The next cohort of cybercrime fighters may come from an unlikely source. This summer, the Girl Scouts of the USA announced that, starting in 2018, they would introduce a series of badges centered on information security and computer literacy. The goal, the organization stresses, is to prepare its million-strong membership for the jobs of the 21st century.

The move comes not a moment too soon; the cybersecurity sector is facing a workforce gap estimated in the millions. To be sure, the troops alone can’t staff up IT departments facing a severe talent shortfall. The effort, however, reflects just the type of innovative approach required to address the issue—one that not only reimagines how, but also who we train. “We need to be thinking beyond the traditional routes for how people get jobs,” noted Frank Schettini, chief innovation officer at the nonprofit information security advocacy group ISACA. “This problem requires a more creative approach to get people in the marketplace sooner.”

 

Losing the fight

“Troubling gaps have emerged,” according to AT&T’s 2017 Cybersecurity Insights Report Vol. 6, “between the rapidly evolving threat landscape and the resources organizations are allocating to defend against cyberattacks.” Troubling gaps indeed. According to ISACA, there will be a worldwide shortage of two million cybersecurity professionals by 2019. The research firm Cybersecurity Ventures projects that figure will jump to 3.5 million soon after.

This hiring shortfall comes at a time when hackers are more skilled and emboldened than ever. Nearly 80 percent of respondents to AT&T’s Global State of Cybersecurity survey said they’d been negatively affected by a hack in the last year. These breaches can be devastating to the bottom line: The Ponemon Institute, an independent research organization, noted that the average cost of a data breach in 2017 was more than $3.5 million. And these types of attacks are only going to become more frequent. According to Cybersecurity Ventures, worldwide cybercrime is expected to cost $6 trillion annually by 2021, up from $3 trillion in 2015.

There’s certainly consensus on the need for robust recruitment to meet the challenge posed by the black hats. But growing the workforce isn’t simply a matter of posting more positions online. “It starts with a simple fact that there just aren’t enough qualified cybersecurity professionals to fill the open jobs we have today, let alone tomorrow or next year or the next five years,” acknowledged John McCumber, director of cybersecurity advocacy for (ISC)², a nonprofit membership association for information security. “But that greatly oversimplifies the challenge.” To bridge the gap, he argues, organizations need to do a better job identifying the required skillsets—and helping candidates attain them.

 

A new approach

Education is a big part of the solution. No doubt, the first step toward bolstering the cybersecurity workforce is helping colleges and universities better prepare their students. And that’s going to take some industry buy-in, notes Steve Morgan, founder and editor-in-chief at Cybersecurity Ventures. “The cyber threatscape is changing at a very fast pace, which universities can't keep up with unless they've got a view into it from top cyber experts in the private and public sector,” he said. “Fortunately, we are seeing a hard push in this direction by many big tech and cyber firms.”

But some in the field argue the ivory tower alone won’t save us. “We’ve faced challenges with the traditional way we’ve approached this,” notes Schettini. “We send people to class, have them look at PowerPoint presentations and then take a multiple-choice exam. But for cyber, is that the best way to learn in this day and age? Book learning only takes you so far.” He argues that performance-based training, whether from vocational schools, certificate programs or even on-the-job skill development, may be more important than a diploma from a four-year institution.

Regardless of degree, the ISACA executive contends that continuing education is crucial to sustaining a lasting workforce. “The world is constantly changing on the technology front, especially with cybersecurity,” said Schettini. “Training materials are only as good as when they were created. It really requires a continuing learning process.”

Building out a strong cybersecurity bench isn’t a one- or two-year goal. It will require long-term strategic planning, creative recruitment and collaboration between training institutions and business. But in the meantime, many companies that today face a talent shortage aren’t taking advantage of the resources that are available. According to AT&T’s 2017 Cybersecurity Insights Report Vol. 6, only a third of U.S. companies plan to outsource some of their cybersecurity operations. Such outside groups, however, can be a real asset. “Consultants and managed-service providers have the advantage of specializing in cybersecurity, rather than treating it as a sideline to their core business,” the report notes. “These providers are often able to attract top-of-the-line talent and implement cutting-edge cybersecurity technologies faster.”

Put simply, help is on the way. You just have to know how and where to find it.

For more on the ways organizations can manage the shortage in cybersecurity talent, read Mind the Gap: Cybersecurity's Big Disconnect, AT&T’s latest annual Cybersecurity Insights report.