The Cybersecurity Skills Gap

Apr 16, 2021

If you’re reading this blog, it should come as no surprise to you that cybersecurity is one of the fastest growing—and most necessary—sectors of the economy. As the world’s business continues to move away from offices and conference rooms, toward browser windows and Slack channels, it has become increasingly clear that cybersecurity expertise needs to be a top priority for businesses and organizations of all sizes.

Cybersecurity Ventures predicted that 100 percent of Fortune 500 companies will have a chief information security officer (CISO) or equivalent position in their C-suite by the end of this year, up from just 70 percent in 2018. But there’s a catch: According to the same Cybersecurity Ventures prediction, the vast majority of these CISO postings will remain unfilled because there just aren’t enough experienced candidates.

Today, a CISO or cybersecurity professional faces pressure on numerous fronts. They must be technically sound and up-to-date on the latest cyber threats, in addition to having the people management and leadership skills necessary to build a strong program while supporting business goals. Lastly, a security leader must also have the business savviness to speak to boards of directors and other executives. There is no straight path to gaining all of these skills and landing in the corner office. A lot of current CISOs fall into this Venn diagram after long and varied careers as IT pros, military officers or business leaders, but as more and more businesses require in-house, high-level cybersecurity expertise, there needs to be a more direct path to the CISO office.

I began to realize the challenges here in the disconnect between lawmakers on the Hill and the technology they were in charge of overseeing. I have been fortunate enough to work for non-technical leaders who all had a curiosity to learn the intricacies of technical issues, but this is the exception, not the norm. I realized that I needed to take this issue into my own hands and help fill the desperate need for cybersecurity talent that can bridge the “business” divide. So in 2018, I joined with a like-minded and multiple-time CISO colleague to co-found a course at the University of California, Berkeley, within their cybersecurity master’s program to help build more leaders in cybersecurity, talking not just about cyber threats or network strategy, but about the financial quantification, organizational management and legal liability—the “business” side of managing cyber risk.

I’ve continued to teach the class every quarter since and have been consistently amazed by the passion, work ethic and ingenuity of the students I work with. As students enroll in one of the few dedicated cybersecurity master’s programs in the country, they are well on their way to successful careers in the space, and I look forward to seeing their contributions in the years to come. But the small cohorts that graduate out of programs like these, brilliant as they are, will not be nearly enough to close the gap between the number of cybersecurity professionals we need and the number of qualified candidates we have.

We shouldn’t rely solely on the Stanfords, Berkeleys and MITs of the world to lead the way in thinking about cyber risk—community colleges and state universities are filled with talented, eager IT students who do great work in the cybersecurity field if they’re given the opportunity to learn. So, too, are our own organizations filled with potential—there are thousands of mid-level IT professionals who could make fantastic CISOs one day, and the leaders of their companies should take note and push them toward continuing education and professional growth.

Wherever the education comes from, it should emphasize not only technical skills, but also leadership and continuing education on cyber threats and trends. As we close the cybersecurity skills gap, we also need to double down on making sure that tomorrow’s leaders are focused on continuous, lifelong learning because the industry will continue to change at a rapid pace.

As a liberal arts major myself who has had to climb the steep learning curve to play ball in the cybersecurity industry, I would argue that the traditional comp sci pipeline is not enough to fill this gap. I challenge my colleagues to reach out to those with diverse personal, educational and professional backgrounds who have a mission-driven attitude and the intellectual curiosity to “learn the tech,” to help us build the next generation of cyber leaders. That means looking beyond a specific degree toward those who are self-taught. It means enlisting strong business or policy leaders to learn the tech. It means pushing educational institutions to integrate cybersecurity programs into non-technical fields like law and business. And, like Yoda said, it means “passing on what we have learned” as teachers and mentors to anyone with an interest and will to secure our digital way of life.

This is without a doubt an exciting time for the cybersecurity sector, but as we become more necessary in today’s networked world, we can’t lose sight of the longevity of the profession and the people who will follow in our footsteps. Building up our education pipeline and doing the work to close the cybersecurity skills gap is the only way we can guarantee a diverse and consistently improving cybersecurity industry for decades to come.