Small Businesses Need an Affordable, Qualified Cybersecurity Workforce

By Alan Watkins and Mike Davis

It’s been said that it takes a village to raise a child. It’s becoming clearer every day that it’s going to take a village (a.k.a., community-based workforce development) to raise a cybersecurity force that meets all of our needs – from major industry power players to small businesses – as well.

But there’s a lack of agreement within the village.

Some claim the reported shortage of skilled cybersecurity workers is just a scam being carried out by certain elements in the government and large corporations. They point to the recent success by DHS to create a pool of around 6,000 candidates to fill current and upcoming cybersecurity jobs as evidence that there is no shortage of cybersecurity workers.

But the consensus backed by numerous studies, including research published by the Center for Strategic and International Studies, estimates cybersecurity worker shortages will range from one to two million by the year 2018 or 2020.

Assuming a talent gap exists and will continue to define the industry for the next few years, the questions become: What types of businesses have the most unfilled jobs? What type of cybersecurity workers are needed and what skills do they need? Does it count toward the shortage if small-to-medium businesses (SMBs) have not yet identified their specialized staffing needs? In general, SMBs (under 500 workers) account for well over 90% of all businesses in the U.S., and therefore, this is a significant aspect in assessing any workforce shortage.

The security profession can’t agree on the positions that will be needed, or even on a common set of job descriptions for SMBs to select from. For example, the NIST/NICE Cybersecurity Workforce Framework (NCWF), considered the authoritative source, lists over 50 positions, while ISACA/ISSA each have their own dozen or so – all with little overlap. This just creates confusion for the hiring organizations. One type of position does not fit all; each organization has its own security environment.

Cyber attacks on SMBs have been increasing for several years – a problem with far-reaching consequences given that SMBs make up the vast majority of all businesses in the U.S. Yet we find that most SMBs don’t have unfilled cybersecurity positions because they don’t recognize infosec as a need for their business. And if they do recognize a need, they may assume they have to hire highly educated, costly workers with multiple alphabet soup-acronym certifications (CISSP, CISM, CEH…) to keep them safe.

So, how can we educate SMBs on their cybersecurity needs, and what’s being done to educate and train affordable, entry-level cybersecurity workers to help protect SMBs?

Many of the cybersecurity training and education programs are geared toward higher level positions, requiring a degree, certification, and years of experience. SMBs don’t have a real need for, or the resources to obtain, those types of positions – they need basic, affordable cybersecurity services which can be performed by cyber workers with entry-level training and skills. Even at that level, the cyber workforce supply certainly needs enhancing. Yet, exactly what types of workers are those? NICE, ISACA, and ISSA have great suggestions, but because there isn’t industry agreement, the end result is confusion and lack of action for many SMBs.

Figure 1

One solution would be a standardized entry-level security course that can be delivered in many settings – online, self-paced, facilitated, in-classroom, etc. But ultimately, what is needed to develop an adequate cybersecurity workforce in the U.S. is a joint, community-based approach, focused on a local region, which can provide broad-based benefits. This requires a partnership among academic institutions, workforce agencies, and large businesses to increase skill acquisition and experience (e.g., internship) opportunities for potential cybersecurity workers, and to create synergies for SMBs by making entry-level cyber workers available (see Figure 1). One facet of this community-based effort is providing very low-cost or, more generally, free entry-level cybersecurity training and education programs for job seekers. This benefits the whole community by seeding the cybersecurity workforce advancement process, enabling the upward mobility of any candidate with a passion for cyber.

In 2015, a small volunteer group of cybersecurity professionals from across the country began working on the creation of a Basic Information Security Course, based on CompTIA Security+ topics. The goal: to help SMBs obtain cybersecurity assistance and to provide any person with entry-level training free of charge. The plan is to produce 41 Modules within 10 Lessons, which can be used as stand-alone security training or to augment other formal training, such as that offered in a Community College curriculum. This course, based on the Security+ knowledge levels, can then become the foundation for other security courses or certifications. Unlike other programs, this effort proposes a free, “no strings attached” approach to a common security basics course which can also be easily facilitated at the high school level.

As an example benefit, one module in the first lesson explains how a cybersecurity worker can implement security controls – focused on both the CIS 20 Critical Security Controls and on the DHS/NIST Cybersecurity Framework (CSF). Being able to implement and proactively monitor these controls will be a huge stride forward for any organization, and especially SMBs. Granted, such an effort will likely take more than just an entry-level worker, but at least that worker can get things started at a lower human resources cost, while addressing basic security issues and reducing company risk. The plan for this training program, once completed, is to offer it through regional channels using the InfraGard chapters in San Diego, CA, and Houston, TX, as well as potentially through the US Small Business Administration’s Office of Entrepreneurial Education.

There is at least one other national effort to help address the gap in cybersecurity worker skills and market demands which is mapping the curriculum from several cybersecurity courses to the Knowledge Units (KUs) for the DHS/NSA Centers of Academic Excellence (CAE) in Cyber Defense. In addition, there is further mapping of the same curriculum to the Knowledge, Skills, and Abilities (KSAs) in the recently updated NICE Cybersecurity Workforce Framework (NCWF v3) from NIST. Both of these mapping activities will help ensure standardization and consistency in defining necessary course curriculum to meet actual organizational job duty requirements. Students will discover what courses will provide the skills needed for a particular position, and employers will be able to connect with potential job candidates who have acquired the requisite knowledge and skills. This initiative makes it possible for infosec professionals to help minimize the cyber worker shortage.

If you have an infosec background, consider volunteering a little of your time to help with one of these training efforts or to mentor potential cyber workers. Provide internships or a work/study opportunity for college students who are seeking a cybersecurity career. Use your network to help gain visibility and added support for up-and-comers.

It takes a village to train our cyber workforce. Your help can make a difference to students looking to become infosec professionals – and in doing so you will positively impact the overall security of the infrastructure on which we all depend.

About Alan Watkins

Alan Watkins has been an independent Information Security Consultant for 5 years and also an Adjunct Professor at National University for 4 years, teaching online courses in their Master of Science in Cyber Security & Information Assurance Program.


About Mike Davis

Mike Davis is currently the Director and Senior Manager, IT Security (CISO) for a large company in Houston, responsible for their cyber operations and security risk posture. Prior to that he led the Navy’s Information Assurance (IA) / Cyber technical authority efforts.
