We are by all estimates well over a million cybersecurity professionals short of what we need and racing towards an even bigger shortage in the decade to come. Current approaches are not likely to produce the number of cyber warriors we are going to need to close this gap. Not for want of good intention, but I believe we won’t achieve our intended goal, because the environment has changed and if we don’t recognize this change we may never catch up. There are multiple factors affecting this paradigm shift, but the biggest of them all is the rapidly evolving nature of technology that is moving at lightning speeds and the associated exponential growth in threat produced as a byproduct.
Closely related is what this means for the rapidly expanding competency that cybersecurity professionals will have to possess just to be effective in the future. We have known for decades that cybersecurity is a dynamically changing field affected by changes in the physical environment, changes in technology, the evolving nature of threat and the operational impacts of users. The enterprise is never static, and every change presents a new opportunities and new risks. If we take healthcare as one example of this just the past two decades have witnessed amazing changes in technology adoption, the rise of hyperconnectivity, the increase in the sophistication and frequency of attacks and the endless application of technology to operations, simple and complex. This will move even faster in the future as technologists are already talking about faster processing speeds, quantum computing, artificial intelligence, etc. Making it harder and harder for those who have to secure the enterprise to do that.
In fact, today’s cybersecurity professionals have to be as diverse as the thing they are trying to secure, meaning many different cyberwarriors with very different specializations. Analysts, administrators, engineers, program experts, threat hunters, monitors, architects, etc. Making it all the more impossible for current approaches to succeed. The supply is not going to catch up with the demand one cyberwarrior at a time. That ship has sailed. All the college programs in the land, although important, are not going to get us there. You cannot create a cyberwarrior army large enough, fast enough to solve this problem. We need a different approach.
In today’s and tomorrow’s information technology environment, everyone who uses a computer will need basic cybersecurity skills, and everyone who works in IT will need specific job-related cybersecurity knowledge and we need both general and specialized cybersecurity professionals. Individuals who write code should know how to do so with security in mind. Database developers and administrators should understand the threats associated with what they are doing and how to avoid them. System engineers should understand network security principles and how to apply them to what they do. And on and on. Information system designers, developers, manufacturers, consumers and users need to accept and embrace this basic requirement. Curriculums from the earliest stage where information technology is introduced should include cybersecurity training. Curriculums in career fields where information technology will be critical to accomplishing that skill should include cybersecurity training. No information technology degree should be achievable without cybersecurity as part of the curriculum. We should promote greater professionalization of the cybersecurity field to define specific career paths from the very specialized to the general practitioner to the strategist to ensure not only the expertise needed at the tactical level, but the professionals with the breadth and scope of knowledge and experience needed at the higher levels of responsibility to lead and develop effective cybersecurity strategies and programs.
The gap between the good guys and the bad guys is growing, because we are still trying to solve the problem in the same antiquated way, one cyberwarrior at a time. There is zero unemployment in the field right now, and many of the people filling cybersecurity roles today are only marginally competent. Because not only does it take education in multiple disciplines to be become knowledgeable in the field it takes experience, which can only be attained in time. We are never going to be successful following the path we’re on today. We need to recognize the paradigm shift that has occurred and embrace the new reality. Everyone who deals with information technology has to be part cyberwarrior. Everyone has the responsibility to understand basic computer security skills and the cyber threats that can keep them from accomplishing their mission. In the military we call this awareness of risk operational security and every soldier, sailor, airman and Marine from top to bottom is charged with understanding operational risks so they can mitigate them regardless of their job specialty.
Some organizations are beginning to realize this new reality and are taking steps to change how they approach educating the workforce of the future. One such organization is the University of Texas, which I had the pleasure of supporting recently, who is building a new graduate certificate program within their healthcare curriculum to train members of the workforce to move into healthcare, particularly former veterans. What is unique about this curriculum is that they have integrated cybersecurity knowledge so that graduates of this program not only prepare themselves for a career in healthcare by learning practical skills, but they learn about where cybersecurity is important and why they need to understand it to be successful. Their lab environment is unique in that it replicates the hospital experience, admissions, ER, the smart patient room, OR, radiology, pharmacy, etc. and in each lab cybersecurity will be taught along with the information technology associated with those environments as well as the cyber threats that affect both privacy and security there. A curriculum that teaches not only practical skills needed to work in healthcare, but how to protect patient data and operations. The program has included several experienced healthcare CISOs as contributing staff lending real world expertise to what they are building. These are the type of visionary programs we need more of if we are going to close this gap in cybersecurity skills.
Mac McMillan is president and CEO of the Austin, Texas-based CynergisTek consulting firm.