Building Cybersecure Culture through an Age-Old Technique: Apprenticeships

By Charles Eaton

Earlier this year, the CompTIA Cybersecurity Advisory Board released a white paper, “Building a Culture of Cybersecurity,” that highlights cybersecurity threats, issues and considerations – especially in terms of concerns that are most important to corporate executives and boards of directors.

As the brief’s authors wrote:

For many organizations, there needs to be an important shift in mindset. Security can no longer be thought of as a technical problem with a technical solution; it must be treated as a critical business concern.

The paper articulates six guiding principles for building a cybersecure culture within an organization. First and foremost is: Integrate cybersecurity into your business strategy. And a critical element of strategy for businesses around the nation across industries is acquiring and retaining talent.

But in that realm, many organizations face a workforce crisis – a cybersecurity skills gap. In my ITSP article “Busting the 7 Myths about Cybersecurity Careers,” I explain that researchers predict cybercrime will more than triple during the next five years. Meanwhile, analysts also project that the number of cybersecurity professionals employed to keep cybercrooks at bay will not come close to keeping pace with this threat. During the same period of years, research indicates that the number of unfilled positions in cybersecurity could surpass 3 million globally, creating a talent fissure that could cost businesses $6 trillion.

Corporate leadership isn’t turning a blind eye to this potential cybersecurity catastrophe. Per CompTIA’s “Evolution of Security Skills” study, 33% of companies surveyed report that security is a significantly higher priority for them now than it was in the past, and 49% expect that security will be a significantly higher priority in coming years.

How will businesses of all shapes and sizes meet this rising demand? The road to finding and keeping cybersecurity talent will be neither short nor smooth. Corporate America — indeed, the international business community — has years of work ahead of it addressing this mission.

In the short term, some companies are hiring or partnering to meet cybersecurity needs, but the most common approach is to improve the existing workforce. For technical workers, CompTIA researchers found that 60% of companies use training to build security expertise, and 48% pursue certifications. Many companies also extend training to the general workforce. Ongoing programs that measure knowledge can improve security literacy for employees who are increasingly using and procuring technology.

Of course, when challenged with a daily offensive of cyberthreats (Juniper Research forecasts 146 billion data records will be stolen during the next five years, with the U.S. bearing the brunt of the onslaught), organizations understandably scramble for cybersecurity candidates who have experience and skills that fit their immediate needs.

But this exclusive emphasis on the end of the talent pipeline could become self-defeating. Without taking a proactive course to develop other candidate channels, a company’s ability to hire qualified cybersecurity experts is subject to the vagaries of market forces. Employers must reach outside the existing cybersecurity talent pool if they intend to tackle today’s cybercrime epidemic with due urgency. Plus, companies confronted with this cyber-siege today can’t afford to wait too long for tomorrow’s talent to develop. They need accelerated training methods, too.

At CompTIA, we believe that one talent accelerator is a time-tested technique for rapid skills development: apprenticeships.

Apprenticeships enable employers to tap three plentiful sources of cybersecurity talent in fairly short order:

1) Skilled Workers in Other Fields

Per a study shared last summer by the Wall Street Journal, about 87% of professionals now working in cybersecurity did not start there. Nearly a third (30%) came to their positions from fields outside technology, such as marketing, finance and the military. Fully a third of chief information security officers (CISOs) and other upper levels in cybersecurity today started with roles outside IT departments.

These findings suggest that many companies need look no further than their own ranks to find viable cybersecurity talent. Moreover, they can focus within their own workforce for worthy mentors to nurture this talent. But even if they find pickings slim in their own backyard, the likelihood that they can find good prospects just down the figurative industry street appears high.

2) Groups Currently Under-Represented in IT

Our organization’s career program, IT-Ready, offers eight weeks of intensive, classroom-based education and training free of charge. We seek students from groups currently under-represented in the IT industry, including unemployed, under-employed and displaced workers, women and ethnic minorities, and veterans and their spouses. Participants learn skills that include building a computer from parts, installing software, troubleshooting problems and setting up and managing networks. We also instill softer professional skills, such as effective communication, customer service and job interviewing.

At the end of the eight-week program, IT-Ready students take our CompTIA A+ certification exam and are encouraged to pursue other CompTIA credentials, such as Security+, free of charge for as long as 12 months after graduating. In short, in a year or less, IT-Ready is delivering competent candidates to the job market who can either contribute to cybersecurity efforts immediately or backfill positions as current employees move up the career ladder.

3) Students Under-Trained in College

In our 2017 study “Assessing the IT Skills Gap,” 87% of the 600 U.S. IT and business executives surveyed across a variety of industries agreed with the statement “Colleges are not sufficiently preparing students for today’s jobs” — including cybersecurity, which ranked among our poll’s top five IT skills gap areas.

Companies can apply the apprenticeship solution to this channel, too, by creating what we call “sustained internship” programs. In short, college students (and sometimes qualified high school candidates) work as interns for the same organization summer after summer with the promise of a full-time position upon graduation. This approach lends a real-world immediacy to cybersecurity awareness and other technology training often lacking in classroom settings. In Chicago, our home market, we have collaborated on this approach with Accenture, Cisco and IBM.

So, whether focusing on talent inside or outside an organization, apprenticeships can supply companies with a more predictable, sustainable pipeline of applicants, while providing new cybersecurity workers with necessary experience, education and mentorship. In other words, apprenticeships can lay the building blocks of cybersecure culture. Through these types of programs, businesses can overcome the scarcity of security professionals and prepare their workforce and businesses for today’s – and tomorrow’s – cybersecurity challenges.

About Charles Eaton

Charles Eaton leads three philanthropic endeavors for CompTIA, the world’s largest IT trade association: Executive Vice President of Social Innovation, CEO of Creating IT Futures and NextUp, the organization’s initiative to inspire young people to choose technology careers. The second edition of his book, How to Launch Your Teen’s Career in Technology: A Parent’s Guide to the T in STEM Education, is available on Amazon in English and Spanish versions.
