The Cyber Talent Shortage Emergency: How We Can Fix It
By Mark Davis
Mark Davis runs the official cybersecurity bootcamp of New York City, Fullstack Cyber Bootcamp. In this post, Mark talks about the national cyber talent shortage, and shares some thoughts on how it can be fixed.
A couple weeks ago, Jeanette Manfra from the Department of Homeland Security said that the lack of cybersecurity talent in the United States is a national security threat.
“It’s a national security risk that we don’t have the talent regardless of whether it’s in the government or the private sector,” said Manfra. “We have a massive shortage that is expected will grow larger.”
The cyber talent shortage is historical in scope, and in scale. It’s analogous to events in World War 2, when the U.S. initially lacked the resources to effectively contribute to the allied effort.
At that time, the U.S. found that it had to recruit and train millions of troops, as quickly as possible. So we built 68 new training bootcamps around the country:
We are now facing the same problem that we faced in World War 2 -- we need to put soldiers on the battlefield, at scale, as quickly as possible -- but this time the domain of warfare is cyberspace.
The cyber talent shortage is solvable, but only if government leads the effort with modern ideas and rapid execution -- like it did in World War 2 -- and works closely with academic and industry partners.
This is actually happening in some places already, most notably in New York City with the Cyber NYC project:
Cyber NYC is a $100M public/private partnership between a range of institutions, including:
- Government (the project is led by the New York City Economic Development Corporation)
- Industry (companies like Google and Goldman Sachs)
- Academia (institutions like Columbia, NYU, Cornell Tech and Fullstack Academy)
- Investors (VC firms like JVP)
One of the goals of the Cyber NYC project is to create 10,000 new cybersecurity jobs in New York City. The idea (at a high level) is that those additional security professionals will help protect the city (and its 8,000,000 residents) from attack in cyberspace. In order to do that, New York City needs to do two things:
- Train thousands of people to have advanced cybersecurity skills
- Then help them get hired by local employers (government and industry) to fill the large number of open positions
In the rest of this blog post, I’ll talk about each of these areas in more detail.
Training people in cybersecurity
Cybersecurity is a complex field that requires advanced technical training in order to become a competent practitioner.
There are different ways to learn the required skills, and they each have different associated timescales:
Like we learned from our World War 2 analogy -- and as we can see in the chart above -- the quickest way to train experts is through full-time bootcamp programs that minimize the training period to about three months.
That’s why Cyber NYC funded and helped create the “official cybersecurity bootcamp of New York City”. It’s called Fullstack Cyber Bootcamp:
New York City announced the cybersecurity bootcamp in October 2018, then the academic team at Fullstack spent almost a year developing its comprehensive curriculum (including both offensive and defensive security) before the school opened last summer.
The academic team worked closely with local employers (government and industry) to understand the skills that were needed most in New York City, then designed the curriculum to teach those skills. You can see the resulting curriculum summarized in the course poster for Fullstack Cyber Bootcamp:
The program is built to transform a beginner with no previous technical experience into a well-rounded cybersecurity professional. These professionals are immediately hirable and are more than able to hit the ground running with any security team. This is because the curriculum is taught in an immersive, hands-on bootcamp environment that is academically rigorous.
To ensure the Bootcamp meets the above standard, it must:
- Frequently update its curriculum to keep pace with an ever-changing threat landscape.
- Continuously drive awareness to a diverse pool of talent across the area it serves, and inspire a wide array of people to pursue careers in cybersecurity.
- Be financially accessible to as many individuals as possible through means like income share agreements.
Filling the open cybersecurity jobs
It’s not enough to simply train people, though.
The government also needs to create a steady and reliable “cyber talent pipeline” where local employers can hire recent graduates from the cyber bootcamp -- quickly, easily and cost-effectively.
For example, the team behind Cyber NYC has created an “ecosystem” of employer partners, including the private sector (often engaging at the CISO level) and other government agencies (like NYC Cyber Command). New York City works closely with the employer partners to make sure they know about Fullstack Cyber Bootcamp, and the steady stream of cyber talent it produces.
Next, Fullstack makes it easy for employers to hire the talent by attending regular hiring fairs, and by using a free online platform where employers can “browse available security talent” and contact them directly for interviews.
One key aspect to maximizing the hiring rate (or “outcomes” in industry jargon) is ensuring that there are no recruiter fees to hire bootcamp grads. At Fullstack Cyber Bootcamp, we don’t charge recruiter fees to employers – we serve simply as a matchmaker, connecting employers and grads with each other, with minimal friction.
Government should also create an apprenticeship program for cybersecurity, which would have to happen on a state-by-state basis. For example, it would be great to see New York State add cybersecurity to its list of approved apprenticeship trades:
In each state, an apprenticeship program could be created where (for example) employers could hire cybersecurity bootcamp grads for 6-12 months at an annual salary of $75k. Then, if the apprenticeship goes well, the employer can hire the apprentice.
The cyber talent shortage is a national security threat.
And it’s historic in scale.
The problem is solvable, but only if government leads the effort with modern ideas and rapid execution -- like it did in World War 2 -- and working closely with academic and industry partners.