In March 2021, Congress passed the American Rescue Plan Act. This legislation extended several critical federal programs like unemployment and student loan deferral to help citizens continue on the path to recovery after the past year and a half of COVID-19.
A little-known part of this legislation is the $200 million allocated for hiring in the technology and cybersecurity sector. This money is earmarked to support what has become a significant skill and labor gap in the cybersecurity market, one intimately related to the escalating cyber threats we face today.
A Year of Cybersecurity Threats
For the most part, data breaches that have made the front page are those that impact consumers. Attacks on organizations like Target or Sony risk the personal and payment information of millions of people... and yet, these events seem to leave the public consciousness as quickly as they enter.
It's notable, then, when major infrastructural attacks become common knowledge. Just in the past year and a half, several high-profile attacks have threatened critical utility and IT resources in the U.S.:
- SolarWinds: An attack on a cloud and SaaS provider exposed the vulnerability of interconnected users on a platform if security is breached. A compromised patch update led to the potential compromise of hundreds of enterprise users, including Microsoft and federal agencies like the Treasury Department, State Department and parts of the Pentagon. Even major security players like FireEye (which was the first to report the attack) were affected.
- Colonial Pipeline: The largest pipeline provider in the U.S. found its VPN breached due to a compromised password. This single password, purchased on the dark web, led to the installation of ransomware and a payout of $4.4 million by the company.
- Kaseya: The network management tool released by Kaseya was breached, and the attack propagated through client systems, prompting the emergency shutdown of on-prem and cloud services... but not before hundreds of customers were infected with ransomware. The company announced later that it had received a decryption key but did not disclose who the attacking organization was or whether it paid a ransom.
These are high-profile cases, but they are hardly the exception. Thousands of attacks occur daily, and an increasing number of these are tied to state-sponsored actors waging cyber espionage against U.S. government assets and national infrastructure.
It seems counterintuitive, then, that there would be a shortage of cybersecurity labor. But, as Gartner reports, the crunch for capable experts is real and growing.
Consider the following insights Gartner published in 2020:
- Between February and April of 2020, there was a 65% surge in demand for cybersecurity jobs in the U.S.
- Throughout the year, companies reported that cybersecurity jobs were very difficult to fill, with an average of one qualified candidate per job.
- Cybersecurity job openings remained open for 60 days on average.
Additionally, David Shearer, CEO of nonprofit organization (ISC)2, stated that there simply were not enough cybersecurity professionals on the market to combat foreign threats. "We are outnumbered," he said in an interview with CNBC. That shortage has a cascade effect of encouraging even more hackers to attack systems with a sense of impunity.
What Is the Solution for the Labor Gap?
The Biden administration has started us off on the right foot, by prioritizing hiring and resources in the industry. This makes sense, considering the challenges agencies and contractors face in protecting sensitive data. But there isn't a single solution to the problem at hand. It will take several approaches, addressing different problem areas, to jumpstart interest in cybersecurity.
Some of those approaches include:
- Cultivating talent from a diverse pool of applicants. Companies can start outreach programs in several different, underserved labor pools, and encourage individuals who normally avoid technical fields to invest their energy. A labor gap could be an effective way to develop workforce pipelines with a potentially huge pool of female, Black and Hispanic engineers.
- Working hand-in-hand with universities and community colleges. Students in computer science and engineering are pouring out of colleges, and yet we still find ourselves looking for cybersecurity experts. Businesses with real-world insight can bring attention to this issue and speak to students about the value of this market. Likewise, internships and intern-to-hire pipelines could create a steady stream of trained security specialists from colleges while promoting a curriculum that addresses modern-day problems.
- Analyzing company culture. Cybersecurity, and IT in general, can be extremely stressful to even high-level professionals. Creating a culture of support and professionalism can go a long way towards keeping veteran security people on your team and enticing the next generation through your doors.
- Offering continuing education stipends or programs. A large part of the labor problem is that the skills needed to successfully prevent attacks are highly technical, and they change and evolve every day. Working with your people to keep them trained will benefit not only your organization but the industry as a whole.
National Cybersecurity Is a Shared Responsibility
As we are learning, the cyber defense of the nation isn't an individual problem. It is a shared one that we all have the power to solve. That means supporting our companies and our IT infrastructure while cultivating the next generation of professionals that can fight on the next big front in cyber warfare.
Ready to empower your cybersecurity and compliance objectives? Contact SecureStrux to learn how our managed security services can help.