Scarcity of Cybersecurity Expertise

Scarcity of cybersecurity experts is a real problem that can be quantified and described---but not one that can easily be solved. Limited resource availability, the basis for our entire economic system, is ordinarily a problem of finding raw materials or advanced machinery, not one of hiring the workers we need to defend our assets---but with more than one million cybersecurity positions unfilled worldwide, currently-identified cybersecurity needs could not be met if every employee at GM, Costco, Home Depot, Delta, and Procter \& Gamble became security experts tomorrow. Those one million positions span all industries, specializations, and requirements, and include approximately 25,000 non-military positions in the United States' federal civil service.

This resource problem is too large and cannot be solved by individual corporations, leaving countries to confront this issue with essentially two options: import existing talent from other countries, or educate new cybersecurity talent.

Importing talent seems like a simple solution: find the experts and entice them to immigrate temporarily or permanently. Currently, the United States has two major avenues to import cybersecurity talent. Trade NAFTA Status was implemented to permit low-friction labor mobility for certain professions---but the list of acceptable professions is out-of-date, meaning that cybersecurity professionals must demonstrate other skills, like software development or management consulting, in order to be eligible. The other avenue is the H1-B Specialty Occupation visa. At current levels, this program supports 20,000 Master's degree holders and a further 65,000 Bachelor's degree holders to immigrate to the United States yearly (renewals are allowed indefinitely). To be eligible, companies must assert that they are unable to hire the required expertise from within the United States and must look elsewhere. The majority of H1-B visas are issued primarily for cybersecurity-related positions. The issue with importing talent is that the talent pool is finite; these experts do not magically appear. By importing cybersecurity talent from one country, it benefits one country and weakens another. It may create a shift in target for those seeking to damage complex systems to a different country. However, the net effect to all participants in the global economy remains unchanged.

If importing talent is a zero-sum game, then educating talent must be the answer. Many countries have one or more government-supported educational initiatives to identify and train cybersecurity talent. The problem here is twofold. First, these programs cannot scale quickly or effectively enough to meet the current demand. Although there are good examples of educational initiatives, like those in the United Kingdom---with one program to produce cybersecurity PhDs, and another to give students a two-year post-high-school ``Foundation Degree'' program to ready them to enter the workforce---these programs are insufficient; producing just 66 PhDs and 100 Foundation candidates per year cannot even meet the UK's demand, let alone that of the rest of the world. In addition, once these candidates graduate from their programs, they will still need years of experience to produce the level of expertise that makes them assets and leaders in the community, so while these programs are encouraging, they are wildly insufficient. The second problem with educating talent is that cybersecurity practitioners need a significant amount of varied field experience, in addition to a good school education, to be able to create necessary new solutions (rather than simply maintaining existing infrastructure). There is no shortcut to field experience, and there is no ``boot camp''-type training that can create an overnight cybersecurity practitioner. The field simply comprises too broad a base of knowledge, and too many areas that are not yet repeatable practice, for training to be quick and repeatable; in addition, being great at securing complex systems relies on an artistic approach to unique infrastructures and problems.

If nothing changes in this space, we face a future with an increasingly competitive "bidding war" for talent between companies and countries, where the countries that have yet to engage an accelerated training capability will be forced to rely on importing talent. This, in turn, further exacerbates an insular approach to cybersecurity that unintentionally creates a multitude of smaller, less securable country-level networks. The solution: through sustained cooperation in training, labor mobility and efforts to share both infrastructure and talent across national boundaries, the global economy can succeed both in securing systems, and in promoting safe, continued growth and utilization of interconnections between mankind at a scale never before seen.

James Arlen is the Director of Risk and Advisory Services at Leviathan Security Group in Seattle, WA. More information about the dangers of forced data localization can be found at http://www.leviathansecurity.com/cloudsecurity.