Potential Solutions at the Right End of the Cyber Talent Pipeline
19-May | Written by Edward Pereira
For years we have been told that there is a severe shortage of workers with cybersecurity skills and experience, both in Canada and internationally. Most studies have described a crisis in terms of hundreds of thousands, even millions, of job vacancies, depending on the scope of the study. In 2016, ISACA Vancouver and Carmel Info-Risk Consulting undertook an unprecedented look at the problem in British Columbia specifically, by analyzing what was happening upstream from the reported problem (i.e., at the left end of the cyber talent pipeline), where students’ wallets meet tuition fees, and young minds meet visions of potential careers.
If this were truly a global problem that was also affecting British Columbia, what were our educational institutions doing to attract more young minds into the field of cybersecurity and privacy?
At the time, evidently not much. Our 2016 study used a typographical methodology, scanning some 901 course descriptions offered in all IT and computer science programs in the province, and found that only 13.9% of them contained even one of our 14 basic terms (e.g., “cybersecurity” and “information protection”). And none, 0%, of the 465 programming course descriptions reviewed contained such terms (e.g., “secure coding” or “OWASP Top 10”).
Snapshot of the Province’s Cyber Talent Situation
In the summer of 2021, more than five years on, ISACA Vancouver and Carmel Info-Risk took the unique opportunity to take a second snapshot of the province’s cyber talent situation. While high-profile security breaches had preceded the first study, like Target Corp., Sony Entertainment, and The Home Depot, and even the Stuxnet industrial attack on Iran’s nuclear program, the global threat landscape had worsened substantially since. Notable attacks, breaches or ubiquitous software vulnerabilities announced after the 2016 study and white paper were published included: (1) WannaCry in 2017, the largest cyberattack in history up to that point, (2) the Meltdown and Spectre vulnerabilities, two nearly impossible-to-fix flaws at the microprocessor chip level, (3) numerous breaches at Facebook, including those associated with the 2016 US federal elections and Cambridge Analytica, (4) the Mirai botnet attack, the largest coordinated attack in the era of the Internet of Things, and of course, (5) the evil SolarWinds supply chain attack of late 2020. This short list only scratches the surface, of course. From this list alone, it would appear that the core cybersecurity fabric on which the Internet’s success has relied was showing its wear by 2021, and a second look at the cyber talent pipeline in British Columbia seemed like a worthy idea indeed.
What we found in our second, identical ‘typographical’ study of postsecondary course descriptions in IT and computer science programs across British Columbia was disappointing. While the number of such courses increased in absolute terms by 59%, to 1433 from 901, reflecting the increased importance of technology in our daily lives, the percentage of such courses that mentioned anything to do with cybersecurity or privacy, even in passing, actually fell slightly to 12.7% from 13.9%. And once again, the programming courses that help train application developers, whose number increased from 400 to 935 in absolute terms, apparently still failed to introduce important concepts such as common software coding mistakes, vulnerabilities and secure coding practices, or privacy and information protection.
British Columbia Cybersecurity and Privacy Eco-System
In our 2021 study, we also decided to explore the broader cybersecurity and privacy eco-system in BC, to look for more clues to a better understanding of the systemic cyber talent shortage. We found that the Canadian federal government had actually accomplished quite a bit in the years between 2016 and 2021, mostly centered around the 2018 announcement of a $500 million multi-year investment. That investment spawned the IRAP business subsidy program and the creation of In-Sec-M to administer it; a threat intelligence exchange program between the public and private sectors called CCTX; a cyber certification brand, CyberSecure Canada, for the everyday Canadian small and medium-sized business to strive for; the public revelation of the international cybersecurity mission of the ‘Five Eyes’ within Canada’s intelligence program; and finally an extensive public-facing website and awareness program dedicated to promoting the importance of cyber security, through the Canadian Centre for Cyber Security (CCCS). It was on its website, cyber.gc.ca, that we observed a tremendous set of public resources, including a list of cyber programs at postsecondary institutions across Canada. Allowing for reasonable inaccuracies or omissions, it was interesting to note that only 3 institutions in BC, of 76 nationally, appeared on this list with a cybersecurity program of any kind. Given that BC makes up more than 10% of the Canadian population and has a notably burgeoning technology sector, this seemed to corroborate our own finding that BC was punching below its weight and not offering much of a pathway to a cybersecurity career for young, budding students.
It was at this point that the authors re-visited the numerous theories that abound attempting to explain the dearth of mythical cybersecurity candidates. In particular, the 2021 study and white paper made two major observations that suggest government and industry could do better to improve the cyber talent pipeline in British Columbia, and perhaps this may apply in other jurisdictions as well.
Observations
Our first observation formed from the hypothesis that, over the last several years, many companies have rushed to buy security technologies, such as endpoint, cloud, and network security products. All of these products generate an enormous amount of analytical data that should serve not only to monitor the IT environments of organizations both small and large, but also to predict unusual cybersecurity behaviour in real time. Sophisticated stuff. Many are even using artificial intelligence. However, the authors believe much of that data has gone unseen by human eyes and, most importantly, not acted upon, and an entry-level or junior cybersecurity analyst would have been best positioned to sit down and make use of these reams of data. In fact, this would be an ideal role for the BC provincial government to entice businesses to invest in through wage subsidies, while simultaneously offering tax credits or equivalent monetary incentives to students to take up a cyber program of study. Clearly, the third ingredient in BC must be the supply of more postsecondary cyber programs, and recent progress, even since the 2021 study, can be witnessed at Simon Fraser University and the British Columbia Institute of Technology, to name a few.
Our second observation came as somewhat of an ‘ah-ha’ moment – a realization that the initial problem, a lack of filled vacancies at employers, at the right end of the cyber talent pipeline, is, at least in part, the employers’ to own. In our analysis, we never found evidence of any kind of business lobby effort by employers in the province asking any level of government to solve their cyber talent shortage, and we also recognized that the majority of the duration of the cyber talent pipeline itself was embedded within the organization. The pipeline is the string of cyber professionals moving through their careers, and those careers are much longer than 2-4-year postsecondary cyber programs. From anecdotal evidence in the BC community, the authors concluded that the traditional method of finding cyber talent internally had not really changed in 20 years and needed to be improved dramatically. That is, most cyber professionals emerge within an organization after several years in internal IT support roles, or as IT infrastructure engineers and administrators. If most of the cyber talent pipeline is in fact embedded within employers’ domain of influence, then, the authors posit, employers would benefit by more clearly illuminating all of the potential internal pathways to a cybersecurity career for their workforces, including from an ever-widening variety of other roles, such as those in compliance, risk, marketing, and auditing.
In summary, at least some part of the solution to employers’ cybersecurity talent shortages may be right under their noses, at the right terminus of the cyber talent pipeline, not at the opposite left end where students receive their brief education. Further, a concerted business lobby effort to support more postsecondary cyber programs and students at that left end of the pipeline can only help employers down the road as well.