3 reasons why upskilling the nation’s cybersec savvy won’t solve the skills gap

The White House recently announced its new National Cyber Workforce and Education Strategy & Implementation (NCWES): a mouthful that translates into something along the lines of “Let’s fix this cybersecurity skills gap STAT!”

It sounds like a great idea, at least on paper: Upskill every American by equipping us with “foundational cyber skills,” open up our understaffed and under-pressure cybersecurity workforce to “all workers, regardless of college degree status,” diversify that work force to pull in candidates from underrepresented demographics (specifically, women, people of color and disabled persons), and get more Americans into jobs with decent pay. 

A CISO’s take: Nice try. It won’t fix the skills gap, though. 

Earlier this month, after Contrast CISO David Lindner had noted the Biden administration’s new initiative in his CISO Insights column, we had a chat about whom, exactly, the plan might convince to jump into cybersecurity. 

Unfortunately, from a CISO’s perspective, the answer is that the plan misses the point. 

What it does do

Biden’s initiative lays out a slew of efforts aimed at “filling the hundreds of thousands of cyber job vacancies across our nation,” which the administration called a “national security imperative”  that will help the country “to lead in the digital economy.” Among them:

• $24 million from the National Science Foundation (NSF) for CyberCorps®: Scholarship for Service (SFS) awards;
• Four grants from the  National Security Agency’s (NSA’s) National Center of Academic Excellence in  Cybersecurity (NCAE-C) program to support a pilot initiative to develop four new Cyber Clinics at accredited U.S. colleges and universities;
• Stronger outreach from the Office of the National Cyber Director (ONCD) to underrepresented communities; 
• Up to $3,600,000 from the National Institute of Standards and Technology (NIST) for Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development projects; and, among other things, 
• The Department of Labor (DOL) announced a $65 million award in formula and competitive grants to  45 states and territories to develop and scale registered apprenticeship programs in cybersecurity  and other critical sectors.

What it doesn’t do

The problem, Lindner says, is that the plan doesn’t address the need to create entry-level paths into the field. There are those who are trying to fix the lack of entry-level jobs, he says: He gives a shout-out to Contrast Director of Information Security Naomi Buckwalter, who, every Sunday, shares an entry-level cybersecurity job she’s run across. Buckwalter is dedicated to the mission: She has authored a LinkedIn Learning course, Attracting Cybersecurity Talent: Hiring and Retaining Talent, that promises to help organizations to spot hidden potential, dispel common myths about cybersecurity job applicants, rethink technical interviews and more. 

Brava for the effort, Lindner says, but the entry-level cybersecurity jobs out there aren’t at startups. Rather, they’re slog jobs, he says: “They're not the tech-heavy, fun, fast-paced organizations.”

Why aren’t there any twinkly, fun, tech-heavy, entry-level jobs at shiny startups … like, say, Contrast? And what is it about the NCWES program that isn’t addressing the real problem? 

Why the president’s NCWES initiative won’t move the dial

Lindner offers a few reasons why the bill won’t help solve the skills gap. Basically, his rationale fits into two categories: a.) There simply aren’t enough cybersecurity entry-level jobs out there, and b.) the NCWES initiative won’t have much luck convincing people to get interested in the field if they’re not already in technology. 

1. Sexy startups don’t have the time to train entry-level workers.

“We need people who can come in and contribute yesterday,” Lindner says. “We’re understaffed, and we don’t have [sufficient] budgets. The time it requires to build up someone is seen as a big blocker.”

Technically, entry-level cybersecurity jobs do exist. The problem is that the so-called entry level jobs “feel more like you need two to three years of experience doing something in tech,” he continues. “That's tough to swallow.” (See item 3 below for an example.)

When it comes to his own career, he considers himself lucky. His start was working on a mainframe writing PL/I. He hated it but says that he learned quickly how to network,

got transferred into networking, started building and managing web architectures, and thereby got a good grounding in how the Internet works and how traffic flows. He went on to get a Master’s degree in the field and fell in love with web application security. 

Fortunately, his employer supported all of it. “Thankfully, I worked for a company at the time that allowed me to. They had a very good internal transfer system when jobs would open up, and they're very good about saying ‘Hey. you've got really good networking experience. You understand the web. We're going to move you to the security team.”

He’s never looked back. 

Unfortunately, such companies are in the minority these days, when new hires need to hit the ground running, instead of working their way up into cybersecurity, Lindner says. 

1. Many/most people just don’t care. 

Another reason that the CISO thinks the initiative won’t upskill all Americans is that most people don’t care about cybersecurity until it becomes a problem. An example (stop me if you've already heard a hundred versions of this one): Recently, hackers hijacked the Facebook account of Lindner’s friend, a dance instructor. Somebody — a purported “friend” — had messaged her on Facebook, claiming that their own account had been hacked; could she help her friend get back in? 

Lindner’s friend complied, and in doing so lost control of her own account to a hacker who’s using it to sell random garbage and to hook other victims. 

“She doesn’t care about security. Can the government fix that?” Lindner ponders. “I don’t think so. The initiative sounds good, but people don’t care about cybersecurity until it’s a problem. The government isn’t going to make people care about security. It’s not going to make people do the job of security.”

1. The initiative does nothing to create entry paths. 

The initiative doesn’t resolve the fact that there are precious few entry paths into the field, Lindner says. To somebody coming out of school with, say, a degree in marketing and some understanding of security, the NCWES initiative might sound promising at first glance. “They probably think it sounds awesome,” Lindner guesses. “‘Where do I start?’ they probably say. ‘Sign me up!’”

But even an “entry-level” job as a remote cybersecurity analyst for MorganFranklin Consulting that Buckwalter posted recently requires “knowledge of and experience employing general cybersecurity best practices,” as well as “baseline experience with tools/bodies of knowledge” in one of these pillars:

• Strategy & Governance, Risk and Compliance (GRC) 
• Security operations (SecOps)
• Identity and access management (IAM)
• Security operations center (SOC) & Incident Response
• Cyber Resilience

The job listing notes that a BA degree in Information Technology or a related field is “preferred.” 

To Lindner’s point, this entry-level job reads more like a job for somebody with academic training in cybersecurity and some experience in the field. How many marketing majors — or English majors, or fill in the liberal arts blank — would likely be qualified for such an entry-level position? 

How do we get that marketing major a job in cybersecurity?

To create a bridge between our hypothetical marketing major and an entry-level cybersecurity job would require money, training and resources, Lindner says. “The NCWES plan doesn't do anything to create entry-level paths now,” he says. 

For her part, Buckwalter recommends mentorship programs, upskilling/reskilling and expanding the talent search. To find out more, check out her LinkedIn Learning course, "Building the Next Generation of Cybersecurity Professionals.” 

It gives security leaders, CISOs and hiring managers a guide on how to attract, interview and train junior cybersecurity professionals for their security teams. 

And yes, the course even covers how to turn marketing majors into cybersecurity professionals.

Read more:

• 7 tips for women to land their dream job in tech
• Recruit qualified internal talent to serve as security coaches
• Legacy AppSec = more time wasted by your scarce cybersec crew
• Stop fretting about the skills gap, start hiring Ted Lassos
• AppSec Instrumentation Addresses AppSec Skills Shortage

Click here for more CISO Insights from David Lindner.