Since President Joe Biden entered the White House nearly two years ago, cybersecurity has remained one of the top concerns of his administration, along with responding to the COVID-19 pandemic and addressing economic issues such as inflation.
While the Biden administration has looked to address cyber threats from Russian cybercriminal gangs and China-linked hacking groups, the White House has also tried to develop new ways to hire more cybersecurity workers to help fill an increasing number of open positions in the private and public sectors.
The lack of skilled cybersecurity workers contributes to the overall risk businesses and government agencies face from the increasing proliferation of cybercriminals and nation-state actors, security experts noted. By one estimate, there are more than 700,000 open cybersecurity jobs in the U.S.
To address this, the Biden administration, through the Homeland Security, Labor and Commerce departments, announced a federal program in July designed to get more workers into cyber. Unlike other federal jobs programs, however, this “120-Day Cybersecurity Apprentice Sprint” focuses on workers and students interested in non-traditional pathways to becoming cybersecurity professionals.
“Through Registered Apprenticeships, and via non-traditional training opportunities for Americans who can help defend our country and make a good living for themselves and their families,” according to the White House announcement. “Training models such as Registered Apprenticeships can allow career seekers to earn and learn at the same time while often obtaining college credit, degrees, and a nationally recognized credential.”
This apprenticeship sprint, which runs now through the end of November, focuses on three specific factors to bring more workers into the cybersecurity field:
- A greater emphasis on non-traditional training for those interested in cybersecurity, such as through trade schools, community colleagues, apprenticeships and other career pathways;
- A way to build a pipeline of career opportunities for underrepresented communities, including women, people of color, veterans and people with disabilities;
- A general push for more cybersecurity awareness training for all workers, whether they are specifically employed in security or another field.
As National Cyber Director Chris Inglis noted last year: “There is an awareness issue that requires us not to make Python programmers out of them but to make sure they understand the nature of this space.”
Can Apprenticeships Help the Cybersecurity Jobs Market?
While it will take years to know if this apprentice sprint will pay dividends, several cybersecurity watchers noted programs such as these—especially with an emphasis on non-traditional training to build up skills—is at least a step in the right direction.
“All reasonably-minded employers agree that we can only win this fight with fresh, creative minds and diverse backgrounds and perspectives. But this requires investment in time, money, and energy. So often these resources are directed toward tangible things that provide the clearest, the safest and quickest path for return on investment, such as the newest technology or the proven senior analyst who can hit the ground running,” Michael DeBolt, the chief intelligence officer at security firm Intel 471, told Dice.
Those employers invested in hiring and onboarding new employees will benefit from novel approaches to cybersecurity. “This apprenticeship initiative will help new employees and make a lasting impact in our ability to fight new cyber threats,” DeBolt added.
The need for workers with a variety of skills is most apparent in the government sector, which relies on a mix of on-premises and cloud-based tools and platforms. This, in turn, requires a workforce with diverse skill sets, said Sammy Migues, principal scientist at Synopsys Software Integrity Group.
“The federal government, especially combined with state and local governments, has so many kinds of ancient, old, aging, current, and modern systems that no one person can take care of it all,” Migues told Dice.
“All these different systems require system, network and cloud administrators with different skills. They each need security teams that understand the different technologies as well as the attackers and attacks they need to defend against,” Migues added. “The systems likely process different classifications of data and require new and different controls, which also has to be understood by the cyber workers. And it’s not all business as usual, between regulations, data breaches, executive orders and everything else. There must be enough cyber workers to handle day-to-day operations and crisis events.”
Sounil Yu, CISO at JupiterOne, added that cybersecurity is a field that naturally benefits from vocational training and an apprenticeship approach.
“Although many cybersecurity workers take pride in their professional status, many of their jobs, as well as the thousands of unfilled cybersecurity jobs, are vocational in nature and could be filled by those with the appropriate level of vocational training,” Yu told Dice. “In vocational schools, students focus nearly entirely on learning the skills of their trade. In this case, cybersecurity. By immersing themselves in a particular field, like cybersecurity, students practice tangible skills they will need and can apply to the workplace. Furthermore, this period of training can happen at an accelerated pace that produces qualified candidates in one or two years, if not faster.”
Is It Enough to Close to Cyber Skills Gap?
While the apprenticeship sprint program is designed to help the public and private sectors, several experts noted it’s the federal government that needs the most cybersecurity pros right now. A recent review by the Justice Department, for example, finds the country’s main law enforcement agency lacks skilled cyber workers, according to the Washington Post.
Alex Ondrick, director of security operations at BreachQuest, has tracked cybersecurity staffing shortages over the last two years and believes the federal government needs to take other approaches.
“The U.S. government has earned itself a reputation for moving and reacting slowly, if at all. When we apply this to the context of ‘hiring in cybersecurity,’ we see that employers are already competing against each other for a pool of candidates and workers, and the hiring process can move fast,” Ondrick told Dice. “If the federal government is moving slower—and usually paying less—than the private sector, then the government will be at a disadvantage.”
For others, these government initiatives must also be part of a longer-term strategy to reduce cybersecurity risks. “We must prioritize what we can do now and what we must do in the near future. We need to fast-track the need for skilled workers in cybersecurity and fast-track them into the industry as the skills shortage is only getting larger,” said Joseph Carson, chief security scientist and advisory CISO at Delinea.