How do you build the information security workforce of tomorrow?

Kevin_AmorinA recurring topic of discussion in the news has been the shortage of available talent in the information security industry. As an adjunct professor at Northeastern University and the Director of Operations at BitSight, this is an area I’m pretty familiar with. A large portion of my work is focused on both developing and recruiting this talent, so I wanted to share a few tips on how best to find and engage the “infosec workforce of tomorrow.”

First, though, I’d like to share a little background information on the role higher education has taken in addressing this challenge. In 2003, the government issued a report, identifying a National Strategy to Secure Cyberspace that laid out several steps they would take to address the need to protect the critical cyber infrastructure in our country. A priority identified in the report was creating A National Cyberspace Security Awareness and Training Program, which was headed by the Department of Homeland Security (DHS). Partnering with colleges and universities, the DHS has sponsored Centers for Academic Excellence in Information Assurance Education, which gives eligible institutions scholarships and grants to help train future professionals. Course work for the Information Assurance (IA) programs includes information forensics, network security, system security, software security, cyber law, cryptography, risk management, and critical infrastructure.

Another area of focus for this initiative has been on the gamification of cyber defense, to engage additional students and universities in practical hands on IA education. The output of this effort is the Collegiate Cyber defense competition - something I am still actively involved in (I serve as a team advisor at Northeastern and encourage my students to participate).

So where is this leading? As you can tell, my role as an educator means my roots in academia are quite strong. But it’s not only for this reason that we place a high priority at BitSight on recruiting from and engaging with the students from local universities. By sponsoring these types of events and building relationships with schools that focus on information assurance, we have gained access to a great pool of experienced candidates. Many of these programs are Masters degrees, which means students often have 1-2 years of intern/co-op experience by the time they graduate.

We recognize that we must spend time honing these skills for industry work, but we see it as a worthwhile investment as we build a pipeline of potential future hires, not just for ourselves, but for the infosec and ops communities at large. We choose our hires and co-ops based on fundamental skills that these schools lay the foundation for, and build up from there.

It’s true; we are very fortunate to be located in Cambridge, MA with access to students at nationally recognized colleges and universities. But, the beauty of these IA programs is that it is available in universities across the country. A lot of their courses are also offered online, and focus on retraining professionals looking to move into security or gain new skills.

All of this goes to show that if a company is willing to make the investment in helping to develop specific skills and talents, there is a wealth of candidates available. You just need to know where to look and have the patience to tailor the candidates to suit your company’s needs.

How is your organization addressing this challenge?