The Cyber Workforce, Part 1: Where we are and where we need to be
This is the first in a five-part series that analyzes the current and future state of the cybersecurity workforce. Among other topics, co-authors Bill Brennan and Meghan Good will use this series to discuss how to increase hiring, the role diversity needs to play, and what a successful cyber career looks like.
What does cyber mean in today's society?
Cyberspace is an extension of our physical reality. It has even been defined as the ‘fifth domain’ of warfare alongside sea, air, land, and space. Our devices are more populous than humans and their interconnections are more numerous and complex every day. Like our physical reality, cyberspace is coupled with survival pitfalls and we’re learning how to better identify, manage, mitigate, and respond to them as our knowledge and experience evolves. Even as we master what we know today, we are seeing barriers be broken from cyberspace with effects that deliver real world kinetic impacts. Even Warren Buffett, the well-known business mogul, presented his take on cyber recently, saying “I don’t know that much about cyber, but I do think that’s the number one problem with mankind.”
Cybersecurity as a discipline has come a long way from the days of the Cuckoo’s Egg intrusion of the 1980s, the Melissa virus, the Moonlight Maze, and other risks to early technology adopters. Today, more than 323,000 new pieces of malware, or malicious code, are identified each day. The attackers are innovating as fast if not faster than the technology providers themselves. It is not enough for cyber defenders today to buy a few products and hope for the best. Attackers are moving from utilizing known vulnerabilities to enable their attacks (see the continued life of the Conficker worm) to utilizing malware to learn how to use the inherent elements of specific technology against itself, as we recently saw with the CRASHOVERRIDE malware.
When information systems run everything from our cars, to our lights, to the military systems that keep us safe, it is imperative that we have smart people who know how to protect those systems. The ubiquity of technology means that it will be an enabler to innovation but also the greatest risk to this and future generations.
In this series, we’ll explore what it means to be a cyber professional today, where the workforce comes from, and what makes this domain so unique. We’ll also take a look at some of the things Leidos is doing to address what is becoming a worldwide dearth of qualified staff. Finally, we’ll examine what success means in cyberspace and how Leidos experts thrive at the forefront of this domain.
A dearth of cyber talent
We need a significant number of professionals with lots of knowledge and skills (which we’ll address in part two of this series), but so does everyone else. It takes time to recognize talent, and then help a professional grow and develop more desired skills through experiences. Once developed and performing at a high level of proficiency, there are plenty of other opportunities for that professional since cyber skills transcend industries and geography. This means we need to start the cycle again and continually onboard, train, mentor, and challenge talent. We do all of this at Leidos, but the incoming pipeline isn’t big enough.
Some Reasons For a Cyber Talent Gap
Over the last decade, educational institutions have updated their curricula for cybersecurity programs, some starting as early as Kindergarten, with heavier emphasis in high school and university programs. However, universities are only now embracing cybersecurity as a core degree goal as opposed to a focus area for computer science or computer information system majors. Additionally, a focus on security certifications has taken hold in the United States via the Department of Defense’s 8140 Directive. Later in this series, we’ll discuss the value of certifications for some roles while addressing their limited value in others. Even in cyber, not all jobs are created equal!
Why the authors chose cyber
“Cyber chose me, not the other way around, but the challenges keep me engaged. In college, I was a computer science major and wanted to take every advanced elective. I studied cryptography, networking, network security, databases, operating systems — the works. That broad background helped me form a strong sense of the possibility of modern computing and the challenge of ensuring privacy and integrity within those environments. I find the balance between the two to be intriguing and in a constant state of flux.
“I came to Leidos as an intern and discovered a new environment of talented engineers who were solving problems that are vitally important to our world. It may not always be easy, and it’s certainly filled with frustration, but the outcomes of our work make a global impact.”
“I never intended to get into IT, let alone cyber, but I wouldn't have it any other way. I was a CS major as an undergrad, but not that CS. Communication studies with a focus in organizational communications is what I majored in at James Madison University. I did, however, have a computer science minor and it was a combination of the two that I used to land my first job at Lockheed Martin.
“I was hired into the Information Systems Leadership Development Program with little idea of what my job would entail. Within eight hours of joining the company, I found myself in a proposal room learning about what we called, at the time, information assurance. We were bidding on a job with the FBI called the Information Assurance Technology Infusion program, or IATI — a program Leidos still runs today. The program was born from the Robert Hansen Russian spy scandal that had recently happened and I was immediately hooked.
“I've spent the last 15 years in all kinds of cyber jobs, from supporting law enforcement, to counter-terrorism and the intelligence community, and most recently, as the cyber security leader for the global business unit of Lockheed’s IS&GS before its merger with Leidos. I've visited more than 20 countries in the last six years to talk about cyber solutions and learn about customer challenges in cyberspace. The one indomitable fact from those experiences is that cyber is one of those domains that transcend geographic, mission or cultural boundaries. I have met Australians facing the same challenges as Belgian customers and talked about Omani cyber threats in a SOC in Seoul, South Korea. The challenges that come from this ubiquity and the growing understanding of the risks this creates — risks that must be managed — ensure that no day is like the last. That is what excites me to come to work every day.”