education and Training ‘K-20W’ Initiative Wins National Award,” USA, 9 October 2019
[iv] Miessler, D.; “The Cybersecurity Hiring Gap Is Due To The Lack of Entry-Level Positions,” USA, 21 October 2018
[v] Security Weekly Productions; “Gatekeeping in Cybersecurity, Part 1 – Naomi Buckwalter – SCW #83,” 17 August 2021
[vi] “Stark Realities,” PwnDefend, https://www.pwndefend.com/2021/10/04/the-problem-with-gatekeeping-in-the-cyber-security-industry/
[vii] Performance Testing Council
[viii] Waugh & Gronlund; Assessment of Student Achievement, 10th Edition, 2013, Chapter 6 (Writing Selection Items: Multiple Choice), p. 93
[ix] Ibid.
[x] Oxford Dictionary
[xi] Schwab, K.; “The Fourth Industrial Revolution: What it Means, How to Respond,” World Economic Forum, 14 January 2016. The Fourth Industrial Revolution bears velocity, scope and systems impact resulting from a fusion of technologies blurring the physical, digital and biological spheres.
[xii] Western Governors University, Competency-Based Education, USA, 2020
Jonathan Brandt, CISM, CDPSE, CCISO, CISSP, CSAP, PMP is director of professional practices and innovation in ISACA’s Content Development and Services department. In this role, he leads emerging technology, information technology, information security, privacy, and risk thought leadership initiatives relevant to ISACA’s constituents. He serves ISACA® departments as a subject matter expert on information security, spearheads innovative workforce readiness solutions and related performance assessments. Brandt is a highly accomplished US Navy veteran with nearly 30 years of experience spanning multidisciplinary security, cyberoperations and technical workforce development. Formal education includes an MSED in Workforce Education and Development from Southern Illinois University and BS in Cybersecurity from Champlain College.