Benway tells the story of one global technology company whose stringent hiring standards have made it a target for poaching security talent even before that talent shows up for work. "One of their competitors has a policy now that if this particular company makes an offer to any individual, the competitor company will offer that individual 10% more. Sight unseen, no interview necessary, because they know they've made it past that particular bar," Benway says. "That's the kind of thing some of these companies are facing."
One reason it's hard to find people is the maturity of the profession. Roles such as SAP architect or Java developer are mature, well defined jobs with established skill sets and training protocols. By comparison, cybersecurity is relatively new, Jethi says.
Experts agree more education and training is critical to increase the candidate ranks. "One of industry biggest concerns, or criticisms, relative to security talent that's coming out of colleges and universities is that ... the academic learning is terrific, but you really need hands-on experience in cyber security environment," Benway says.
Jethi agrees. While many colleges and universities are trying to bolster their cybersecurity curriculum, in the meantime, "there is no ready pool of talent that you can groom and train," he says. To help address this issue, Cisco is running a pilot program with Duke University and Purdue University. "We're looking for people with engineering, analytical, and data backgrounds and abilities and interest, and we're offering them internships with our security business," Jethi says. The interns work on site at Cisco's security operations centers. "Even while they're in school, the internship allows them to get specialized exposure to the cybersecurity program."
If the pilot goes well, Cisco plans to expand the program to other universities. "They're not experts, obviously, on day one, but they start out with a much better view of what the cybersecurity world looks like and how to prepare to work in an environment," Jethi says.
Within schools, getting students exposed to real-world conditions is a growing priority for cybersecurity educators. UMass's Wilson notes how other fields prioritize hands-on work: "My son is a first year medical student, but already he's doing surgeries a couple of times a week. He has lab courses and he has academic learning. He's getting hands-on experience right from day one," Wilson says. "I think that's an area that we need to do a lot better job of, as far as cyber security is concerned."
The Burning Glass report turned out to be a catalyst for UMass to bolster its cybersecurity academic programs an initiative that's being driven from the school's top leaders. The university also is boosting its research focus. Participation in ACSC is one way that UMass is partnering with industry to develop the criteria for its academic programs. "We recognize that we can't develop curriculum in a vacuum outside of industry," Wilson says. "Collaboration is really critical to anything we do in this area."
Sign up for CIO Asia eNewsletters.