Posted by Taylor Armerding on October 17, 2018
The original version of this article was published in Forbes.
Cyber security is very obviously a job sector of the future. Official estimates put job growth in the sector at 37% per year, at least through 2022—and that is probably conservative. At the start of this year, there were an estimated half million cyber security jobs unfilled in the U.S. alone.
That’s the good news. It’s also the bad news, for society. The main reason cyber security is a job of the future is that the cyber risks of a connected world keep expanding and getting more threatening.
It’s now so last year—even last five years—to refer to the Internet of Things (IoT). It is now, or soon will be, the Internet of Everything (IoE). Encryption guru, author, blogger, and CTO at IBM Resilient Bruce Schneier calls it Internet+ (short for Internet+Things+Us) in his most recent book, “Click Here to Kill Everybody.”
It is a world where pretty much everything and everybody—individuals, companies, governments, critical infrastructure—is increasingly dependent on connected systems, networks, and devices.
And as we all see in daily headlines, those systems, networks, and devices remain insecure, and criminals, terrorists, and hostile nation-states continue to get better and more sophisticated at exploiting their vulnerabilities.
That yields inevitable results: stolen identities, compromised credit cards, emptied bank accounts, files encrypted by ransomware, massive theft of intellectual property, and—more ominously because of the physical risks—hacked smart home door locks, hacked implantable medical devices, intrusions into critical infrastructure, and more.
All of this means there is no end in sight to the rapidly growing demand for white hats who can detect, block, or at least mitigate the unending stream of attacks from the black hats.
But that raises a few other relevant questions, especially during National Cybersecurity Awareness Month. Among them: Is society’s cyber security awareness at a level that will lead us to produce enough skilled workers to fill all those vacant jobs and make the future Internet+ or IoE more of a benefit than a threat?
Certainly it is possible. But if society is going to do it successfully, we have to be aware that, as is the case in most industries, cyber security isn’t just a “job”—it’s a long and varied list of jobs.
Gary McGraw, vice president of security technology at Synopsys, compares cyber security to the medical field.
“You need lots of different kinds of skills to have a good healthcare system,” he said. “Some are EMTs and first responders. You need nurses and doctors of all different kinds—from general practice to brain surgery. And you need different numbers of all of them.”
McGraw said it’s both glib and misleading simply to say, “We need a million more people in cyber security,” because it tends to create an image of all those people doing essentially the same thing.
“You can’t have an effective healthcare system if everybody is an EMT,” he said.
The same is true for cyber security jobs. The number of specialist job titles can be dizzying—data scientist, data security analyst, software security developer, forensic analyst, penetration tester, chief security officer…and that’s just a start.
That raises another relevant question: What is the best way to create the supply to fill the demand for cyber security jobs?
That, experts say, will require something of a cultural shift.
Ksenia Peguero, senior research lead at Synopsys, said diversity would help—a lot.
“I would like to see more women,” she said. “Unfortunately, the field is still predominantly male and predominantly white. More diversity would definitely help to close the security talent gap.”
McGraw agrees. “Women and minorities are underutilized resources,” he said. “It’s a geeky field, and there’s a lot of sexism that leads to inherent biases in hiring.”
But he said the reality remains that “if you go to your typical panel at a conference, it’s mostly men. Yes, there are women involved who can be role models, but we need to make sure that schools aren’t set up to discourage that—it goes for all the STEM [science, technology, engineering, and math] fields.”
Of course, it doesn’t matter who is being taught—males, females, or minorities—if the instruction isn’t effective. And while the current higher education system obviously has universities and grad schools focused on the STEM fields, so far they aren’t generating enough graduates to fill the demand.
Meera Rao, senior principal consultant at Synopsys and another vocal advocate for recruiting more minorities and women, said she thinks more effective promotion of the career prospects offered by cyber security could help close the gap.
“This is one area where we are still lagging heavily,” she said. “We definitely need to do more. We can motivate and inspire young people by talking about cyber security at various schools, by conducting free workshops for school students and through publications highlighting success stories and the bright futures awaiting them in this industry.”
Peguero said it’s going to take more teaching about security at the college level. “And that should come from switching the focus of educators from teaching the next cool language/framework, to teaching developers to write high quality and secure code,” she said.
McGraw said he is still a firm believer in a “broad and deep liberal arts education.” But he said that also has to include deep technical training that includes coding.
In an interview with IEEE two years ago, he said an effective practitioner will need “deep coding experience and be a software person before plunging into software security.”
Amid all those challenges, Peguero remains optimistic. “There always will be security vulnerabilities and we need to embrace it,” she said. “It just means we will need more security professionals in the future.”