Cyber terrorists are plotting a biological attack on the British government. All that stands in their way is a group of cybersecurity experts, who must hack into the ventilation systems and locate the weapon before it’s too late.
This scenario is fictitious, of course, designed to allow amateur cyber security enthusiasts the chance to pit their wits against one another in the Cyber Security Challenge UK Masterclass, which took place in London in late November. However, it’s part of an effort to tackle a very real problem: not enough people are entering the cybersecurity workforce.
“We have an awful lot of cyber vacancies, as does everybody else,” says Budgie Dhanda, sales director of security at QinetiQ, the UK-based defense and security business that designed the biological attack scenario. The shortfall is across the board, he says, from software developers to project managers. “There aren’t enough people out there to meet the needs of all the suppliers.”
The talent gap is a global problem. In the U.S. alone in 2014, companies posted 49,493 jobs that require Certified Information Systems Security Professional (CISSP) certification, a major cybersecurity qualification. However, only 65,362 people are CISSP certified in total, and most of them already have jobs, according to an October report from U.S. defense giant Raytheon and the National Cyber Security Alliance (NCSA), a public-private partnership that promotes Internet security.
Raytheon and NCSA focused on the younger generation, commissioning Zogby Analytics to survey 18 to 26-year olds in 12 countries around the world on their attitudes toward careers in cybersecurity. The survey found that perhaps the most important step in closing the talent gap is making millennials aware that there is such a field and that it's growing.
“The perception—mostly fueled by the movie industry—of people sitting in dark rooms in front of glowing monitors is not what the cyber profession is all about,” says David Wajsgras, president of Raytheon’s Intelligence, Information and Services business. “We need to do a better job at communicating what we do. We are engineers, policy makers, critical thinkers, and innovators.”
Wajsgras outlined a range of ways in which the cyber industry and government were working to boost awareness among young people. He said they were aiming to enlighten teachers and career counselors about jobs in cyber, as well as getting cyber professionals into classrooms with children of all ages to run hands-on activities “and show students how it’s an exciting field to be part of.”
The Cyber Security Challenge UK, which is funded by the British government and private companies, conducts a range of programs with young people. Robert Nowill, chairman and director of the organization, highlights CyberCenturion, a competition for 12-18 year-olds that has them analyze a virtual computer for possible vulnerabilities. CyberCenturion is modeled on CyberPatriot, a similar program in the U.S.
There is also an effort to convince older people to switch careers, whether they work in a related tech field or something else entirely. Peter Clarke, the winner of the Cyber Security Challenge Masterclass in London, is a 38-year-old network engineer for a car dealer. He can now choose from a range of prizes worth over £100,000, in training, university courses, and access to industry events. Entrants to previous competitions have been offered jobs with companies like QinetiQ, or even the UK's Government Communications Headquarters (GCHQ), an intelligence service.
“Computer scientists [and] web scientists are difficult to attract because there is a lot of competition for them, and getting those CVs in the door is a struggle,” says David Cole, managing director of Roke Manor Research, an electronics engineering consultancy. “Therefore using events like [the Masterclass], which is recruitment with a difference, is a showcase to demonstrate that the UK needs the sort of talent that is on display here.”
The Raytheon/NCSA report also identified a talent "gap within the gap": far fewer women than men are entering cybersecurity. The survey found that, globally, 33% of young men said they were more likely to consider a career in the field than they would have been a year before. That figure was 24% for women. The report suggested that much of this has to do with communication: 66% of women said that no teacher or counselor had ever discussed careers in cybersecurity with them, compared with 57% of men.
“We’re not attracting that huge swath of the population into considering this as a career,” says Nowill. “The ones who do come in are really successful, they’re some of the best people. So if we can open a door and a window into getting more people into this career, that’s a great thing to do.”
You may not end up saving the royal family from a biological attack, but the necessary skills are the same.
“We worked very hard with the [Cyber Security] Challenge to come up with what we thought was a hypothetical but potentially realistic scenario,” says QinetiQ’s Dr Dhanda. “It may not necessarily be in a defense or a national security context, but the same skills [the Masterclass finalists are] learning now are just as applicable if you’re in a bank or a big retailer or a telco.”