With uptick in attacks, demand for hard-to-find cybersecurity talent grows

HBJ photo | Zachary Vasile ADNET Technologies CEO Christopher Luise at the company’s new headquarters at 400 Capital Blvd., in Rocky Hill. The firm is launching a partnership with national cybersecurity company Cyber74.

Write a Comment

By Zachary Vasile

A recent slew of cyberattacks targeting major employers is pushing companies of all sizes to ramp up their network defenses — and putting a renewed focus on a national shortage of cybersecurity workers, a problem industry figures say they’ve been grappling with for years.

“It’s not necessarily a new issue, but it’s gotten more acute,” said Jim Parise, president of Glastonbury technology consulting firm Kelser Corp. “We’re all competing for talent. And when you see what’s been happening, that heightens everyone’s sense of needing a security posture. So the competition’s only going to get more intense.”

Jim Parise

Cyber threats have been around as long as the computer networks they seek to compromise, Parise noted, but up until fairly recently, the issue was only on the radar of large corporations doing particularly sensitive work.

“It’s the perfect storm,” he said. “The cyberattacks — at least the ones we hear about — have created an explosion of need that really wasn’t there 10 years ago. There weren’t enough people in the cybersecurity pipeline then, and there certainly aren’t enough in the pipeline now.”

Christopher Luise, co-CEO of Rocky Hill-based ADNET Technologies, which is in the process of launching a cybersecurity firm called MachBlue Defense, said a shortage of cybersecurity professionals has been a constant stumbling block for the broader technology sector.

“It’s a challenge,” Luise said. “Historically, there’s been a gap between industry and academia, which has started to tighten up, but there’s still a big lack of resources and a lot of competition for talent.”

Luise said cybersecurity as a field had been somewhat neglected in the past.

“It was thought that there was very little need for cybersecurity experts,” he said. “It wasn’t being addressed.”

According to industry tracker Cyber Seek, there are currently 464,420 cybersecurity job openings in the U.S., including 3,763 jobs available in Connecticut.

Overall, there are 8,048 people in the state employed in cybersecurity roles, Cyber Seek data shows.

Numerous intrusions

Sophisticated cyberattacks against American enterprises and government agencies are nothing new, but the frequency and scale of such intrusions over the last several months has put national security officials and private sector executives on edge like never before.

First was a ransomware attack on Colonial Pipeline, the largest conduit for refined oil products in the U.S., which encrypted customer data. Made public on May 8, the breach forced Colonial’s management to shut down the pipeline to limit infiltration of its computerized equipment. The company reportedly paid a ransom of between $4 million and $5 million to have its data decrypted and released, but it took several days for the system to come back online, prompting widespread panic buying that led to fuel shortages at filling stations across the South.

Around the same time, Illinois-based insurer CNA Financial discovered that a trove of company data had been stolen through a malware program known as Phoenix Locker. The firm resolved the matter without comment, though financial news publication Bloomberg has reported that CNA paid $40 million to an unidentified criminal group to recover its records.

Less than a month later, Russian hackers struck JBS Foods, the world’s largest meat supplier. The company acknowledged paying a ransom of around $11 million through bitcoin after some of its plants in the U.S. and Australia were shut down for at least a day.

Earlier this year, Connecticut had to suspend vehicle emissions testing for several months, after the outside vendor that runs the program — Applus Technologies — was impacted by a malware attack.

All four hacks came amid a constant hum of less-publicized intrusions, targeting entities such as computer manufacturer Acer, Apple Inc. supplier Quanta and, reportedly, the National Basketball Association.

The barrage has sent many companies scrambling to implement best practices and bring their systems into compliance with certain standards, such as the Cybersecurity Maturity Model Certification.

Meantime, state lawmakers recently passed a law that incentivizes companies to adopt cybersecurity frameworks prescribed by nationally-recognized organizations like the National Institute of Standards and Technology (NIST). Companies that enact such policies would be shielded from legal liability if their customers’ data is exposed in a cyberattack, according to the law.

“We’ve had a lot more cybersecurity-related inquiries, people looking for help,” Parise said. “It’s mostly companies that don’t have the resources to do this on their own.”

Workforce development

Developing more cybersecurity talent starts with higher education, where professors and administrators say they’ve seen an uptick in interest in the field in recent years, though still not enough to move the needle for most employers.

Laurent Michel, a computer science professor at the University of Connecticut, said his department has doubled in size in the last four or five years, with around 850 students. But the school’s cybersecurity concentration has grown more slowly, especially compared to subject areas such as machine learning, artificial intelligence, research and software development.

“This is not where students are going,” Michel said. “They’re voting with their feet. They don’t seem to be aware of the opportunities.”

On the one hand, cybersecurity can be a lucrative field (for example, an information security analyst makes an average annual salary of $103,230 in Connecticut, according to U.S. Bureau of Labor Statistics data) especially because the skillset is hard to come by. But cybersecurity workers also face a high-pressure environment where they’re expected to remain constantly vigilant and up to date on the latest emerging threats.

“It’s quite demanding,” Michel said. “They have a hard job, and the fact that there’s not enough of them doesn’t help. It’s not for the faint of heart, and it requires that you continue to learn and adapt to new challenges over the course of your career.”

UConn is seeking to attract more people to the discipline through its cybersecurity lab, which allows students to search for vulnerabilities in simulated cloud and “Internet of Things” systems.

“They’re learning what it takes to defend against cyberattacks,” Michel said. “The thinking is, you have to see the dark side in order to learn to protect.”

Feedback on the lab is positive and ultimately convinces some students to change their majors to cybersecurity. But Michel cautions it will take time to see the results in the professional world.

“It’s a long-haul process, there’s no easy fix,” he said. “It takes several years between the recognition of the problem and the solution. There is always a delay.”

Western Governors University, a private online college with around 800 Connecticut students, has also ramped up investments in its cybersecurity program over the last few years, bringing on new faculty and expanding course offerings. The school currently embeds 14 certifications within its cybersecurity bachelor’s degree track to help graduates get into the field as quickly as possible.

Rebecca Watts

“We’re constantly evaluating our program,” said Rebecca Watts, who serves as regional vice president for WGU’s Northeast operations. “That’s one of the biggest challenges — you’re never done learning. You have to constantly stay ahead of what’s out there. It’s a career-long commitment.”

This summer, in an effort to raise awareness of cybersecurity as a career option, the university is staging a virtual “cyber camp” for high school students. Watts said the goal is to reach communities that have been historically underrepresented in cybersecurity and in the tech world as a whole.

“There may be a barrier because we expect people to know what cybersecurity is without explaining it,” she said. “People might not understand that it’s not a routine thing. It’s constantly evolving, it’s constantly exciting and it’s absolutely critical.”

Luise, of ADNET, said close coordination between employers and schools is a critical step toward ameliorating the worker shortage, not just in the realm of cybersecurity but in technology generally.

“We’ve been working with specific schools, giving them our perspective, for well over a decade,” he said. “And that’s one piece of it, but there’s a broader discussion to be had about workforce development that transcends just cybersecurity. That has to be addressed at the national level.”

Top cybersecurity job titles in CT

There are currently over 3,700 cybersecurity-related job openings in Connecticut, and more than 8,000 people in the state employed in cybersecurity-related jobs, according to industry tracker Cyber Seek. The most common industry jobs in the state include: