New research on the cybersecurity industry paints a worrying forecast. Two-thirds of security professionals have considered leaving their current positions or the industry entirely, according to a report by Goldsmiths, Symantec and University of London. This research has set off alarm bells for hiring managers: Why do people with highly sought-after cybersecurity skills now admit they have second thoughts about continuing to work in the industry?
Bob Duhainy holds a doctorate of IT and has served as a core faculty member of computer networks and cybersecurity at Walden University for the past eight years. His industry experience prior to his academic career, including the design and security of high-speed networks, informs much of his current research projects that focus on cybersecurity talent, skills and awareness. In this Q&A, Duhainy discusses the factors contributing to the cybersecurity skills shortage and strategies to help close the gap.
Editor’s note: This transcript has been edited for length and clarity.
What strikes you as the most important finding of your current research?
Bob Duhainy: The most important research has been on the shortage of cybersecurity skills and talents that we’re experiencing in the industry right now. There is growing concern that it poses challenges to communities in the United States and across the globe — specifically in the European Union. The shortage of cybersecurity skills is due to rapidly changing advancements in technology and the rapidly changing threat landscape [due to] the growing use of mobile technology, IoT, cloud computing and data centers.
No individual or organization is immune to cyberattacks. Even the U.S. National Security Agency [NSA] constantly works under suspicion that they already have been breached. They also are not immune.
What factors contribute to the cybersecurity skills gap, and under what circumstances do you think it will improve?
Duhainy: Research I’ve come across suggests [taking] a wide approach to cybersecurity in a more diverse operating environment. Some researchers suggest that cybersecurity teams must be diverse — from different cultures, political views and so on — to prevent or be proactive about cyber-risks.
In my experience, hiring, recruiting in IT — and, specifically, networking — [can help]. For example, if we try to feed the cybersecurity industry, we look at current IT-skilled people working in industries such as networking, software development, systems engineering, financial and risk analysis, as well as security analysts.
Each and every feeder role has specific requirements or skills. For example, networking skills may include system administration, firewalls, routers, Linux or iOS operating systems and VMware skills. If this role with these skills is fed to cybersecurity, their existing skills can be enhanced on the job through internships or through open source software, like virtual machines, available through the NSA and (ISC)². Organizations can do this to train and enhance the current skills and leverage their current skills.
What is your response to the recent report by Symantec, Goldsmiths and the University of London, which found that two-thirds of cybersecurity professionals considered leaving their jobs or the industry?
Duhainy: Based on my experience and personal opinion, it is [due to] the lack of skills to tackle specific cyberattacks. I’ve seen individuals in the CIO positions, even in CISO positions, without the required skills, training, certification or educational background.
For example, with the Equifax breach, the CIO had a degree in music and had no skills whatsoever in cybersecurity. This is just one simple example, but I’ve seen so many. That’s why they are leaving, because they don’t have the specific skills to tackle cybersecurity.
Do you think recruiting new talent needs to happen at higher education institutions or earlier?
Duhainy: It should have happened a while back. We’re working on it in educational institutions, absolutely. Yes, most recruitment should occur at the college level and even at the high school level.
Like I mentioned, organizations have [individuals with] the current skills in IT, networking, risk assessment. They can grow individuals who are working for them [into employees] with advanced skills in cybersecurity.
I’m personally working with the NSA on different training curriculums, certifications, courses, webinars. I also work with the FBI’s InfraGard. They provide access to webinars on cybersecurity skills and risk assessment. Students are exposed to training, certifications and the knowledge that they need.
Is the federal government working on any projects to offset the cybersecurity skills shortage?
Duhainy: There are some strategies to overcome the barriers to expansion. There is a government study called the CIA Diversity in Leadership Study. It examined the lack of or absence of inclusivity, opportunity, promoting diversity, integrating talent and enhancing the recruitment process of cybersecurity professionals.
The government is working extensively with industry to recruit and promote talent. The (ISC)² Cybersecurity Workforce Study of 2018 noted that there is a likelihood of a cybersecurity workforce gap of 1.8 million by 2022. This is basically a 20% increase from the forecast made in 2015.
Are there concrete diversity goals that companies and institutions should be striving for in terms of recruiting women?
Duhainy: I would say women remain significantly underrepresented in the cybersecurity workforce. I know there’s a trend towards recruiting and training women in cybersecurity, but there’s a need for more female cybersecurity professionals. The industry needs more females because they need more focused, on-task [people] to get the job done. If we’re talking about diversifying cybersecurity, we need to start including more women.
[Many] organizations lack a sufficient number of cybertalent to combat cyber-risks in today’s evolving threat landscape. One of the recommendations is that [companies] start looking into women in cybersecurity. Hiring practices should target talented, innovative, motivated women and minorities.
What do you think are the biggest challenges that face security leaders today?
Duhainy: It’s the sophisticated types of attacks that we’ve been seeing, including artificial intelligence, cryptocurrencies, IoT and machine learning — these are the biggest challenges.
What I would recommend [to cybersecurity professionals] is to keep their skills up to date and always seek to better themselves and what they do. Always think proactively. Always think that you are under attack.