A new survey commissioned by Raytheon in conjunction with the National Cyber Security Alliance (NCSA) has some interesting titles, including:
- Latest Raytheon research on millennials finds rising interest in cybersecurity careers
- Report finds high schools not addressing student interest and employer demand as National Cyber Security Month begins
The survey included responses from 1,000 adults in the U.S. aged 18 to 26, completed from Aug. 27 to Aug. 28, 2014. The summary takeaways included:
- Sixty-three percent said they were not sure or did not know the typical range of responsibilities and job tasks involved in the cyber profession.
- Sixty-four percent of respondents indicated they did not have access to computer classes in high school to build the skills necessary for cyber careers, including computer science.
- The millennial generation’s interest in a cybersecurity profession presents a golden opportunity for parents and educators to build on this awareness by introducing cybersecurity topics with millennials and younger generations. Or as Harrington states, “Both the private sector and educational institutions need to help inspire millennials to join our next generation of innovators and cyber defenders”.
The survey indicated that millennials are becoming more aware of their need to stay current and continuously update the security of their own devices. Indeed, this supports other studies that show a growing awareness across the age groups of C3® (Cyberethics, Cybersafety and Cybersecurity). In my own studies, I have also seen a growing trend in students moving beyond the “me” mentality; there’s a growing recognition that we have a shared responsibility to make the U.S. a safer and more secure place. Cyber security is not a local problem; it may impact you locally, but the issues and threats are global.
The survey also indicated that respondents were not sure of or did not know the typical range of responsibilities and job tasks involved in the cyber profession. This is interesting for two main reasons. First, “cybersecurity” has only recently been in the public eye (in terms of career options). So for adults ages 18-26, this would be a reasonable answer. It would also be an explanation of why eighty-two percent say no high school teacher or guidance counselor ever mentioned to them the idea of a career in cybersecurity. Secondly, the survey broke out specific job titles such as app designer/developer, entrepreneur, social media professional, computer software engineer, scientist, lawyer, and college professional, but listed cybersecurity professional as a standalone entity. So the question is, aren’t these job titles part of the cybersecurity workforce? Is listing cybersecurity as a standalone job title accurate?
Indeed, this was the impetus for the National Initiative for Cybersecurity Education (NICE) developing the National Cybersecurity Workforce Framework (the Workforce Framework). The framework helps define the cybersecurity workforce and provides a common taxonomy and lexicon by which to classify and categorize workers. The National Cybersecurity Workforce Framework classifies the typical duties and skill requirements of cybersecurity workers. The Framework is meant to define professional requirements in cybersecurity, much as other professions, such as medicine and law, have done.
The Framework organizes cybersecurity into seven high-level categories. Within each category there is a list of specialty areas. In total there are 32 specialty areas of cybersecurity work and the framework provides a description of each. The Workforce Framework also identifies common tasks and knowledge, skills, and abilities (KSAs) associated with each specialty area.
Another interesting survey finding highlights that 64% of respondents indicated they did not have access to computer classes in high school to build the skills necessary for cyber careers, including computer science.
Several earlier studies give another view into this issue. For example, the ATE Student Success: Building a Diverse and Entrepreneurial Workforce gathered 2- and 4-year Cybersecurity/IA faculty input into what skills were needed most for students to succeed in their programs. The leading skill sets were not programming or computer science curriculum, but math and soft skills like writing (English) and communication skills. Sometimes we get so excited about something that we forget the backdrop the effort is situated in. If we only have $10 to spend, where do we spend it? Better efforts to increase written and communication skills or getting students to program?
Some have argued that it is a misconception that students who want to go into cybersecurity MUST first have a strong foundation in computer science and/or programming. Now, I totally understand the reason behind this opinion, and should state up front that I’m all into programming—I encouraged/pushed my own kids to take computer science and programming in high school, and all of our after school and summer programs include a fair share of programming. However, we have to also ask ourselves: could we be turning off some students if we mandate programming? Is understanding of networking or other skill sets just as valuable? I ask this question, as our own records have revealed some interesting results. Teachers have enrolled in our Cybersecurity Education CTE Academy. The original target audience included educators teaching computer science or Cisco/networking courses. One of the first courses the teachers were to complete was the Security+ course. Not one computer science teacher could complete the course on the initial try. Supplemental training was needed to give them the networking and hardware background to feel comfortable in the course.
The National Research Council’s report, Professionalizing the Nation’s Cybersecurity Workforce? Criteria for Decision-Making, lists several conclusions that should be considered:
Conclusion 2. Although the need for cybersecurity workers is likely to continue to be high, it is difficult to forecast with certainty the number of workers required or the needed mix of cybersecurity knowledge and skills.
There are many indications today that demand for cybersecurity workers will continue to be high, but it is notoriously difficult to measure or forecast labor supply and demand for any field, especially one that is as dynamic and fast moving as cybersecurity. Moreover, there are several factors that may affect future need.
Conclusion 3. The cybersecurity workforce encompasses a variety of contexts, roles, and occupations and is too broad and diverse to be treated as a single occupation or profession. Whether and how to professionalize will vary according to role and context.
Cybersecurity is a field that encompasses more than one kind of work and more than one occupation or profession. Some kinds of workers may come to be considered as professionals, but the committee believes that the field may also include a range of personnel and functions that are best not considered as professionals, much as many other fields contain both professionals and other workers who are not formally professionalized, including some who are designated as paraprofessionals. For example, there are today large numbers of people within organizations who have responsibility for cybersecurity functions, such as frontline IT support staff, for whom there may not be any formal education or accreditation requirements.
Conclusion 4. Because cybersecurity is not solely a technical endeavor, a wide range of backgrounds and skills will be needed in an effective national cybersecurity workforce.
- Attackers target organizations and individuals as well as machines and networks, so cybersecurity is inherently concerned with human adversaries and behaviors of those in the organizations they target. Protecting cyberspace thus involves human, behavioral, psychological, and economic factors and management expertise as well as technical skills and knowledge.
- Cybersecurity is a function of organizational policies and processes as well as technologies. As a result, people are needed who understand the organizational context—mission requirements, business processes, and organizational culture.
- Cybersecurity work often involves teamwork and collaboration across organizational boundaries. Soft skills, which include the ability to work in teams and facility with oral and written communication, are essential in many roles.
As a result, education, training, and workforce development activities that focus too much on narrow technical knowledge and skills may discourage participation by people with much-needed nontechnical knowledge and skills, may overly concentrate attention and resources on building technical capability and capacity, and may discourage technically proficient people from developing nontechnical skills. The result would fall short of delivering the workforce the nation requires.
I want to highlight some key points that should be made as I can see the handwriting on the wall—the report indicates a need for cyber professionals (something we have known for some time) and the need for students to be aware of the pathways (again something those of us in the trenches already have recognized). However, before we spend millions to develop career pipeline awareness programs and/or resources, we should first look at what has already been done. In doing so, we marry survey data and the needs identified with existing efforts and programs that can help address the knowledge gaps. We must look at the holistic environment to get deeper answers and examinations of the data being raised by instruments such as the millennial survey.