Who are the gatekeepers for cybersecurity in the world of education? Within colleges and universities there are many technologists who are cybersecurity experts and who have training and certifications to prove it. There is also a significant population who have cybersecurity skills and do work within distributed divisions, colleges and schools at the research universities. The amount of experts filling cybersecurity roles shrinks at the smaller universities and community colleges. While many at the K-12 level know security rules and have skills, identifying a community of K-12 cybersecurity experts is the real challenge.
The annual (ISC)2 Cyber Workforce Study for 2021 reveals part of the mystery. Among cybersecurity workers, job satisfaction overall is strong with the study showing 77% which is significantly higher than the pre-pandemic 2019 survey (66%). Job satisfaction among those in education cyber roles stands at 69% which is lower than retail (83%), manufacturing (82%), IT services (80%) and telecom (72%) among others. The question for many education leaders to answer is why are the education cybersecurity workers dissatisfied?
Education has the perpetual challenge of competition for the top talent. Pay is a significant issue considering the average cybersecurity salary in North America is almost $120K according to the (ISC)2 survey. According to a 2021 education survey conducted by Western Governor’s University, after “some years of experience” and perhaps some additional education or certifications, an average cybersecurity analyst in higher education earns a salary of $95,000. Of course, that’s likely after that worker obtains a bachelor's degree or multiple certifications (required in 73% of job postings).
What is left is to consider is how cybersecurity and IT leaders in education are challenged to create and sustain the flexible and encouraging work environment at their educational institution. According to a Spring 2021 article in Government Computing News, these challenges could include the continuing string of breaches and exposure of sensitive data, malware attacks or ransomware. As the article noted, the challenge is serious as many endpoints deployed during the pandemic to remote learners and workers lack the most recent Microsoft security updates exposing them to over 1200 product vulnerabilities.
There should be no illusion that education cybersecurity is a relaxed environment and not much of a work challenge. Some of the larger K-12 school districts have more “users”, meaning students, faculty and administrators, than the average global commercial conglomerate. Higher education governance is often widely distributed and entertains many opinions of what effective and efficient cybersecurity should look like.
Compensation and work environment are like opposing teams on the football field. While one team’s offense pushes the other team’s defense around, the crowd of fans in the stands are entertained and happy – until they are looking at the opposite team’s offense making gains and their defense losing ground. The perceptions of security are congruent with the attitude of those users and their influence on the professional cybersecurity staff. Territorial influences abound. Historically, what central IT and the central security team want to do to improve security is often met with little care or only passing interest by those distributed IT players. That is until something happens and they cannot access data due to ransomware or they are made aware of a cyber vulnerability that fits their technology.
When that moment happens, the CISO or any cybersecurity manager needs to be ready. If you know one those IT experts who doesn’t fail in that moment of glory, especially if they have any related background like risk management, legal studies, or IT program management, encourage them. If you find they are ready to make the jump into the education cybersecurity workforce, you have work to do. No doubt you could help them fill one of the 2.72 million unfilled cyber jobs from recruiting firms like Dice. Show off those job roles and position descriptions you have available or displayed on LinkedIn. Create a keyword search string like “cybersecurity jobs higher education” or “university cybersecurity jobs” which should lead them to an extensive list of opportunities – over 650 in a recent search this author tried.
There are many cybersecurity or information security and privacy roles that could be a fit for those interested in joining a career field with role definitions that could closely match their skills. Be the CISO that uncovers the diamond in the rough with the education and experience in line with many of the entry level roles and help them work their way up from there. Or, help them get ahead by opening up your massive reference library and help them study to earn one of the many industry certifications before applying. Consider the free training offered by the SANS organization.
As a CISO, you are their concierge who can show the best people the right path. Yes, it will require continued study and experiences to keep current with technology, threats, vulnerabilities and policy. That’s the game worth playing.
For anyone interested in a career in cybersecurity, getting the inside scoop from an education cybersecurity analyst is also a good start to establishing a mentoring relationship. Success can come from seeking a mentor who has been in cybersecurity and education for more than just a few years. Most university mentors have a mix of higher education, plus commercial or other public sector roles. Another source is the Cybersecurity Mentoring Hub which has a number of useful resources for the job seeker and potential mentors. Mentors have been there and likely have made the transition into an education cybersecurity career similar to the one you might be considering. A good mentor can show the way and help avoid choices that are not helpful while promoting opportunities that are.
Another resource for mentoring and training for career transitioning into cybersecurity is the Fortinet Training Institute and the Fortinet Training Advancement Agenda (TAA). While not specifically focused on education, these resources form an ecosystem of public and private partnerships to further address the skills gap by increasing the access and reach of important and useful cybersecurity certifications and training.
Education leaders recognize that veterans can be a useful resource for their cybersecurity teams. Often bringing maturity and useful “soft skills” to the table, veterans also understand the value of education and in being part of a team providing a much needed and useful service.
The National Initiative for Cybersecurity Careers and Studies provides information for those military veterans looking for a career in cybersecurity. Transitioning and former military should also consider the Fortinet Veterans Program which helps turn the natural “problem solver” mindset of a veteran toward careers in cybersecurity.
Education cybersecurity teams are a great place to learn and thrive in the cybersecurity profession. Leaders at the University, college, or K-12 level should invest in having the right talent doing the right work and at the right time. Investing in staff and training will improve cybersecurity and avoid those dramatic costs involved with remediation of breaches or denial of services which can cripple education networks and technology.