Immediately after I successfully defended my dissertation for my Ph.D. in educational technology, I began to think about all the benefits that came along with that achievement. Aside from being regarded as an expert in my field, I relished the fact that my Ph.D. had earned me the right to be addressed as “Dr. Pruitt-Mentle”—or better, Dr. “Mental”—and to select "Dr." from drop-down menus when registering for conferences.
That said, I didn’t spend much time resting on my laurels as I was back at work the following day hosting a “Cool Careers in Cybersecurity for Girls” conference for 150 young cyberwarriors-to-be.
And I loved every minute of it.
Pretty much my entire professional life has been dedicated to motivating and preparing students of all ages to pursue STEM (science, technology, engineering and math) careers. These days, as the lead for academic engagement for the National Initiative for Cybersecurity Education, or NICE, I am consumed with working to fulfill our #2 strategic goal: Nurturing a Diverse Learning Community.
I really enjoy my current position because it allows me to draw from my Ph.D. research on workforce development while also acquiring a new understanding of cybersecurity—the job requirements and breadth of opportunities available, and the various pathways one can take to work in the field. One of the things that I have learned, however, is that there is still no one-size-fits-all approach to filling the growing cybersecurity workforce gap. Instead, multiple strategies are needed. At NICE, we believe that an environment where “cybersecurity is everyone’s responsibility” is the foundation of building a knowledgeable and skilled cybersecurity workforce.
Growing that awareness is what National Cybersecurity Awareness Month is all about. To nurture such an environment, there are numerous resources, including Stop.Think.Connect and OnGuardOnline, StaySafeOnline, NetSmartz, iKeepSafe and Common Sense Media, that you can use to help build and spread greater awareness of cybersecurity among your family, friends, co-workers or employees.
But there are distinct differences among “cybersecurity awareness,” “cybersecurity best practices” and “cybersecurity career awareness.” While cybersecurity awareness is the foundation upon which a strong cybersecurity workforce must be built, it is only the first step toward realizing the full potential of our digital economy.
Our growing dependence on the internet and interconnectedness with technology is not without its challenges. According to an Identity Theft Resource Center and CyberScout report, the number of data breaches in the U.S. tracked through June 30, 2017, hit a six-month record high. These events underscore a desperate need for a knowledgeable and skilled cybersecurity workforce.
Fulfilling that need, however, seems like an overwhelming challenge. The results from the eighth Global Information Security Workforce Study (GISWS) estimates that we will have 1.8 million unfilled cybersecurity jobs globally by 2022. Obviously, cybersecurity careers are a growing segment of the nation’s workforce needs and a great opportunity for both students choosing their future career and adults who are looking for a new career.
While the tech industry struggles to fill jobs with qualified candidates, a second quandary—and a potential solution to the looming shortfall—is how to diversify the cybersecurity workforce now and going forward. For example, the 2017 GISWS Women in Cybersecurity report states that women make up only 11 percent of the information security workforce, and the International Consortium of Minority Cybersecurity Professionals says that African-Americans comprise 7 percent of the cybersecurity industry and Hispanic-Americans only 5 percent.
Clearly, we can do better.
Increasing the STEM workforce has been a priority for the U.S. well before “STEM” became a buzzword. The National Commission on Excellence in Education’s 1983 report, A Nation at Risk, called for a new public commitment to excellence and education reform anchored in higher expectations for all students. This report served as a catalyst for reform and initiatives designed to improve education in mathematics, science, engineering and other technology-related subjects. We must have done something right, as there has been a rise in students seeking STEM degrees. The Higher Education Research Institute freshman survey indicates the percentage of students entering college who say they plan to major in a STEM field has slowly increased and is now hovering at around 31 percent.
But increasing interest in pursuing a STEM degree is only one piece of the workforce puzzle. A National Academy of Sciences report shows that, on average, a little more than half of all STEM undergraduate majors switch to a non-STEM major within the first two years. Research into why students leave the STEM track points to uninspiring content and poor teaching of introductory courses, difficulty with the math required in introductory STEM courses, and an unwelcoming atmosphere from faculty who teach these courses.
Moreover, more than half of those who do graduate with a STEM degree end up not working in STEM occupations. This is because employers know that a STEM education brings with it knowledge, skills and abilities (KSAs) that qualify graduates for a wide range of possible career paths, from research and development to construction, transportation, health care and hospitality.
Thus, increasing the STEM workforce is not just about increasing the number of bachelor’s and advanced degree earners, it’s also about guiding people to, and keeping people in STEM-related careers, as well as improving the way STEM is taught. For those already in the workforce or who are looking for work, seeking associate’s degrees, professional certificates or job training in STEM-related subjects are great ways to get a new job or advance in the one they already have.
One of the ways we’re supporting these goals is through NIST Special Publication 800-181. Also known as the NICE Cybersecurity Workforce Framework, or simply the NICE Framework, the publication is a nationally focused resource that categorizes and describes the different kinds of cybersecurity work done today. It establishes a taxonomy and common vocabulary that educators and employers can use to describe cybersecurity work, irrespective of where or for whom the work is performed. We think that establishing this kind of clarity in terms will help students and others interested in pursuing a cybersecurity career to understand all their options and pursue the right one for them.
There’s also the Cyberseek Jobs Heat Map. Developed by CompTIA and Burning Glass through a grant provided by NIST, the interactive map provides data to help employers, job seekers, policy makers, training providers and guidance counselors meet today’s increasing demand. The map shows cybersecurity career pathways that map opportunities for advancement in the field as well.
In addition to these resources, we have two events coming up in the next couple of months. The annual NICE Conference and Expo will take place Nov. 7 and 8, 2017, in Dayton, Ohio. The event will showcase the work of our community, seek to broaden our audience and impact, and provide a forum for supporters of NICE to get to know one another.
The National K-12 Cybersecurity Education Conference, taking place Dec. 4 and 5, 2017, in Nashville, Tennessee, is an opportunity to increase cybersecurity career awareness among the K-12 community, encourage the inclusion of cybersecurity concepts across the curriculum, and advance teacher professional development.
Besides meetings and conferences, NICE has several other means for building community at the national level. For instance, the NICE Working Group develops concepts, designs strategies and pursues actions that advance cybersecurity education, training and workforce development.
We also publish the quarterly NICE eNewsletter, which, in addition to providing information on our activities, also includes original articles written by members of our community. A monthly webinar series features presentations by experts from our community on new innovations or strategic developments.
And last, but not least, I’m proud to announce that we will be celebrating the first annual National Cybersecurity Career Awareness Week (NCCAW) this November. Held from Nov. 13-18, the week-long campaign will focus on increasing awareness about careers in cybersecurity and building a national cybersecurity workforce as a means of enhancing national security and promoting economic prosperity. We encourage you to visit the NCCAW website to learn more about how you can promote cybersecurity awareness and even pursue a rewarding career in cybersecurity.
Getting more Americans interested in and qualified for cybersecurity-related jobs will require attention to not only growing the traditional pipeline, but also targeting segments of the population that are often overlooked in workforce development discussions: incumbent workers who need upskilling or reskilling, dislocated workers who are trying to find new jobs, and individuals from groups traditionally underrepresented in cybersecurity/STEM fields.
The NICE program has an important role to play in this arena. But creating and maintaining a highly qualified workforce will require a rigorous and multifaceted approach. No single sector of society can respond adequately in isolation from others. Collaboration within and across different levels of government and among government, educational institutions and businesses is needed to strengthen career pathways for students and job seekers. Likewise, no single area of study should be used to supply cybersecurity workers. Drawing from evidence-based best practices from other disciplines, we see that pulling from multiple areas will help us address the shortage of skilled cybersecurity professionals more quickly.
If you are inspired and want to get involved, we invite you to visit our website or nice.nist [at] nist.gov (email) us. There’s a lot of work to be done to fill the growing number of critical cybersecurity jobs. Although we are making progress and experiencing successes, there is much more work to be done, and we invite you to join us in the effort.
Here is what I'm facing. I went back to school at 53 to earn my bachelor's in IT with Assurance and Security as the specialty. I graduated Summa Cum Laude by the way. I have lots of experience with computer (Since 1992) but I can't even get in the door to a cyber career. I wanted to get my certifications, but without the experience the certifications will not happen, as you must know. I can't get an interview. What does a woman have to do to break in? Can't get the job without the experience, can't get the experience without the job. Frustrated!!!
Begin with a contract company and contract positions "to hire." Once you have your foot in the door you can demonstrate your value and expertise and will be able to transition to a full time career.
I speak from experience. I went back to school (BBA with IT emphasis) at 48 after 25 years of being self-employed in a non-tech field. I've been working in Cyber Security since I graduated. You can do it!
Sandra - saddened to hear your account, but there are alternatives to building further experience in Cyber Security - and this path can lead to good IT Security work. I would encourage anyone with a Cyber oriented degree to consider first pursuing IT Security Audit opportunities. There is a dearth (or significant need) for knowledgeable/experienced IT folks with cyber training in IT Security Audit. You may need to pursue ISACA CISA (Certified Information Security Auditor) certification in order to open doors. Security Audit is good work - but it can definitely be a grind (frankly all IT Security jobs can be hamster wheels - interesting work that never ends). The upside of IT Security Audit is that it exposes you to a lot of security operations / processes - while you earn additional certifications (SANS, ISC2, etc) & build experience. Best of luck to you - please persevere as there is a way!
I am an Adjunct Faculty at a local university where I teach a cyber security course. Some in my class are like Sandra. The follow advice I give to my students and it possibly applies to anyone:
1. As to certifications: Please go the the following URL: https://www.isc2.org/Certifications/Associate . ISC2 Associates Program allows those with little to no experience to obtain anyone of the ISC2 certifications. Take a look at the program and see if it may help you.
2. Experience: If one has worked before, you have work experience. It may not be operating a firewall, but you maybe able to apply what you did to functions similar to what are being performed in cyber security. Possibly look to resources at your school or work with someone who is in the field that you trust and rework your resume taking your past experience and translate that experience to areas of cyber security.
Look to doing work for a non-profit, look to internships, look to apprenticeships. Some of these may not pay you a salary, but you do get experience.
3. Professional Networking: Join ISSA, ISACA, or InfraGard and get involved in a local chapter and attend the monthly meetings. The forums allow you to network and that is something we all need to do. Establish a LinkedIn profile.
Do not get frustrated! There are things that possibly you can do. Each person's background and situation is different. I hope you and possibly others find the above advice useful.
The problem I believe you are facing is ageism over experience. I have a degree, years of experience, volunteering in STEM, a 501c3, certs, and I still have a hard time. They will not tell you it is your age, however that is most likely the problem. McAfee Institute has courses that come on sale all the time which can help with certifications. Cybrary is a good source for free courses to start. Career Academy offers all the courses you want for a discount if someone who is registered refers you or if you are part of a group on LinkedIn that gets offered the courses at a discount. I am part of some of the groups. This will help you in getting more of what they look for in the workforce and closer to certifications. If you look into any of the programs, please mention my name.
Joining the NIST groups on LinkedIn is good as well. Hope I helped and I wish you luck.
I both teach CyberSecurity at Wake Technical Comunity College and work for Cisco managing certifications. I advise my students that practical labs are the path to both certification and experience. Think, if you perform a lab you have demonstrated that skill. “Wash and Repeate ...”
The cybersecurity workforce gap is unlikely to be overcome in the near-time, given the exponential growth of information technology gadgetry, devices, systems, and increasing interconnectedness
Davina this is exceptionally good information. And Sandra I will propose you to train yourself with simulators and sit for certification. If you do not get the opportunity for hands-on then best is try it on simulators. Free open frameworks of cybersecurity are available to gain knowledge. There is nothing to feel frustrated practice yourself and sit for certification. This will help open door for opportunities.