By Mark R. Smith, Contributing Writer
To find out what’s happening in the cybersecurity industry, all one has to do is turn on the device of their choice. And Google.
The latest stories about viruses, ransomware and phishing are all right there. In more recent times, we’re seeing more stepped-up attacks on mobile and Internet-of-Things devices, as well as cloud jacking, etc. It’s all rampant and being amplified by the rise of artificial intelligence and machine learning.
“If you examine what’s going on in the industry on the macro level, our adversaries are becoming more sophisticated and better funded,” said Gregg Smith, CEO of Columbia, Maryland-based Attila Security. “That issue affects everyone from my mother’s doctor in Maine to the federal government. We’re being attacked hundreds of thousands of times a day.”
And while “as a country and an industry the U.S. is continuing to up its game, so are the Russians, the Chinese and the North Koreans, and they’re highly effective,” said Smith. “In addition, our cyber workforce is more than one million people short. Our allies are short of workers as well and our opponents don’t have that issue. They almost have too many people.”
While industry growth is generally positive, it comes with big challenges in the cybersecurity field.
“Five years ago, in Maryland, we had 150 companies; today, we have close to 700,” Smith said, citing the Cybersecurity Association of Maryland Inc. “While the various government entities, the four-year schools, the community colleges and apprentice programs are becoming more proficient with targeted training programs to boost the sector, we’re still way undermanned.”
“But you can’t change the workforce on a dime,” he said, “especially when you’re dealing with the number of attacks that we’re seeing.”
Just how pronounced has the lack of workforce become in the last decade? “Ten years ago, I paid an entry-level employee $60,000,” Smith said, “but I’m now paying $100,000. The salaries go up from there. The economic impact is incredible.”
Despite the expense, the availability of those financially well-heeled cyber workers is crucial to any business location decisions. “The overwhelming locational determinant for cybersecurity operations is labor,” said Dennis Donovan, principal with Wadley Donovan Gutshaw Consulting, of Bridgewater, New Jersey.
Just how undermanned is the U.S. cyber workforce? Currently, there are 700,000 unfilled cybersecurity jobs in the U.S., according to Burning Glass, while (ISC)² (International Information System Security Certification Consortium), an international nonprofit that offers cybersecurity training and certification programs, estimates the global shortage at 2.8 million. A survey by ISACA, known for its global portfolio of IT certifications, revealed that 57 percent of companies have unfilled cyber positions.
“It’s very important to quantify the talent resource base. This starts by determining the number of information technology professionals in a market,” said Donovan, “then quantifying requisite skills specific to the operation.”
Those skillsets can include data security analyst, cybersecurity engineer and AWS cloud architect. “Similarly, [it’s necessary to] gauge the cyber graduate pipeline from colleges/universities within a 50-mile radius,” he said. “When selecting office space it is important that the worksite is well-positioned as to where resident skillsets reside.”
John Bellamy, assistant director of the Center for Defense and Homeland Security at Fayetteville State University in North Carolina, echoed that thought. “Computer security is a big issue no matter what institution or company you work for and there is a huge shortage of cyber-trained help,” said Bellamy, who added that various organizations “estimate the need for an additional 500,000 workers in the field.”
In the United States, there are around 879,000 cybersecurity professionals in the workforce and an unfilled need for another 359,000 workers, according to a 2020 survey by (ISC)². That also partially explains why the salary for entry-level workers in cybersecurity has generally reached a cool $79,000, according to Burning Glass.
And that well-known dearth of talent is also part of another problem.
“There is also a shortage of teachers,” Bellamy said, “but there is good news, too. We’re making progress in addressing those issues around the country with the establishment of cyber centers. Here at FSU, we have a cyber academy, where we teach seven accelerated non-college-degree certification classes. We will also offer a bachelor’s degree in cybersecurity in fall 2023.”
While it may be surprising that the degree program at FSU wasn’t established years ago, that situation was born of the shallow talent pool. “It’s taken so long because colleges need to acquire faculty trained to teach the courses,” he said, adding, “though that situation is improving.”
As Bellamy noted, certification classes are critical in working toward solving this massive issue. “You can have a bachelor’s degree in information technology and that degree may get your foot in the door,” he said, “but if you don’t have certifications, you’re back at square one. And that market demand will only grow as we move forward. It’s the certifications that will all but guarantee you a job in the workforce.”
At FSU, students can take an accelerated course (known as Cyber Foundations) and be done in 33 classroom days, which takes about a semester, though its Certificate in Cybersecurity course is an intermediate-to-advanced set of four classes that takes 40 days.
As for early recruitment, Bellamy said that science, technology, engineering and math (or STEM) programs “across the board” are boosting the ranks of students who have the necessary training to move forward. “Traditional degrees are great, but incorporating cyber programs into existing degree programs will better prepare students to help defend our nation’s infrastructure.”
Of course, those programs are constantly evolving. “Today, we’re working to integrate artificial intelligence, robotics and data analytics – which are key buzzwords in any cybersecurity community – into any of our offerings, since they all relate to STEM,” he said. “The requirements and possibilities will only grow more robust in the coming years.”
As for the entrants into the cyber workforce, Mark Sauter, managing director, chief revenue officer for White Plains, N.Y.-based Pickwick Capital Partners, said America’s cyber industry “has grown far beyond the stereotype of tattooed kids guzzling energy drinks as they develop the next great software product.”
“New products are needed, to be sure,” said Sauter, “but cyber services are increasingly in demand everywhere from Fortune 100 companies to rural school districts. It takes human beings to determine cyber requirements, implement them and then manage security solutions as challenges evolve.”
“Even sales and marketing staffers at cyber service companies need basic cyber savvy to drive sales. Not all of these jobs can be done remotely,” he said, taking Donovan’s observations a step further. “Cyber jobs are not created equal and companies must consider the specific types of talent they need, be they genius programmers of new solutions or solid security engineers with people skills to implement client projects.”
One strategy, said Sauter, is “to locate near large customers, hire cyber-capable executives, sales engineers and marketing professionals, and outsource the rest where possible. The common challenge is scarcity of cyber workers in just about every category.”
While the work-from-home trend and growth of the “gig economy” widened the pool of candidates, it also created more competition for talent. “A company is not just vying for talent with other employers in its geographic region, but also other enterprises around the world. For many job categories, business leaders may need to focus more on bringing jobs to the workers than bringing workers to the jobs,” he said.
Echoing Donovan, Sauter went on to say that companies can improve their competitive position “by locating near a university graduating cyber workers who want to stay in the area, or around government and/or military cyber organizations with transitioning employees looking for commercial jobs.”
Jurisdictions with strong cyber regulations, and with industries with cyber compliance requirements, such as electrical utilities and energy, can also be productive markets. “Overlay that with demand for services driven by cyber insurance companies, which increasingly require strict security controls before enterprises can obtain affordable insurance,” he said, “or even any insurance at all.”
While Sauter cautioned that not all cyber jobs can be done remotely, Georgia Weidman, founder/researcher for Bulb Security, in Purcellville, Virginia, stated that the industry has always had an image of a discipline that has a physical location, but pointed out that “even before COVID-19 and the work at home revolution, at least 25 percent of its workforce toiled from home; now that number has reached twice that amount.”
And part of what those remote workers (and their colleagues in the office) are doing is figuring out how to address the fact that so many people are using their own devices, be they desktops, laptops, tablets or phones, “that are accessible in ways that bypass traditional enterprise security,” said Weidman.
“[Mobile devices], at least from what I’ve seen from penetration testing and pretending to be the bad guy, are very high-risk targets and offer another access point for hackers. That issue is practically being ignored in the industry,” she said. “Attackers attack however they can and companies and individuals are not comprehending their vulnerabilities. The industry is going to have to address this issue moving forward.”
One issue that is being addressed, Weidman said, is that the market “is already seeing a greater push” for security products for those worker-owned devices that provide security oversight for corporations while still allowing usability as a personal device.
She is also concerned about phishing, which is rampant in email. “The vast majority of users still are not aware that any mechanism that can deliver a website address or a QR code can be used to phish,” she said. “In recent years, we’ve seen it increasingly in text messages, Facebook Messenger and even secure messaging products like Signal and WhatsApp, and graphical platforms like Instagram or Snapchat.”
As the market moves toward augmented reality, virtual reality and the Metaverse, “where the end-user doesn’t necessarily know that an object they’re perceiving is in fact a URL,” Weidman said, “the potential for, shall we say, virtual phishing is definitely concerning.”
She’s equally concerned about ransomware. “I worry that we might see a huge increase in scale. The newsworthy attacks have been against things like pipelines and municipalities; however,” she said, “imagine more broad-based attacks that weren’t simply economic in nature, but instead designed just to create chaos.”
“People’s cable, DSL and fiber optic gateways are very low-hanging fruit,” said Weidman, “and a bad actor could easily disrupt the home and office Internet of entire regions if not entire countries.”
A Fish Tank?
Overall, while progress is being made, there are obviously more challenges along the bumpy road to solving the cyber industry’s problems. “The challenge is that we build higher walls,” said Smith, “and our opponents build longer ladders or better tunnels to work around them.
“However,” he said, “the great thing is that the venture capitalists and private equity communities see the growth potential in cybersecurity and are investing. But the more screens and devices the public, government and industry use, the more opportunities there are for the bad actors.”
So is the modus operandi to build a bigger moat or bigger wall?
“Companies have to consider all of the new satellite technologies and how dependent we are on them,” said Smith, “because the bad guys attack the satellites as well as your devices, your car, your appliances, your home and anything connected to the Internet.”
“And the more connected we get via the Internet of Things,” he said, “the more threats we’ll receive. For instance, several years ago hackers even compromised the network at a Las Vegas casino after gaining entry via a connected fish tank.”
Bio: Odenton, Maryland-based Mark R. Smith joined Expansion Solutions after having written about site selection among the vast number of topics he has covered in the business universe. That part of his career began in 1993 when he joined The Daily Record, a Baltimore business and legal publication, where he delved into the worlds of economic development and commercial real estate, among numerous other industries; in 2003, he was named editor-in-chief of The Business Monthly, another Maryland publication that covers the scene in the Baltimore-Washington Corridor counties.
Concurrently, he’s written at length about the film and video industry for a variety of publications, and about his other loves, including music, sports and leisure.