Open Source is Key to Solving Cyber Skills Gap
It might seem strange to say in the land of Silicon Valley and Microsoft, the country where the internet was invented, and the most technologically advanced nation on earth - but the USA has a serious cyber skills gap.
According to the Center for Cyber Safety and Education, around 1.5 million cybersecurity posts went unfilled in 2015, a figure that was projected to rise to 1.8 million by 2022. The same study found that 66% of information security managers reported insufficiently trained staff to mitigate cyber-threats. That's a major problem in an age when data leaks are endemic, and threatening to destroy the reputations of major corporations.
The question is, why has this gap emerged, even though we've known about it for years? And, just as importantly, what is the solution? There's no lack of IT talent in the USA. There's definitely no lack of incentives for companies to invest. So what's holding us back? As we'll see, there could be one very effective solution right under our noses: harnessing the power of open source.
Why Has a Cybersecurity Skills Gap Become a National Crisis?
Before we look at how to mitigate the skills gap, it's important to understand more about the roots of the problem. Essentially, this is a market failure within corporate America (and the wider world), where skills have been poorly matched with training and investment over a period of years.
Part of the problem lies in the education system. IT professionals are trained to be world-class engineers and specialists in certain packages, languages, or networking technologies. But the system is less capable of training professionals who are focused on cybersecurity.
As cybersecurity expert Marten Mickos reported for Forbes in 2019, only 42% of the US' top 50 IT degree programs offer security components. That needs to change if corporate America wants to create viable career paths for skilled young graduates with a passion for cybersecurity.
Then there's the cybersecurity profession itself. Many people see peers enter the sector, battle against corporate cultures, and take the blame for failings that aren't necessarily their fault. Too often, cybersecurity officers are used as "fall guys" by managers who poorly understand their roles (and limitations). So there's a lack of appetite among young IT engineers to make security their specialism.
What Does the Cyber Skills Gap Mean for Corporate and National Security?
This cyber skills gap isn't just a statistic. The lack of trained cybersecurity professionals is having a damaging impact on US businesses and public organizations every single day, with consequences for every American citizen.
The financial cost of data breaches alone is hugely significant. Some studies suggest that the average cost of a leak amounts to almost $4 million, but many run into the hundreds of millions. And that's just for the company concerned. The effects on customers who have their details stolen make the bill far higher, even before we think about the psychological costs.
Even the NSA has been weakened by the deficit in trained cybersecurity experts, with regular reports about an exodus of engineers. In that case, the problems are multiplied by the loss of morale associated with surveillance scandals.
As foreign cybersecurity threats seem to mount, and private sector hacking expands, these issues are incredibly serious. So what's the solution?
There's No Lack of Talent in the Cybersecurity World
If you talk with most experts active in corporate cybersecurity, they will tend to make the same argument. As Jon Oltsik of the Enterprise Strategy Group put it in a recent NBC interview, "there is more demand for talent and not enough talent out there." In other words, it's a classic market failure, as we hinted above.
In a way, that's obviously true. Millions of posts are vacant, there's a clear and pressing need for more cybersecurity experts, but applicants aren't coming forward. From the perspective of corporate leaders, the solution is to increase pay levels, invest in training, and make workplaces more comfortable for cybersecurity engineers - the usual market tweaks which should help to balance supply and demand.
But what if that's not actually the solution? After all, the skills gap has been in evidence for years, and companies have been trying to attract talent with little success. It could be time to try more creative approaches.
How Open Source Can Help to Solve the Cyber Skills Gap
That's where open source comes in. The open-source community is vast and extremely diverse. GitHub alone has 37 million users (in the most recent estimates), many of them actively pursuing hacking projects or working on open-source alternatives to mainstream products.
If you want to find a specialist in mitigating session hijacking attacks, or a VPN networking specialist, one isn't hard to find. This insight has started to percolate through the corporate world. Instead of recruiting at universities or via traditional employment hubs, forward-thinking HR teams are trying their hardest to recruit devs from the open-source community, but it isn't easy.
The open-source community is anarchic, individualistic, hard to reach, and - often - anti-corporate. But it's where companies will find the most dynamic cybersecurity experts. And it could also be the route to wider cultural transformations that force cybersecurity up the agenda.
Open source could be a way to spread the cybersecurity meme more widely throughout society via free, user-created tools that can be propagated via public schools and universities. With the right strategy, it's not hard to imagine teens embracing open-source experimentation in huge numbers. But is this strategy likely to materialize?
It's clear that old-school recruitment isn't working. So there's little to lose in investing in open-source toolkits, exploring collaborations with open source collectives, and moving to software that isn't dominated by Oracle, Cisco, or Microsoft. With cybersecurity starting to make headlines, and threats rising all the time, opening up cybersecurity to the masses could be the only viable way forward.