Cyber Security Careers: The Great Disconnect
As a frequent instructor at local technical/trade schools, the question I often get from my students is, "Do I really need certifications?" Based on many of my discussions with current and former students, they constantly tell me that they were told they needed to go to a specific school or pay for a certain program in order to get a certification that will help them gain access to employment opportunities. This line of thinking makes sense, but it is important for us to dig into the facts.
According to Intel’s Center for Strategic and International Studies, 82 percent of companies surveyed believe there is a shortage in cyber security skills. In that same article, 71 percent of companies surveyed say there is direct and measurable damage to their company because of the shortage of skilled professionals. These numbers would indicate that there should be ample opportunity for those looking to start a career in cyber security. However, based on my observations, it is still very difficult for “newbies” to get a chance.
Most companies covet experience, which creates a problem for those looking to transition into this field. The lack of opportunity for new security professionals creates a cycle where current experienced professionals just rotate from company to company based on the highest monetary offer. The newbies seeking to become professionals are then left taking very low-level positions that can force them back to the industries they left and already know they hate. These two facts are organically squelching diversity of thought and, more importantly, stunting innovation because of the lack of new perspective that those new to the industry could offer. In addition, as also stated in Intel’s report, 70 percent of entry-level positions require a bachelor’s degree. If you couple that with the skyrocketing costs of college and the fact that approximately only 7 percent of the top colleges/universities offer degree programs in cyber security, how are we to get “new blood” into the industry? This highlights a major disconnect between the demonstrated industry talent shortage and the companies that have cyber security employment opportunities.
So, how can we come through this disconnect? I have a few thoughts.
- More Investment – We need more investment, not from the government, but from the corporations that claim they are unable to locate talent. Because of the documented and demonstrated shortages in security talent, there are more and more technical/trade schools offering cyber security training. This represents an opportunity for partnership in the form of investment, internship, and direct career placement. This could be a true everybody-wins scenario. However, this would require a shift in most corporate policies regarding internship opportunities, in particular the policies regarding intern requirements. In most cases, internships are limited to students at traditional universities. Corporations need to simply remove that limitation and open themselves up to new non-traditional talent.
- Partnership with local Hiring Managers – Hiring managers must be willing to help destroy the negative stigma of technical/trade schools. Hiring managers will need to adjust their entry-level requirements and reach out to the non-traditional schools to create partnerships. Those hiring managers should be helping to shape the programs and curriculum that are taught in non-traditional schools. This will create some real symmetry with regard to having available candidates that possess the skills the corporation needs, and this obviously helps a newbie get a start in the industry.
- Non-Traditional Schools need to set more realistic expectations – A common complaint from many students is that they were told they would have an abundance of “real world” or hands-on training. However, many of the students end up being disappointed because of unrealistic expectations set during the recruitment process. The recruiters are not clearly conveying to students that this career path is not easy. It takes dedication and discipline to be successful. That means that before you get to the hands-on training, there is a lot of reading and, dare I say, homework to ensure you understand the concepts. These are prerequisites to configuring routers, firewalls, SIEMs, etc.
I would love to hear your opinion on the topic. Please post a comment and I will respond.
C. (2016). Hacking the Skills Shortage: A study of the international shortage in cybersecurity skills (Rep.). Retrieved March 3, 2017, from Intel Security’s Center for Strategic and International Studies website: https://www.mcafee.com/us/resources/reports/rp-hacking-skills-shortage.pdf