It’s Week 4 of National Cyber Security Awareness Month (NCSAM), and this week we’re highlighting cybersecurity as a viable and rewarding profession and engaging people in pursuing cybersecurity careers. According to a study by the Center for Cyber Safety and Education, by 2022 there will be a shortage of 1.8 million information security workers. It is essential that we graduate students entering the workforce to fill the vast number of positions available and use technology, safely, securely, ethically and productively. By growing the next generation of skilled cybersecurity professionals and training those who are already in the workforce on cybersecurity, we can start to strengthen our defenses.
As part of this week’s efforts, Raytheon and Forcepoint – in collaboration with the National Cyber Security Alliance (NCSA) – released their 2017 survey of Millennials around the world, Securing Our Future: Cybersecurity and the Millennial Workforce. This survey examined millennial attitudes toward cybersecurity, online safety practices and interest in cybersecurity education and careers. I recently had the opportunity to talk with Valecia Maclin, Raytheon’s director of cybersecurity programs, and Carolyn Ford, director of global government security at Forcepoint, about the study, their perspectives on the findings and how we can promote the growth of a skilled cyber workforce.
MICHAEL KAISER: How did Raytheon and Forcepoint come to partner on this study?
VALECIA MACLIN: In three years, the millennial generation will make up half of the workforce. That deadline means we need to understand millennials’ attitudes toward cybersecurity if we want to create the workforce necessary to protect our critical infrastructure and way of life. Both Raytheon and Forcepoint recognize this need and have been investing in programs to support and grow the workforce of the future.
CAROLYN FORD: Forcepoint and Raytheon share a commitment to build awareness among the next generation entering the workforce that cybersecurity is a rewarding, challenging and noble career field. Forcepoint’s view on security is that businesses and governments absolutely need to focus on human behavior as the means to remediate risk in the workplace; as such, it made sense for us to join forces on this year’s millennial survey. This also speaks to our mutual recognition that changing the cybersecurity workforce landscape requires partnership among industry, government, higher education institutions and others.
MK: What are your top takeaways from the study this year?
VM: We are still seeing flat interest in the cybersecurity profession among young adults, even though their awareness of cybersecurity issues and career options has been increasing. Role models, from parents to peers to practicing professionals, are key figures young people depend on to encourage them to choose cybersecurity careers. One troubling finding was that U.S. young adults are losing trust in the integrity of our electoral system, just as they are growing old enough to vote, and are blaming cyberattacks. Forty-three percent of respondents believe cyberattacks influenced the results of the 2016 election.
CF: As digital natives, millennials consider themselves cyber savvy, and 75 percent acknowledge that as individuals they are responsible for keeping themselves safe and secure online. However, more than 60 percent report they don’t practice safe cyber hygiene, and they regularly click links that may not be legitimate and broadly share personal information online. In contrast, a 60- to 70-percent majority is extremely concerned with personal data being compromised or collected in ways they are unaware. In many ways this group is a study in contrasts, which also creates security challenges for today’s workplace with the evaporating line between personal and work device use.
The findings from this year’s survey reinforce the symbiotic connection inherent between people and the data they access at work. Even the most cyber-savvy person doesn’t always practice safe cyber hygiene – they want data when they want it from anywhere they happen to be. A company must protect both its critical intellectual property (IP) and that IP’s intersection with people, as this is where it is both most vulnerable and valuable. A company that has a lens into both can better protect against the headline-making data breaches – be they from accidental insiders or malicious outside attackers – that have become commonplace today.
MK: This is the fifth year of this study; were there any trends of note – good or bad – regarding how we’ve progressed in cybersecurity workforce development?
CF: One of the trends we found interesting was that millennials engage in seemingly higher-risk behaviors with less concern about the consequences than they did five years ago. For example, 87 percent reported using PIN protection for their phones, yet there was nearly a 20-percent increase in the number of respondents who give out their passwords to non-family members. And 76 percent reported using public Wi-Fi more today, yet there was a 13-percent decrease in being extremely concerned about malware and identity theft online.
VM: Educators are continuing to improve students’ awareness – 70 percent of millennials reported that their high schools prepared them to use technology safely in the workforce, up from 55 percent in 2013. Additionally, the number of young adults who said teachers had talked to them about cybersecurity as a career option tripled from 2013 to 2017.
Unfortunately, young adults’ online habits show increased risk of exposing them and others to cybersecurity threats. Four years ago, 66 percent of millennials had connected to public (no password required) Wi-Fi in the last month, but that figure rose to 77 percent in 2017. Additionally, the number of respondents who had shared passwords with non-family members in the last year shot up from 23 percent in 2013 to 42 percent this year.
MK: In the past, the study has revealed some gender gap issues around interest in cybersecurity careers and/or competencies gained in high school. How did we do this year on these issues, and were there other issues related to gender that need to be highlighted?
VM: The disparity between men’s and women’s interests in cyber careers is widening drastically. In 2014, 40 percent of men and 37 percent of women said they were more likely than they were a year ago to consider a career to make the internet safer. In contrast, this year 48 percent of men – but only 31 percent of women – made the same statement. This underscores the need to reach out to girls at younger ages about how rewarding a career in cybersecurity can be. I recently attended the G.I.R.L. 2017 convention hosted by the Girl Scouts of America and led a session with the U.S. Department of Homeland Security to show girls ages 12 to 18 that they can be cyber superheroes when they grow up, and I find strong interest when young people are engaged.
That’s why, for the last couple of years, we have been looking into whether high school classes have prepared students to pursue degrees in cybersecurity or a related field of study like computer science. Last year, 42 percent of men and 32 percent of women said they received adequate preparation. The gap widened in 2017, with men reporting more progress in this area than women. The good news is 51 percent of men say they feel prepared to major in cybersecurity, but only 37 percent of women also felt prepared.
MK: Not surprisingly, the study shows that parents play a significant role in giving career advice to young people; however, there seems to be a confidence gap in young people’s belief that parents could guide them into a career in cybersecurity. What does study say about this, and what should we be doing to help parents understand the pathways to cybersecurity careers?
CF: First and foremost, it’s important that parents recognize interest and aptitude. For instance, is your child hacking their own toys? Do they enjoy puzzles or taking things apart and figuring out how to put them back together?
Additionally, getting involved in the industry while still in school is important for understanding the cyber career path ahead. For example, competitions such as Panoply, Center for Infrastructure Assurance and Security (CIAS) at the University of Texas (UT) San Antonio, National Collegiate Cyber Defense and the Air Force Association’s CyberPatriot competition are great ways to learn more about – and get more involved in – the cybersecurity industry. These events are also a lot of fun!
MK: Year over year, one of the big findings in the study has been that there’s a lack of knowledge of the typical job responsibilities of someone who works in cybersecurity. How do we overcome this awareness gap?
VM: This gap is closing, but we have a long way to go. Just more than half (52 percent) of respondents say they know the typical range of responsibilities and job tasks involved in the cyber profession, up from 37 percent in 2014.
Cyber competitions offer many benefits to young people. Raytheon sponsors the National Collegiate Cyber Defense Competition, in which 230 college teams participate in live exercises to defend a network against real-time threats. The events expose students to cyber professionals so they can network and learn what’s involved in these jobs. Participating in contests gives them a chance to see if they like cybersecurity and might be good at it.
CF: Industry, government, higher education and nonprofit institutions have to work together to raise awareness and bring more people into the cybersecurity field. Additionally, supporting critical research programs that help us better understand the continuously evolving global cybersecurity threat to individuals, businesses and our communities will also be key to evolving cybersecurity workforce requirements to keep pace with this explosively growing field.
MK: The study also shows that there’s a disconnect between the skills young people want to use in their jobs – including problem solving, communications, programming and management – and their understanding of cybersecurity jobs, which tap many of these same skills. How can we better communicate to young people what cybersecurity entails and how it may line up with the kinds of jobs they want to pursue?
CF: In some ways, it starts with the industry. Today there is a talent gap; however, the industry can’t continue hiring people and building products based solely on today’s model. After all, you can’t prototype innovation. Looking ahead, the industry needs a cybersecurity workforce that has both technology expertise and an understanding of people’s behaviors to create products that understand behavior as well.
In addition to the expected engineering and computer science cybersecurity career paths, when we look at the evolution of cybersecurity data scientists, human behavior researchers and behavior analytics specialists will be shaping how the industry identifies and assesses human-centric cyber risk, both outside and inside an organization. And it’s important to consider diverse thinkers in cybersecurity hiring; for example, a person with a law degree and deep experience researching and writing insights briefs would bring a lot of value as a security analyst.
Additionally, learning specialized skills such as cryptographic and obfuscation techniques, malware analysis, identity management and ethical – or what we call “white hat” – hacking will always be in demand. Today a growing number of universities offer cybersecurity degree programs to develop such skills as part of their curricula – such as the UT system. In fact, UT San Antonio was one of the first universities in the United States to offer a cybersecurity degree program across its business, engineering and science colleges.
MK: The workforce issues in cybersecurity go beyond any one company and government – these are global concerns. What are your ideas for industry, government and nonprofits to work together to create a talented pool of people to pursue these careers?
CF: Our growing worldwide shortage of cyber skilled workers is leading us collectively into a precarious situation where there are few employees who have the skills needed to protect nation-states against malicious hackers.
At Forcepoint we are continuously evaluating how we can be agents of change to build awareness among up-and-coming generations of opportunities within the cybersecurity industry. As an example, Forcepoint recently initiated a partnership program with several universities in the U.S. and Europe that are building new cybersecurity curriculums to help support research, internship and graduate programs for the next generation looking to gain experience in the security industry.
There are also a number of nonprofit organizations that government and industry should be working with to develop more resources for the future and create a safe space for innovation. One that Forcepoint has worked with recently is Girls Who Code.
VM: Studies like ours help the industry better understand the scope of the problem and track progress. These studies consistently show that reaching young people in middle school, high school and college is the key. We’re trying to create a climate similar to the one President John F. Kennedy fostered in challenging the country to go to the moon; Kennedy’s plea to the nation led to a great interest in science and aerospace careers. Our recent efforts to promote careers in cybersecurity will be especially important for this generation as the Internet of Things becomes more prevalent. Students need to see they can have a future in securing the devices they use every day.
Check out the full study here, and visit Raytheon and Forcepoint’s websites for more resources and information on cybersecurity careers. We’ve also created an infographic on cybersecurity careers and their many benefits and a primer for parents on guiding their kids toward careers in protecting the internet. Throughout the rest of October, follow the #CyberAware hashtag on social media for the latest insights, tips and resources to use this NCSAM and to join the conversation. For tips on how you can be safer online and protect your personal information, visit staysafeonline.org – and follow us on Facebook and Twitter for year-round cybersecurity advice and news.