Editor’s note: Wired for Safety is a column on cybersecurity and other tech issues. Duane Dunston is an assistant professor of cybersecurity and networking at Champlain College. He received his bachelor’s and master’s of science from Pfeiffer University. From 2001 to 2011 he worked in cybersecurity for NOAA. He is a doctoral student at Northeastern University with a concentration in Curriculum, Teaching, Learning, and Leadership. His other activities include “You Have A Voice,” a project to develop an electronic screening assessment to identify human trafficking victims.
[W]e desperately need more cybersecurity professionals. The Bureau of Labor Statistics predicts a 28% increase in the need for cybersecurity professionals by 2021. In 2016, they estimated that there were 100,000 jobs open and Cyberseek suggests there were over 313,000 online job listings between 2017 and 2018.
The shortage is confounded by the lack of women in the cybersecurity industry. The ISC2 report shows an increase from 11% to 24% of women in cybersecurity fields worldwide including in leadership positions. We can also do better by encouraging young girls into computer science fields and into programs such as the U.S. Air Force Association’s Cyberpatriot program which promotes awareness of cybersecurity and teaches middle and high school students to secure computer systems. I bring up this issue because we are leaving out an entire group of people to fill the labor shortage. More importantly, it can help shift misconceptions and demonstrate young girls and women are equally capable of success in technology-related fields, and a diverse workforce can increase productivity. We can encourage young girls into cybersecurity when they see people like them in this career field.
We could also recruit people who are transitioning from non-technology or from other technology careers. I learned cybersecurity mostly on my own, and I have a bachelor’s degree in sociology and a master’s in organizational management. I learned more than 95% of my skills from experimenting on my own and online resources. I encourage more structured approaches even if someone does want to learn it on their own. Becoming a cybersecurity professional occurs just like any other career — practice and a willingness to learn.
I would recommend people start by learning the basics of computer hardware, then move to learn to install Windows, Linux, and Mac OS. Then learn Windows and Unix administration. The Unix administration will help with Mac OS administration, though there are specifics that will need to be learned. After becoming comfortable with those, begin learning computer networking. All of these will provide you a much stronger foundation before you get into learning about cybersecurity. Cybersecurity encompasses hardware, software installation, system administration, and network administration. You’re combining those skill sets to improve the security of computers and computer equipment. The other essential skill to learn is how businesses operate so the basics of business management is needed too.
As a cybersecurity professional, it is easy to become frustrated at how much of what we do involves securing the well-known types of vulnerabilities. That is because organizations are complex in how their processes interact and intersect and there was so little concern for security that the basic controls may never have been implemented.
You will probably find work in an organization that is already well established, as well. Even small grassroots organizations can have complex business processes set up. It works well for them, but trying to secure their computers and network leads to uncovering the complexity of their IT infrastructure. However, cybersecurity professionals have to understand that and learn to slowly implement controls after communicating with those that would be impacted.
We should never go in forcing change. That is not our job. Once we start to learn the vocabulary of business, we can hone our communication skills in context to business operations. We can better determine and assess the risk to the entire organizations or parts of it and communicate it, so business managers understand what we’re saying. We can also better communicate risk to encourage the changes to occur and to reduce the complexity which will help make our jobs much more manageable and could increase improve business operations.
Once you acquire these skills, you must keep them sharp. Technology changes fast, and we need to stay ahead of and keep up with it. We need to use our collective knowledge and skills to help influence legislation around the need for better cybersecurity. More on that in a future article.
I believe following this training path will help you become a better cybersecurity professional. You will not just have technical skills, rather the combination of technical and business skills will provide you a more holistic perspective on what you are protecting: business and customer information and the organization’s mission.