America is facing a critical shortage of people trained in cybersecurity. The Cybersecurity Workforce Alliance — a partnership of companies, the government and universities — aims to bridge that skills gap because the country’s future literally could depend on it.
Sounding the call to cyber defenses through “industry-first” planning and collaboration is this opinion piece written by Frank C. Cicio, Jr., co-founder and CEO of iQ4, an emerging workforce-transformation firm and collaboration platform that partnered with the City University of New York, John Jay College of Criminal Justice, the State University of New York at Albany and several cybersecurity professionals to launch the alliance in 2015; Dennis Paige, Robert Francis and Roseanna T. Blum, supervision group of the Federal Reserve Bank of New York; Gopal Padinjaruveetil, chief information security officer of the Auto Club Group in Michigan and chairman of the Advisory Council Board for the CWA; and William Squires, an iQ4 and RANE network intern, who is at present a sophomore at the University of Southern California and co-author of iQ4’s response to the White House’s recent NIST Request For Information on cybersecurity. The views expressed are those solely of the authors and do not represent those of their employers and/or the Federal Reserve Bank of New York or the Federal Reserve System.
Two years prior to being appointed as Securities and Exchange Commission chairman, Jay Clayton, David Lawrence and a host of cybersecurity experts wrote a 2015 Knowledge at Wharton opinion piece calling for the creation of a cross-functional cyber-threat commission, similar to the 9/11 Commission, to coordinate the rising need for information sharing and collaboration that would strengthen industry’s cybersecurity defenses.
Last month, in his first public speech as head of the SEC, Clayton re-emphasized the need for coordination between companies and regulators to thwart cyberattacks, noting that he and his fellow financial regulators are closely collaborating “to improve our ability to receive critical information and alerts and react to cyber threats.”
Quietly, but with great effect, the regulatory community has been gearing up public-private partnership efforts to be proactive on cyber threats and has now successfully engaged academia. Indeed, fellow financial regulators at the New York Federal Reserve Bank and its member banks, the Securities Industry and Financial Markets Association, companies and local colleges in New York have created a workforce-engagement model — the Cybersecurity Workforce Alliance (CWA). Its goal is to address the weakest link in our cybersecurity defenses: the skills gap.
A June 2017 report from Cybersecurity Ventures is projecting 3.5 million unfilled cyber jobs within the next four years. Veteran investor Jim Rogers and academic Robert Craig Baum opined in Fortune last month that higher education’s continued failure to provide a skills-ready workforce “will likely burst with the force of all previous catastrophes combined — a shock wave so sudden, so large, that it gathers the full force of the savings and loan, insurance, energy, tech, and mortgage crashes, creating a blockbuster-level perfect storm.”
“Nowhere is the workforce-skills gap more pronounced than in cybersecurity.”
But the new CWA engagement model, emerging in the same pro-active manner that Clayton and the regulatory community have been calling for, can help solve this problem. The Alliance has enabled tripartite partnering among the public sector, private sector and academia to solve the gaping — and growing — cybersecurity skills shortage. And collaboratively, a scalable model has taken hold, which helps to align higher education and industry, and provides a sustainable means by which to accelerate cybersecurity readiness in entry-level candidates.
Since its inception in January 2015, the Cybersecurity Workforce Alliance has engaged over 600 corporate executives across a broad swath of industries. Within the education sector, the program alerts students to careers available in cybersecurity and provides an accelerated pathway to reach them. For employers, the program maps the specific skills students need for mobility or up-skilling to advance their careers. In essence, the model creates predictable career pathways while ensuring a “load balance” of resources needed by industry players to maximize productivity and employee retention.
Mind the Gap
Nowhere is the workforce-skills gap more pronounced than in cybersecurity (Forbes estimates the current number of unfilled jobs in cybersecurity at 1.4 million). And advances in technology such as artificial intelligence, IoT, autonomous vehicles, data mining and the like will only widen the gap between workforce-ready students and industry. How did we get here? According to Baum and Roger, it’s academia’s fault:
“Disturbing patterns of unsustainable economic activity have emerged over the last decade. College and university budgets rely on inflated real estate investment, deny the short- and long-term effects of student loan defaults, accept the rise in tuition above the rate of inflation as normal, and expect a downsized part-time faculty to help subsidize inflated tenure track and endowed tenure budgetary lines. The insatiable upper administrative appetite for high salaries, job description absurdity, and low accountability adds endless layers of compulsive, prideful incompetence to an already unstable education business model that believes it simply cannot crash.”
Whether a crash comes or not, the CWA’s success belies the need for higher education to shift to a bottom-line mentality in order to create a sufficient supply of cyber workforce-ready graduates. Rather than pointing fingers, the CWA put its finger on the pulse of industry by understanding that the skills gap problem has been more about market misalignment than academic malfeasance.
For the CWA, subscribing to an industry-first philosophy provided the needed recalibration to begin to close the skills gap. Being industry-first does not suggest that the needs of the private sector would precede the needs of academia in order to improve the real economy and job prospects for graduates. Instead, industry-first defines itself by asking, ‘What are the private sector’s specific needs and what information can industry supply to academia about the expectations of new graduates?’ As such, being industry-first can be defined as providing a taxonomy of the specific description, identification, nomenclature, and classification of private sector job roles and responsibilities needed to model a curriculum — at the beginning of a student’s tenure.
Accordingly, industry-first becomes an aligning force for both the private sector and higher education, paving the way for the extension of the workplace into the classroom. Thus, what industry can offer higher education is a current set of existing cyber standards, such as what has been created by the National Institute of Science and Technology (NIST) and the National Initiative for Cybersecurity Education (NICE). These standards could then be used to help detect, isolate and remediate cyber intrusions. Nevertheless, these cyber standards have not yet been tapped to help develop and retain skilled workers through awareness of available careers, education and training.
“The alliance has been able to expand to over 600 enterprise members, representing major financial institutions, consulting firms and Fortune 100 companies.”
What is taught, then, are workforce essential skills based on real-world, regulatory standards that are applied to the private sector daily. These essential skills include team-based problem solving and collaboration; oral and written communication; advocacy and leadership. Mentors are deployed via the CWA from the private sector along with teachers from the institutions. Since the private sector has a good understanding of workforce categories, specialty areas, work roles and the required knowledge, this information could be transferred to higher education.
A further benefit of the industry-first alignment is that it creates an industry-academic-regulatory feedback loop that can advance societal knowledge. Based on a CWA framework, alliance, university and private sector members jointly recommend improvements to the NIST and NICE governmental standards, which were later adopted. Government is learning from industry, which is learning from academia in an expanding virtuous cycle.
Big, Beautiful Data
The CWA approach helped to develop a software platform and curricula so that the program can scale rapidly and nationally. Each college or university that adopts the specific modules gains insight, transparency, and a definition of the skill sets and roles valued by industry, all through the technology platform.
It is now possible to collect robust data and build meaningful metrics around assessments — including for initial proficiency and career progression — based on student and team self-assessments at the beginning, middle, and end of each course in order to encourage careers in cyber-related areas. Moreover, CWA mentors provide weekly student progression assessments. Metrics can ultimately gauge outcomes, from how many students get internships — and jobs and in which sectors — to entry-level pay levels. These metrics track the following:
- The number of students entering courses, participating states and schools, and the initial awareness of cybersecurity as a career (astonishingly, currently only 1%);
- The extent of employment or internship experience prior to the course (currently only 5%);
- The number of college students with cyber-related internships (currently 61%);
- The number of graduates with jobs or internships in cyber roles (currently 33%); and,
- Real-time data concerning student engagement on the platform and course (currently averaging nine posts per student and 93 words per post), including the number of student-initiated, critical-thinking discussions.
With that knowledge, and course-work that directly aligns with industry needs, the nation can become better protected by training more people to get into cybersecurity-related positions in order to close the acute hiring gap. As a result, the alliance has been able to expand to over 600 enterprise members, representing major financial institutions, consulting firms and Fortune 100 companies.
The specific data submitted by nearly 400 students that have been involved in the CWA curriculum to date is truly breathtaking. Out of 167 graduates, 103 or 62% have jobs. Of these, a startling 30% hold positions in cybersecurity. According to The Wall Street Journal, 1.9 million students graduated in May 2017, and only 15% of those graduates got jobs or internships. Ninety-nine percent of those who enter the CWA course are not aware of cybersecurity opportunities in the profession, and an astounding 95% had never had any real-world work experience beforehand.
From the data now available, the CWA has for the first time produced academic transcripts that are recognized by the National Student Clearinghouse (NSC), just like any other accredited course from an institution of higher learning. The NSC and its alliance partner, iQ4, were awarded the 2016 first prize for best practice for their efforts in “extending the capacity of higher education to scale the output of verified workforce-ready graduates.” Many of the CWA alumni are female, minorities, veterans and the first college students from their families.
At the minimum, the CWA expects to generate at least 100,000 workforce-ready, entry-level cyber professionals within four years, if the program scales nationally. With a proven model, the program now is engaging with higher education decision makers nationwide to explain how the program benefits all sides while helping to alleviate the nation’s acute shortage of experts.