Looking for creative solutions to the cybersecurity skills shortage

A pervasive theme at the recent 2018 Oregon Cyber Security Day at the University of Oregon campus in Eugene centered on the cybersecurity skills shortage. In Oregon alone, there are more than 3,000 cybersecurity job openings and not much relief in sight, according to Charlie Kawasaki, CTO of PacStar and vice chair of the Oregon Cybersecurity Advisory Council (OCAC), who presented at the event. The story is similarly bleak on a national level with a shortfall of over 285,000 workers.

In a noon-time panel discussion, Michael Gutsche, a security strategist for Micro Focus International and OCAC member, noted that the skills shortage is especially impactful for smaller companies who lack the resources to compete for talent.

“Big companies are making the investments they need to maintain a high-level of security,” said Gutsche. “But small companies are just trying to stay afloat.”

One possible avenue to plugging the skills shortage could be to start looking outside traditional computer science programs and to encourage more workforce diversity. As attack vectors have pivoted to focus more on people and social engineering, cybersecurity departments could be well-served by pulling employees from other disciplines.

Steve Povolny, head of advanced threat research at McAfee, sees a growing role for people with social sciences and HR backgrounds in developing cybersecurity awareness programs.

“It’s not mainstream yet, but that could be changing,” he noted.

Along the same lines, Leo Howell, CISO for the University of Oregon, said he looks at cybersecurity in the context of a team with marketing people in the mix to build awareness about cybersecurity programs working along side psychologists, sociologists and others with non-traditional cyber backgrounds.

Looking at cybersecurity in this context, “there are many different entry paths into the field of cybersecurity,” Howell said.

Beyond looking into other disciplines, cybersecurity could be well served with more participation from women. “Fact is, we have huge disparity in the make up of the cybersecurity workforce,” said Dennis Tomlin, CISO for Multnomah County and OCAC member. “There are lot of old curmudgeons in the field like myself and we’ve been negligent in bringing women into the field.”

For his part however, Tomlin noted that his team at Multnomah County is more than 50 percent female. On other teams, where women are a smaller part of the team, they often end of feeling isolated, making retention a key problem.

The panel also offered up advice for students and others looking to enter the field. A particular need, according to Gutsche, is in application security. This is a fairly new field, but the need is becoming increasingly acute.

When it comes to landing a cybersecurity job, McAfee’s Povolny urged students and other job seekers to “ignore job descriptions” and apply for jobs they believe they can handle even if they don’t exactly fit the stated requirements.

“We always require college degrees in our job descriptions,” he said. “But half my team doesn’t have one. Always, always apply. We’re looking for passion and a determination to achieve goals more than a specific skill set.”

Now in its eighth year, the event enjoyed strong attendance from public and private organizations as well as a healthy group of U of O students. The 2018 Oregon Cyber Security Day was organized by the University of Oregon Center for Cyber Security and Privacy (CCSP), together with the Department of Computer and Information Science at the University of Oregon.