Developing Unconventional Career Pathways for the Cybersecurity Workforce

March 4, 2021 | 5 minute read

In a society undergoing digital transformation, cybersecurity has the potential to save lives and businesses from complete ruin. For years, experts have been sounding the alarm about the shortage of cybersecurity talent. Theories seeking to explain the shortage range from inadequate talent to a lack of alignment between education and industry pipelines to misinformed hiring practices. In New America’s Cybersecurity Initiative report, “Cybersecurity Workforce Development: A Primer”, Laura Bate, now Senior Director at the U.S. Cyberspace Solarium Commission, made the case that “…no single action, effort, or theory will address the pervasive difficulties of filling cybersecurity jobs. Instead, lasting solutions will require a network of connected policies and community-wide effort.” If we do not band together as a country of innovators and implement the policies necessary to develop unconventional solutions to an escalating problem, we will continue to be at the heels of cybercriminals, and not at the helm of this great nation. But how do you speed up the development and growth of an industry that is still in its infancy? How do we ensure that existing pathways to a career in cybersecurity are easily accessible for all, and applicable across the many disciplines that need it for survival?

Conventional Vs. Unconventional

Conventional paths for education and entering the workforce have been cemented in society’s approach to preparing individuals for a lifelong career. In the cybersecurity industry, where the talent shortage worsens and the skills gap continues to widen with each passing year, a conventional outlook on career development, sans hands-on experience, is not enough to produce growth and fill cybersecurity jobs. Dr. Ashley Podhradsky, co-founder of CybHer, is on a mission to not only attract, but propel girls and women into cybersecurity. As an associate dean and professor at Dakota State University, she pursues initiatives and hands-on, system-experience teaching methods that afford students and trainees the realization that they, too, can do this. “The hands-on nature provides a first spark of realization for a student who may not have had an interest in technology. By actively solving a problem using tech tools, many students begin to see themselves in this space for the first time.” (Mendez, 2019) Gaining the interest of potential candidates through hands-on experience is an unconventional approach, and many other 2-year and 4-year colleges are taking steps to introduce new initiatives that hold similar promise. For example, Purdue University last year launched its Purdue Cyber Apprenticeship Program (P-CAP), a federally funded new model for cybersecurity education and employment. In an interview for Future of Business and Tech, Executive Director Dr. Geanie Umberger stated, “P-CAP is a paradigm shift in education, addressing the needs of employers and adult learners… apprentices can earn a bachelor’s degree while employed in their field of study, gaining simultaneous on-the-job training and mentorship, all while obtaining a degree and industry-recognized certifications.” The benefits of unconventional approaches, like modern apprenticeships and experiential learning, will far outweigh those of continuing with less applicable and less accessible traditional ones.

On the topic of the efficacy of a conventional pipeline, Bate further argues in her 2018 report, “In cybersecurity, as in many other fields, hiring managers would benefit from asking whether a four-year degree is necessary for a given position, or whether on-the-job learning, career technical education through a community college, or other training options may be a better fit.” The decision on which path to take ultimately lies with the individual, but with better alignment between academia and industry, more needs could be met, which would provide a greater course of action and a dependable structure for industry growth, economic stability, and national security.

Lifelong Measurement and Progression of KSAs

Another initiative that has been growing in adoption is the NICE Framework. Established by the George W. Bush Administration in 2008, the National Initiative for Cybersecurity Education (NICE) began compiling shared knowledge of cybersecurity work into a comprehensive taxonomy that describes the knowledge, skills, abilities, and tasks needed to perform cybersecurity work. “Published by the United States National Institute of Standards and Technology (NIST), the framework offers organizations in the public, private and academic sectors a common language that enables them to speak about and define professional cybersecurity work requirements.” (Rosencrance, 2019) The beauty of such a framework is that it will evolve as the cybersecurity industry and its growing workforce develop, as more stakeholders invest in cybersecurity, and as new, emerging technologies shift the pace and tasks needed to secure an environment. The NICE Framework benefits current and future cybersecurity workers, employers, academia, training and certification providers, HR, counselors, and tech providers.

The importance of this framework lies in the KSAs, a list of special qualifications and personal attributes that you need to have for a particular job. “A primary purpose of KSAs is to measure those qualities that will set one candidate apart from the others.” (CDC) If you are an individual applying for a cybersecurity job, especially one at the federal level, knowing your KSAs and being able to give a detailed account of how your experiences relate to the specific KSAs requested signals to recruiters and staffing that they should seriously consider you for the job.

Another advantage of the NICE Framework, if applied to particular processes such as hiring or team management, is that it allows employers, job seekers, and academia to circumvent complicated, exhausting, and, as Ming Y. Chow, Associate Teaching Professor at the Tufts University Department of Computer Science, put it in his Hall of Shame, asinine job descriptions. Every sector of the labor market needs definable markers of competency, be it the knowledge base, technical skills, or abilities in performance. The NICE Framework is evolving, but adoption at an early stage is necessary for the interconnected progression of initiatives and policies, which will not only open different avenues to success as a cybersecurity worker but also steer the future course of the US cybersecurity workforce.

CyberKnights is a workforce development tool and skills-centric database. We adopted the NICE Framework as the core initiator for current and future cybersecurity workers, employers, academia, and training and certification providers to leverage in their quest to align themselves with industry standards. CyberKnights is free for individuals to assess their cybersecurity skills, track and progress their KSAs, and position themselves to be considered by employers for open job opportunities. Employers can use CyberKnights to take inventory of their internal cybersecurity skills in order to expose the gaps and view skills remediation options, including a vetted candidate talent pool. Academia can use CyberKnights to gain visibility into the current skills employers are requiring, and then tailor/offer their curriculum to address the skills gaps.