Closing the cyber skills gap

Chris Sienko: Hello and welcome to another episode of CyberSpeak with InfoSec Institute. Today's guest is Kathleen Hyde, Chair of Cybersecurity Programs at Champlain College Online. We're going to be talking about a topic that's currently a big part of InfoSec Institute's initiative for the coming years, namely finding new and innovative ways of closing the cybersecurity skills gap. Kathleen has been dealing with the issues underlying the skills gap for years, so we're going to see if we can pass on some suggestions that employers, or would be cybersecurity experts, can apply in order to bring up the cyber workforce.

Kathleen Hyde is the Chair of Cybersecurity Programs at Champlain College Online. Her areas of interest and expertise include insider threat detection, emerging threats and defenses, digital privacy in surveillance and cybersecurity for educators. Kathleen, thank you for being here today.

Kathleen Hyde: Thank you for having me.

Chris: So let's start off with the big question. What, in your opinion, is the biggest cause of the cybersecurity skills gap at the moment?

Kathleen: Well, actually I think it's a combination of two things. First, the advancements in technology that we've seen in the last decade or more, but certainly in the last few years as we have IoT devices coming to the market. But also how we're utilizing that technology. So we went from business uses to now everybody using it and being attached to a smartphone 24/7, both for personal as well as work use.

And so I think what's happened is that we're barely able to keep pace with the rapid evolution of IT. And when we can't keep pace with that, how are we supposed to keep pace with the security and all those things? So that's one of the reasons, and basically the reason why I think that we have this skills gap is we've just had this explosion of technology, the explosion of need for qualified people, and it's created this giant gap.

Chris: Yeah. That brings me to a question I had saved for a little later, but because of the speed at which up to the minute knowledge changes the current sort of wisdom is that up to date knowledge has a shelf life of about two years. So that every two years half the knowledge goes away or becomes obscured. So is the issue bigger than just getting people onto the skills treadmill so they're staying fresh? What do you think the strategy can be to simultaneously get people interested in cyber, but also just not have it be this endless quest to keep pace, keep pace, keep pace?

Kathleen: Well, I think one of the things is that we have to look at keeping pace is for the first step. We're not even keeping pace and keeping pace as that first step. And then getting ahead of it is really going to be about training people to think basically ahead of the curve, and to think like the adversary and then anticipate what they're going to do. And certainly we have technology that's going to help us with that.

As far as the two years, I would say that sometimes I wake up in the morning and I roll out of bed and I grab my smartphone, and I look at it and I go, "Oh goodness. There's something new". And it happens a couple times a week. So I don't even know that the two years is an adequate, or an accurate, assessment.

But I think that one of the things we have to realize is basically that we need to have professionals with a broad range of skills. Really don't need to be tailoring to niches. And so if people have that broad range of skills, as things are changing they're going to be able to basically change with the times. And it's going to be easier to retrain or re-skill somebody as the technology changes.

The other thing, too, is I think that a cyber [inaudible 00:03:46] skill, or cybersecurity professionals in general, tend to be people who like challenges. So rather than getting completely stressed out by it, what they do is they go, "Oh great. Something new I have to explore. Something new I have to do". And the people who come to cybersecurity as a field, whether they're coming from IT or they're re-skilling from something else, maybe HR, and they're coming into cyber on a compliance side, they're basically coming in with that mindset of expectation of, "I'm going to have to retrain myself and I'm going to have to have a new career periodically" because that's what's going to be required of the job.

Chris: Do you prefer recruiting people from a tech side versus a non-tech side? You said there seems like there's almost two types of people who come into cyber. The ones that are more aimed towards HR problem-solving type things versus people who just like the guts of the machine and stuff like that. Do you think that some of it can be closed by suggesting a cyber career to people who might have been thinking, "What about English or history" or something like that?

Kathleen: Oh absolutely. Absolutely. I think that what it comes down to is there's a certain type of person with certain soft skills that are desired in the industry, ample problem solving and communication skills. Because, again, getting back to that I get up in the morning and there's a new breach, you're constantly dealing with having to problem solve. And having to figure out what has happened, how it's happened, what's new, how we're going to close that vulnerability.

And so if you have somebody who has those skills, whether they're in IT now or they're in HR, if you're really looking for somebody who has that basic core skillset, and then you're teaching them, and giving them the knowledge of those concepts of IT and then building on top of that the security end of things. So what I typically see in cybersecurity, and there are tons. I mean, literally cybersecurity impacts every facet of every organization. I mean, we're all collecting data in HR. We're collecting data basically on the systems that we're using for production and manufacturing, that we're using for shipping and logistics.

So it's one of those things where it touches every part of that. So there really is a place for everyone in cybersecurity. Now what I typically see are we've got the information assurance side of things, and then we've got the operation side of things. Those tend to be two different skillsets. The assurance side, you typically are policy compliance. That type of thing. The operations is really where you're doing that hands on, nitty gritty, incident response. And they do require a slightly different thought process, as well as slightly different person as far as what they want to learn, and the level of learning that's required to do the job.

Chris: Yeah. Speaking on an organizational level, what are your thoughts on the theory that the skills gap isn't as big a thing as a training gap? Under this theory, there's employees that want to be moving up the cyber ladder, but because HR has been conditioned to only accept these sort of unicorn candidates that have the exact degrees and skillsets and experiences, that there's this sort of disconnect. And it's like, "Why can't we find anyone" when you might have someone in your own staff. Is that also an issue do you believe?

Kathleen: What I'm seeing, actually, is that employers are starting to realize that because there's such a deficit in qualified applicants, and that's for a variety of reasons, but because there's such a deficit, they really are starting to look internally. I don't think that it actually is so much a training gap though. You know, just take somebody and say, "Okay, we're going to send you for five days of training with XYZ company, and then you can come back and you can do cyber security". It's not quite that simple because of all of the different facets in the organization that it touches, and all the different things that you might be tasked with doing on a given day.

Chris: So how are educators such as Champlain College creating curricula for cybersecurity education? What are you doing to stay current with the trends? Of all these issues that we're talking about, what are your initiatives within the organization to bring the skills gap up, and also to get new and interesting types of candidates interested and involved?

Kathleen: Well, the one thing that we do is we basically start off with teaching those core concepts of technology information security. That's far away the first thing we start off with. But as far as staying current on things, all of our faculty are practitioners in the field. They're working in this every day as well as teaching. And so we have the benefit of having their knowledge of what is going on. They got up this morning and they had to fly somewhere because they had to be on the incident response team.

And so, really, the big thing that we do is basically we're constantly reassessing our programs to make sure that we're meeting those industry needs by knowing what is needed because of our practitioners, as well as conversations that I have when I'm going to conferences. And I'm speaking to and listening to the CEOs of corporations, and the CSOs of corporations, and also our trade partners that we're working with. They're coming back to us and they're telling us what they need. And they're saying, "We can't find X, Y, Z. We need to have more employees who can do this or do that".

And so we take all of that and we can say, "This is what we need to build in our programs because this is what is going to be needed both now but as well, two to three, four, five years in the future".

Chris: That's great. Do you think that getting kids started and interested in cybersecurity at a younger age is a viable option as well? Do you have any thoughts on some of these emerging charter schools in which cybersecurity or other tech-focused vocational tracks are major parts of the high school curriculum?

Kathleen: Well, I'm going to say that anytime that we can get children interested in science and technology, it's a wonderful thing. For a long time we weren't seeing students interested in those fields, and so anything that we can do that encourage them is going to help us basically build the workforce that we need for the future.

That being said, I don't see that having schools that they're pushing that, or were offering that, and I don't see that as the be all end all. That is not the permanent solution for the skills gap, because when I look at the skills gap, it's really kind of a puzzle. And so having the students in those formative years learn the soft skills, like problem solving and good communication skills so they can talk to the CSO, talk to an end user.

Having them learn that, but also be interested so that when they're making those choices and they're going to college, they say, "Gee, that's what I really want to do because it's going to be exciting. It's going to be a career that I'm interested in". It's just one piece of that puzzle. So the more pieces that we have that we can put together in that puzzle, the faster we're going to, not necessarily solve the skills gap, but certainly we're going to mitigate some of the issues that we're seeing now because of it.

Chris: So within organizations, do you have any sort of strategies for how HR management or C-suite can assess the real skills gap within their organization, and the actual skill level of your staff and the actual skill level of applicants? Do you have an idea of a set of criteria that maybe are not being used right now to determine whether we need someone new or we can train within or what have you?

Kathleen: Well, I think for a long time, and I think for a long time the most organizations were basically saying, "You know what? We have to look outside because that's where we're going to see our expertise". So what they did was they looked at one of the big sites where you could get employment opportunities. And you'd look at the job postings and you'd say, "Oh great. This looks like what we need. And so we're going to just use that job posting".

So when as an applicant or candidate, you're looking for job postings, you see the same thing on all the job postings. You need a master's degree, you need 10 years of experience, and you also need this laundry list of basically certifications, some of which may not even apply to the job. So I think that the biggest thing that organizations need to do is they need to really look at what is that job and what do you need?

You know, can you start with someone who doesn't have 10 years of experience? In the information security it's going to be difficult anyway to find somebody with that amount of experience. Certainly if you're looking for a large number of applicants. We had information security, but it wasn't something that a lot of people were basically going into. Most people were coming from IT and going into information security, cybersecurity. So realistically, the first step is you've got to assess what it is that you need and then you've got to tailor it to that.

The other thing is is that we need to look at when we're looking externally versus internally, is do we have anybody that is a standout? We have somebody that we know we can train and they're going to be valuable to the organization because we know they're valuable now. Maybe they are part of the culture already. They certainly know the culture. One of the big things that happens if you hire a candidate is they may come in and they may look great, they may interview wonderfully, but they may not integrate within your culture. When that happens, it's actually a detriment to your organization. So you have that as well.

So I think the biggest thing is really look at what it is that you want to hire for. And then look for that candidate, whether they're internally or externally. Sometimes, and I think in the vast majority of situations, you probably have that candidate sitting there. They do need some training. They do need some additional academic support, and that would basically allow them to successfully being in that position. The other thing that we can't forget too, as far as assessing skills, is doing regular assessments like phishing tests, things like that to assess whether or not the end users that we have throughout the organization, not just the ones that we're looking at targeting maybe moving into cybersecurity, but all of the end users in an organization are doing what they can to create that security culture.

Chris: So because cybersecurity is not a monolith, it's a variety of types of jobs, different facets and so forth, are there any areas where the skills gap is shrinking? Are there job types within the umbrella term cyber where there's actually lots of people to cover? Or is it just an across the board issue, do you think?

Kathleen: You know, I'm going to say across the board we've got that skills gap where we need people. Not warm bodies, but we need people. We need people who are skilled and who have an interest and an aptitude for this type of work. So I'm going to say we really have across all of the sectors and all the different domains of cybersecurity, we need people.

If I had to pick one where I see it might be easier to fulfill at least certain parts of the skills gap a little bit faster, it would be in the information assurance end of things. And that's just because of being able to have people who are already familiar with corporate policy, they're familiar with procedures, they're familiar with audits, they're familiar with risk assessment. And so then you're bringing them over into cybersecurity so that they can assist the organization with those on a cybersecurity level.

Chris: So, at a college level when you're at the point when you're learning this stuff and you're also starting to sub-specialize in some aspect of cybersecurity, are there any particular skills or areas of specialty that you think students should be focusing on now to really jump into the breach where there's a lot of deficiencies?

Kathleen: I'm going to say that if somebody really wants to get into it, incident response. So those security operations. And as well, basically those higher level functions that we're going to need to be curators of artificial intelligence.

Chris: And for viewers of CyberSpeak here, I would definitely urge you to go back and look at our episode with Keatron Evans who talks about what it's like to have a career in incident response. It is really just a fascinating sort of day-to-day, what you actually do in that job, and where you go, and who you meet and stuff.

So conceivably, a massive change to your company's cyber program. Say you migrate your entire company to the cloud, could result in very fast upheaval of your security department, or massive amounts of retraining, or even replacing most of your InfoSec team. Are there any sort of procedural steps you would suggest for the C-suite when making these massive decisions that would prevent these massive hemorrhages of the security department, or job loss, or retraining or anything like that?

Kathleen: Well, I think the biggest thing to keep in mind is that whenever you're looking at any project, whether it's a cyber project or not, or it's a cloud implementation or not, is really you've got a period of time where you're looking at that project and trying to decide whether or not you're going to move forward with it. That's the time where you should be looking at your personnel and deciding whether or not you're going to need to retrain them.

As far as retraining versus new hires, again, it goes back to culture. If you've got somebody in the organization who's been there and they're part of that organization, I would be looking at retraining and re-skilling them potentially as opposed to hiring somebody new. Now that doesn't mean that you're not going to need to hire experts. If you're moving to the cloud and you have an InfoSec team and they have no experience in cloud implementations, you're doing yourself a service if you didn't hire somebody who could walk you through that. Whether it's basically as a service or you're hiring employees to do that.

But I think that really the big thing is identifying that at the first stages of a project. You don't want to wait until the end of the project and then go, "Gee, we need X, Y, Z to be able to handle this". That's not going to work because you won't have time. And you're also going to find it's going to cost you more money in the long run because you're going to have to seek out that candidate from someplace else and hire them away more likely than not to assist you.

Chris: Right. And it's all going to be under the gun as well. So you [crosstalk 00:17:37].

Kathleen: Exactly. Exactly. And that's when projects fail. And when the project fails, or when the end users start going around those policies that you have in place for security, that's where you're going to end up with those gaps. And then you're going to become vulnerable. Then you risk your reputation, you risk everything with your end users as well as your clientele.

Chris: So let's talk a minute about where companies are looking for candidates. Is it possible that qualified candidates are falling through the cracks because companies are not reaching out properly to them? Or maybe, as you say, not crafting their job description in a way that makes it seem like you could actually do it? If everything's too lofty, then you're getting less applicants. But what are some strategies to ensure that companies are finding the best qualified candidates, and vice versa, that candidates are making themselves known to the right people?

Kathleen: Well, I've got to say, first of all, most people who are in the field don't have time to look. They're so busy working that it's one of those things where when they do move, it's usually because somebody has sought them out. I've seen them on LinkedIn and the companies are using their employees to find, basically, networked individuals that they know of or they've had dealings with. Or they're going to companies they've used with vendors. They may want to have you come work for a company.

So a lot of what's happening is not necessarily on those job posting boards. It's happening behind the scenes where you're looking for a certain skillset, you're tailoring what you need, and then you're going out and you're seeking that person and you're saying, "We want you". Now on the employee side, a lot of when they're looking, it's all done again via networking. So I'm going to say that for the most part, companies, when they're really looking for those qualified candidates, most of that is occurring because of networking. Which is why as an employee, it's absolutely critical for you to advertise yourself and to also basically take the opportunity to network with people when you're at conferences and things like that.

But also a recruiter, that's your opportunity when you're at conferences, look at those people who are speaking. Look at those people who are qualified. Look at the people who are attending because you know that they're doing that continuing education that you want to have in your employee. The other thing too is is that I think that when they're looking for best qualified applicants, they really need to also look at not having it set in stone to use that you need a degree, you need 10 years experience, and you need basically all of these certifications. Some of the best applicants who are going to do the best job don't have those, and you need to be open to the other experiences that they've had. Potentially, for example, academic experience. If they've been in a program with experiential learning and they've done an internship, they're going to have experience. The employers need to take that into account as well.

Chris: Yeah, and boy, dust off your LinkedIn account. It's actually really useful in these cases.

Kathleen: It is. It is.

Chris: Yeah. So one of our big focus here at InfoSec is learning more about the underrepresentation of women and minority candidates in cybersecurity. Do you think the skills gap could be made up by encouraging and bringing candidates from more diverse backgrounds in the industry? And what are some strategies at the HR level to attract women and minority candidates into the InfoSec industry?

Kathleen: Okay. Well I have to say that last year at Champlain, we conducted a study of American adults. And what we did we asked for their opinions on and awareness of the cybersecurity field. And it was really interesting what we found when we said, "What is the role of higher education in all of that"? So we did the study. It's called The State of the Cybersecurity Workforce in Higher Education. And basically what we found is that women are more likely to say they don't have what it takes to be successful in a technical field.

On the other hand, when we looked at the respondents, we had 85% of them saying that they believe that more should be done to encourage women to enter the field of cybersecurity. And one of the reasons that our respondents cited basically for the main reason why more needs to be done to encourage women into the field was that they wanted equality.

So I think one of the things that that survey basically told us was that there's a lack of women in the field and that's due to, not because of the lack of aptitude or skill, but it's really all about communication. You know, traditionally IT, IS, they've been male-dominated fields. I think that we don't do enough to "advertise" that this is actually a field that women can be in. And I think that we need to basically say, "You can have those skills. You probably do have those skills. You may not recognize you have those skills".

And that's one of the things is as educators and as employers, we need to be looking at women and underrepresented minorities. We need to be looking at them and saying, "We see this in you". And we need to be introducing that as an opportunity to them. And I think when we do that, I think they'll actually come and they'll embrace it. And that means that they'll come into the field. We'll be providing them with basically the supports that they need because women and minorities, they do have some different needs. So that's where we can basically fill that skills gap.

The other thing is, is that we basically need to have the women who are already in cybersecurity be reaching out and be basically providing assistance to, and encouragement, really encouraging to say, "This is a great field to work in". I'm a woman. I've been basically in information technology since the '90s. I've been doing information security for a very long time, and I didn't think of that until this fall when I attended a conference and somebody said, "The women need to be lifting up other women". When you get to that point where you're at the top, which I'm chair of a program. I'm somewhat there. I need to be lifting other people up. It never occurred to me. So that's something else that, it's also the women need to be lifting up women.

Chris: That's great. And I'm sort of seeing a through line through several different questions we had here. One of the overarching issues, it seems like, is in the perception of what's needed and what candidates can look like. You know? When you say everything, 10 years of experience, and upper-level degrees, and Master's degrees and all this kind of stuff. But also it's only mostly men. It seems like there needs to be a industry-wide move to re-tailor job descriptions and job opportunities as essentially saying, "You can do this. You have the skills for this. You have the skillset. More of you than you think", because it seems like there's so many people where it's like, "We only got one candidate and we don't know why". You set the bar too high, you know. So.

Kathleen: Well that's right. If you only received one candidate, you're kind of locked into that. A lot of it is thinking outside the box. And especially if you're that person who in HR says, "Wait a second. I know nothing about cybersecurity but they just handed me this and I have to hire somebody". What are you going to do? You're going to go look at job postings. You're going to go, "Oh. This looks like it's about the same. I'm just going to basically take this posting and I'll recycle it. Put my name it and away we go". To a certain extent, it's like doing a project or anything else you do that needs analysis. And then you determine what you're willing to accept, what you can accept, and you can retrain or add training on, and then come up with that perfect employee. Because ultimately that's what you're looking for is the perfect employee, not necessarily the perfect candidate.

Chris: So a recent podcast guest noted that outsourcing security is becoming more and more common these days. And you mentioned it sort of briefly, as well, that CSOs need to understand how to integrate the very real and very common business decision to use security in a box, or security as a service, as kind of a stop gap maneuver. How do you think this will impact the short and longterm skill set issues we've been discussing? Do you think security as a service can act as a measure while employees are being brought up to speed? Or is there the fear that the cost-cutting tendencies towards outsourcing is going to make the whole argument redundant in a few years?

Kathleen: Well I think, again, it's one of those pieces of that puzzle in that security skills gap. So security is a service. It's part of the solution. It will never be the be all, end all. It's not going to be that all of a sudden we're going to have security as a service take over everything. And then we're going to have, basically, enterprises. They're just going to give up their socks. That's not going to happen.

So what I see is basically, and we've seen this before, history tends to repeat itself. Everybody goes, "Great. We're going to all run to the cloud" or "We're going to all run to this as a service", or "We're going to run to that as a service". And it happens. You end up with migrations. And then ultimately after a few years they go, "Oh. That kind of didn't work out quite as we anticipated" and they bring it back.

So I see it being basically that we're going to have that be the be all end all. It'll be part of the equation. I think can it fit right now for some organizations that don't have the ability to either fund or to find the candidates because we don't have them? Their security solutions? Absolutely. But we have to also realize that security as a service is expensive.

If you are a mom and pop, or a small business, that may not be how you're going to go because it's expensive. While you may not have the ability to hire somebody, as well, which means that you're going to be not secure. And that's really one of the areas that we need to look at, basically, is the smaller businesses too, and finding skilled workforce for them as well.

Chris: So as we wrap up today, do the magic wand maneuver. If you were able to wave your arm and solve the skills gap once and for all, what would the actions you take? Is there some combination of fast-track measures, or extraordinary measures that would solve this tomorrow? Or is this just going to be a long-term changing hearts and minds and procedures kind of situation?

Kathleen: Ooh, I like the magic wand. Bing. And then it's done. Everything is resolved.

Chris: We did it. We all did it together.

Kathleen: Exactly. Well, I might be able to do that and find all of the qualified applicants, but I can absolutely assure you that the adversaries would then go, "Oh, wait a minute. We've changed the game". I don't see it being that we will ever totally resolve this issue because we're going to need a skills workforce. Are we going to have the gap that we have now? No. I think as we're basically training people, and we're looking for those candidates who want to upskill and re-skill, we're going to be able to fill a good portion of that.

We're also going to be able to use technology to automate processes so that we don't have as many things that we have to address with, basically, a human workforce. That being said, I don't think it's going to go away. I think that with the way technology is, we're just looking at basically doing a controlled, basically measured response to what it is that we're seeing in the field.

Now we can also do things like building more secure apps, more secure software development, more secure websites, things like that. But ultimately, I don't think that there is any magic wand to solve the problem. I think it's more a question of can we get to a point where we have a workforce that is ready, willing, and sustainable to meet basically all of the needs that we have because of the technologies that we have and we're creating.

Chris: So if our listeners want to find more about Champlain College, where can they find you online?

Kathleen: Champlain.edu. If they wanted to find me, Khyde@champlain.edu.

Chris: Perfect. Kathleen, thank you very much for being with us today.

Kathleen: Great. Thank you.

Chris: And thank you all for listening and watching. If you enjoyed today's video, you can find many more of them on our YouTube page. Just go to youtube.com and type in InfoSec Institute to check out our collection of tutorials, interviews, and past webinars.

If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Please visit Infosecinstitute.com/cyberspeak for the full list of episodes. Podcast listeners can go to Infosecinstitute.com/podcast to learn more about our special promotions exclusive to fans of this podcast.

And if you'd like to try our free SecurityIQ package, which includes phishing simulators you can use to fake phish and then educate your colleagues and friends in the ways of security awareness, visit Infosecinstitute.com/securityIQ.

Thanks once again to Kathleen Hyde and at Champlain College and thank you all again for watching and listening. We'll speak to you next week.