The current U.S. government cybersecurity skills shortage is well-known, and will likely only get worse over the next few years. There are many fundamental issues that need to be addressed, from government pay scales that lag behind the private sector to the lack of enthusiasm many younger entry-level candidates have when considering a job with a federal agency as opposed to an offer from a shiny, new, fast-growing startup.
Successfully recruiting new candidates to meet the cybersecurity needs at the federal level going forward will require a massive shift in the way agencies compensate and message themselves to potential future employees. Until that happens, how can federal agencies fill in these much-needed cybersecurity roles that are pivotal to protecting everything from critical infrastructure to national security?
The answer could be right in front of them: the people they employ for non-cybersecurity jobs, from HR to physical security guards. What if anyone with an inquisitive, investigated mindset, despite their technology backgrounds, could play a role in cybersecurity?
Cybersecurity professionals generally have started with a traditional technology background and go on to develop highly specialized skillsets refined over years. In the private sector, there is typically less concern if a candidate’s qualifications come from an academic institution or actual real-world experience, sometimes the latter being preferred. At the federal level, however, there remains a more traditional vetting process that limits the scope of potential employees. This rigidness in hiring is one of the major contributing factors to the shortage of cybersecurity professionals at federal agencies. They qualify candidates based on computer science credentials, and glance over those that may have innate characteristics that could make them top-tier cybersecurity workers. If only they had to opportunity to study computer and networking infrastructure …
The role of security in today’s world, though, is no longer strictly in the realm of IT professionals. Security is the responsibility of every employee. As cybercriminals become increasingly more organized and sophisticated, they have expanded their attack vectors to target employees at every level in an organization. A phishing attack on an intern can lead to the same network access and catastrophic consequences as if they successfully breached a C-level executive’s account.
How AI Steps In
If cybercriminals are constantly evolving their attack methods and strategies, shouldn’t cybersecurity professionals be doing the same? I’d venture to assume that the majority of cybercriminals don’t have four-year degrees in computer science. Many are self-taught, very intelligent and skilled at improvising their way breaking into a secured network, whether it is via custom-designed malware or simple social engineering tactics. So, to fight fire with fire, shouldn’t the security industry look to recruit nontraditional applicants with diverse backgrounds that can bring new ideas and different sets of problem-solving skills to cybersecurity that can’t be taught in a classroom?
Until recently, this would not have been possible. The cybersecurity profession requires a certain level of technical proficiency, as it should. An individual who has never studied in the realm of computer science likely cannot set up a firewall, much less penetration test application security, or uncover outbound network traffic heading to Russia.
Today though, new cybersecurity tools are becoming available that bring the ease of use we’ve been accustomed to as consumers—for example, the way we reflexively turn to Google the moment we are looking for the tiniest piece of information debated at a dinner party—to the forefront of cybersecurity. The combination of AI, machine learning and natural language processing now makes it viable to automate certain security procedures and give anyone in an organization the ability to ask questions directly to the data in seconds, without knowing how to write a line of code.
AI technology, despite the futuristic hype it often receives, is still in its infancy. Even so, it is proving to be an incredibly powerful tool to bridge the gap of cybersecurity talent. Not as a replacement, as many fear, but an enhancement that opens up new possibilities, both for masters of the craft and those that had never considered a position in that realm.
Imagine a world in which an English major can graduate from college and land their first job in a cybersecurity role as a threat hunter, based not on technical knowledge but their ability to use critical thinking and curiosity to investigate network anomalies. Or, as I’ve seen firsthand, retired police officers and military veterans transition from their roles in physical building security to become cybersecurity intelligence investigators, utilizing their years of experience in chasing criminals on the streets or backgrounds in military intelligence on the battlefield to pursue the new threat actors in the cyber realm.
With advances in AI that augment human skill sets, federal agencies can look internally to their existing employees and reskill promising candidates that show initiative, a knack for problem solving, a willingness to learn and a curious disposition.
AI will not be replacing the role of a cybersecurity expert anytime soon. It will, however, open new doorways and opportunities to those without a traditional technical background. It will be those people that can bring some much needed outside perspective and insight and move the state of the federal-level of cybersecurity forward to meet the new challenges that will be faced daily.