This feature first appeared in the Spring 2016 issue of Certification Magazine.
Whether people realize it or not, cybersecurity is an integral part of society today. We've become accustomed to doing mundane tasks online — from banking transactions to children's games to locking the doors to our houses. By and large, most people outside of the security community are focused on the convenience that technology offers, without considering its potential security vulnerabilities. I believe that society's level of awareness has risen to some degree, due to the high-profile nature of headline-making security breaches that seem to occur daily.
Increased awareness, however, isn't enough. The problem is that technology is simply advancing faster than our ability to secure it. We also aren't producing enough qualified people to help secure the technologies upon which society relies. According to the 2015 (ISC)2 Global Information Security Workforce Study (GISWS), which surveyed nearly 14,000 security professionals worldwide, there is a shortage of IT security professionals in the workforce. By 2020, the absence of qualified professionals could result in as many as 1.5 million IT security jobs going unfilled.
GISWS also found that the average age of the workforce is 42, with just six percent of information security professionals under the age of 30. This makes the lack of trained professionals a longstanding problem without a near-term solution. Further, it is important to note that the study doesn't take into consideration attrition rates related to retirement and people leaving the profession due to burnout, which exacerbates concerns about the lack of available, qualified professionals.
So where do we focus? As a first step, we need a strong, cohesive effort to raise students' awareness of cybersecurity as a career option. We need to inform those on the front lines of students' education — teachers, school counselors, mentors, parents and guardians — about this specialized industry, which consistently commands high salaries and has a near-zero unemployment rate.
It is essential to incorporate security into the education system in a manner that ultimately delivers qualified graduates. I also believe, however, that all students should be educated in the basic principles of information security — because everyone plays a role in the security posture of families, businesses and ultimately society.
When we look to the education system as it is currently structured today, it's difficult to imagine fulfilling the depth of the need to develop enough skilled and qualified professionals, because the traditional Science, Technology, Engineering and Math (STEM) disciplines frequently do not incorporate security training.
This is increasingly problematic given that consumers, early responders and law enforcement officials are regularly using more products with embedded systems that reach across electrical, software, mechanical and chemical engineering disciplines.
According to a report from the National Student Clearinghouse, between 2004 and 2014, there was an increase in STEM degrees awarded at the bachelor's, master's and doctoral levels in computer science, engineering, and physical and biological sciences. Unfortunately, this increase hasn't made a notable impact on information security. O*NET OnLine, a partner of the American Job Center, lists just one STEM discipline for security — information security analyst.
This isn't to say that efforts aren't being made to integrate cybersecurity into curricula around the world — there are many such efforts in motion. As we all know, however, any new national education initiative requires funding. A prerequisite of that funding, naturally, is that the program has to make it onto the government's list of top priorities.
The good news is that government officials are taking notice of cybersecurity concerns. As security breaches continue to pepper the news headlines, affecting millions of innocent people — including those working in governmental agencies — national leaders have taken notice and are starting to develop programs.
In the U.S., the National Security Agency (NSA) and the Department of Homeland Security (DHS) have created the NSA/DHS National Centers of Academic Excellence (CAE) in Information Assurance (IA)/Cyber Defense (CD). This designation is given to schools based on academic criteria designed specifically for cybersecurity education. Designated institutions have the opportunity to show that they have a quality security program with IA/CD focus areas.
The National Initiative for Cybersecurity Education (NICE) is another example. Offered through the U.S. government's National Initiative for Cybersecurity Careers and Studies, NICE provides a way for teachers to access a variety of available resources to help develop curricula and incorporate cybersecurity into lesson plans.
Expanding efforts such as the CyberCorps: Scholarship for Service program, designed to fund full-time students studying information assurance in exchange for government service following graduation, will help government agencies meet their IA/CD needs and also attract a greater number of students to the field and better prepare the workforce of the future.
Universities in the United Kingdom now have access to the country's first higher-education cybersecurity learning guidelines for undergraduate degrees. Upon completion, the degrees are referenced with the British Computer Society, the chartered institute for IT.
These guidelines were developed in support of the government's National Cybersecurity Strategy and were published by (ISC)2 and the Council of Professors and Heads of Computing (CPHC). As a result of this effort, 100 U.K. universities will receive assistance in implementing and improving relevant cybersecurity principles, concepts and learning outcomes within their curricula.
(ISC)2 works with academic and higher education partners around the world to support the development of curricula and teaching for cyber, information and software security. Through the (ISC)2 International Academic Program, universities have the opportunity to design a program of resources to suit their particular requirements at the undergraduate and graduate levels, and enhance the professional development of their teaching staff.
These are a few examples of current educational efforts to help recruit students into security. The need is so pressing, however, that we need many of these types of programs to be scaled at a much higher level if we're to gain any traction towards filling the workforce gap.
I also believe that a fundamental-level course on information security should be taught to all students. Inspiration comes from many places, but this type of education would help to make the jobs of security professionals a bit easier, and ultimately it would help to make society safer and more secure.
We need more organizations and educational institutions to get involved, because information security is not only an in-demand career field, but a very lucrative one as well. Computer and Information Systems Security, with a national average salary of more than $100,000, is ranked fourth on the STEM Majors with the Best Value for 2015 list compiled by WorldWideLearn.com.
Additionally, GISWS found that the average global salary amongst the information security professionals surveyed was nearly $97,778. When you realize that the median U.S. household income in 2014 was $53,637, you can see that security offers quite the financial incentive.
The career outlook for those in cyber, information, software, and infrastructure security is also bright. With a near-zero unemployment rate and rising salaries, security professionals are in high demand.
Whether you are a teacher, parent, aunt, uncle or mentor, the next time you speak to a child, ask them what they want to be when they grow up. When they respond, tell them about the career opportunities in security. Help get the word out and together we can make a real push to include security as a core part of STEM education.