photo-dave - Fotolia


Improving the cybersecurity workforce with full spectrum development

Eric Patterson, executive director of the SANS Technology Institute, explains why it's time to rethink educational development to strengthen the cybersecurity workforce.

There have been many exciting conversations during the past year about the standards and methods by which we are seeking to effectively address the personnel shortfalls of the cybersecurity workforce. Very appropriately, a large part of these conversations has focused upon the persistent need for entry-level practitioners.

With approximately 1 million unfilled jobs in the field currently, and a projection of approximately 6 million open jobs by 2019, the focus on the front-line members of the workforce is critical. Draft NIST Special Publication 800-181, titled "NICE Cybersecurity Workforce Framework (NCWF)," is surely known to most of us, and is a first step toward defining and addressing that shortfall.

Eric Patterson, SANS Technology InstituteEric Patterson

However, in the rush to address the largest need of the cybersecurity workforce, we should also consider that there is not just an opportunity, but an equally pressing need, to simultaneously consider and define the professional standards and credentials for the leadership of this rapidly growing workforce.

In my own experiences communicating with information security leaders, or aspiring leaders, I've very much come to appreciate the rapidity of the growth experienced in this field. We all likely know someone who rose up through the ranks over a period of time, building and expanding their skills along the way in the school of hard knocks. We may also know the leader who has several advanced degrees, some of which may not be in a technical discipline.

We know the leader who has superb technical skills, but may not be as equally comfortable communicating with the C-suite or navigating budgets and human resources. We may also know the leader who is a superb executive, but who may not have strong technical chops, and is sometimes at a loss when interacting with their own team.

Each of these types of leaders has a role to play, and each can be successful in the right organization at the right time. However, as the industry, training organizations and higher education focus on the work needed to create a literal army of entry-level practitioners, is it wise to leave the concurrent formation of their leadership to the emerging and shifting landscape that has gotten us this far? Maybe, but not entirely.

SP 800-181 routinely references leadership, primarily in the sense of how the publication might be used by leaders to assess, acquire, develop, measure or train their workforce. Deeper within the document, there is the NWCF category of Oversee and Govern (OV), which describes the layer of the workforce intended to provide "… leadership, management, direction, or development and advocacy so the organization may effectively conduct cybersecurity work."

SP 800-181 goes on to broadly identify and describe the OV specialty areas of Legal Advice and Advocacy; Training, Education, and Awareness; Cybersecurity Management; Strategic Planning and Policy; Executive Cyber Leadership; and Acquisition and Program/Project Management, as well as to identify the Work Role ID of Executive Cyber Leadership. The document isn't clear on if all of those skills are hypothetically embedded into one mere mortal.

According to a recent survey, 70% of respondents indicated that they felt that a bachelor's degree was a minimum credential for entry into a professional entry-level position in cybersecurity. Yet, according to that same survey, only 7% of the top universities around the world offer a technical cybersecurity degree at the undergraduate level.

Organizations such as the National CyberWatch Center, a nonprofit clearinghouse funded by the National Science Foundation, are working hard to develop curriculum standards at the level of two-year degree programs. However, it would seem to be difficult for the same to occur at the level of four-year degree programs, at least in the U.S.

The nature of the liberal arts education model, with its wide-ranging exposure to various departments, does not leave much room to move beyond the theoretical, and into the broad and deep technical skills needed by a future leader across the various fields of incident response, incident handling, digital forensics and penetration testing, let alone adding public speaking, accounting and leadership theory into the mix.

The narrower focus of graduate programs allows for more to be achieved in this direction, and the corresponding emergence of a multitude of cyber master's programs is ongoing.

Finally, as a field of technical study whose velocity of change is by no means slowing down, universities face a conundrum across all levels of education in keeping tenured faculty current in their own skill sets in this technical and fast-moving field.

Even if we solve for all of those issues across a broad landscape, how do we begin to think about the right mix of sufficient technical skills and some grounding in the softer, but frequently more difficult, skills of communication, finance and leadership? Is the industry right to expect educators to provide the well-rounded professional who is fully prepared to excel and lead, or does the industry itself need to play a more active role in leadership development for its cybersecurity workforce?

Given the ongoing pace of evolution of both the cyber threat landscape and the available tools, the answers to these questions will surely bend, and sometimes break, our preconceived ideas and our existing models for how leadership development is done in other fields. But by ignoring the sequential development of a model for producing leaders for the cybersecurity workforce, we are most assuredly consigning that workforce, on a wide scale, to years of less than optimal effectiveness, as we wait for leaders to organically grow and emerge.

About the author:
Eric Patterson is the executive director of the
SANS Technology Institute. He has more than 25 years of experience in the military, government and academia. His military experience includes 20 years as an infantry and Special Forces officer, during which time he deployed to multiple combat zones; managed the training programs for all U.S. Army Special Forces, Civil Affairs and Psychological Operations soldiers, and directed full-spectrum special operations in Eastern and Central Africa. Patterson earned his BS in international relations and a minor in systems engineering from the U.S. Military Academy at West Point, NY.

Next Steps

Find out how enterprises can encourage millennials to enter cybersecurity careers

Learn how to land an entry-level security position

Discover how improving diversity could help close the cybersecurity skills gap

This was last published in May 2017

Dig Deeper on Careers and certifications