Public and private sectors alike are engaged in the rapid transition to a new digital economy. To succeed, businesses and government organizations must rely on an evolving digital infrastructure made up of free-ranging endpoint and IoT devices, multi-cloud networks, and a rapidly expanding edge. They also need to manage and secure sophisticated and constantly changing applications, real-time transactions, bandwidth-hungry media and services, and workflows that need to span the entire distributed network. As a result, growing network complexity and an expanding attack surface have created a field day for cybercriminals.
Compounding the challenge, according to a workforce development survey, 59% of organizations have unfilled cybersecurity positions, with Frost & Sullivan forecasting a shortfall of 1.5 million by 2020.
According to Fortinet CISO Phil Quade, NSA’s former Director’s Special Assistant for Cyber and Chief of the NSA Cyber Task Force, “The US Government issued an Executive Order [announced on May 2, 2019] designed to smooth out the lumpiness of cybersecurity skills across government departments and agencies. Titled ‘America’s Cybersecurity Workforce’, the EO establishes a within-government policy designed to encourage cross-pollination of cybersecurity workforces. While skeptics might view this as the proverbial ‘rearranging the deck chairs on the Titanic’, it deserves a richer analysis, since it’s action that acknowledges that any organization, large or small, must be objective in understanding its shortfalls and strengths.”
To start this process, Quade continued, “cybersecurity needs to be treated more like a science than an art, and addressing the cybersecurity skills gap in the abstract is only a piece of the puzzle. Good things won’t happen without also using more rigor in planning and executing cybersecurity strategy, and understanding the fundamental elements that it is necessary to optimize around. With full respect for those government professionals whose mission it is to protect the bison and the forests, it’s naive to think that they’ll also take on the attempts by our nation-state adversaries to penetrate government systems, or otherwise, alone, detect and respond to sophisticated cyber attacks.”
To close the cyberskills gap, public and private institutions alike must employ a comprehensive workforce initiative around cybersecurity to create a talent pool that can serve many. What’s needed to take on the converging security challenges of today is the creation of a workforce with a variety of skill levels, and a low barrier to entry, combined with strategic progressions through their professional development.
Ken Xie, Fortinet’s CEO and Founder, explained that: “Becoming an effective security professional requires more than knowing how to deploy and configure technology. It requires combining security theory with practical, hands-on experience. That is something that few certification solutions currently provide. To address this challenge, we need a new approach that combines the resources of private industry and public institutions.”
According to Quade, “Standing against today’s advanced cyberthreats requires expert security professionals who know how to engineer secure environments and detect and respond to sophisticated attacks. And we need to acknowledge that neither the Government nor the Private Sector alone can address the pressing problem of the cybersecurity skills gap.”
There is a need for a work environment that can not only increase the speed at which we develop basic expertise, but also foster an environment where organizations can develop world-class expertise across a variety of sectors and environments, both public and private. Such an environment should also require security experts to mentor novices to ensure they develop the high-end cybersecurity skills and experiences that our digital economy requires.
The development of such a workforce, comprised of individuals with multiple skill levels, will help create a talent pool that effectively spans all sectors. This will allow us to not only arm this workforce with the skills and technologies needed to take on the converging security challenges of today, but it will also enable those individuals to continually evolve their skills so they can address the challenges of the future.
“We need to create a workforce, with multiple skill levels, to take on converging security challenges, to protect our critical infrastructures, industrial automation, autonomous transportation systems, and future healthcare solutions. The new kind of workforce should include Apprentices, Journeymen, and Masters in the combined fields of cybersecurity and physical security, since, increasingly, cyber and physical processes are converging,” Phil commented.
As a start, the security industry must do a better job of identifying and attracting potential cybersecurity candidates, beginning as early as secondary school and continuing through college. The industry also needs to focus on people currently working in IT. These efforts also need to identify and appeal to women and minorities, who have historically been underrepresented in the cybersecurity workplace and who represent a very real solution for closing the cyber skills gap at scale.
We also need to step up our efforts to leverage military veterans transitioning to civilian life. Today’s modern military relies on technology, which means that transitioning military personnel already have exposure to many of the latest IT tools. Military veterans also have a security perspective trained into them (such as chain of command, establishing and monitoring a fluid perimeter, following established protocols, and applying a defensive outlook to the task at hand) that translates directly into the realm of cybersecurity. To that end, the Fortinet Veterans Program (FortiVet) facilitates the transition of exceptional military veterans into the cybersecurity industry by providing professional networking, training, and mentoring to help close the skills shortage gap.
Further, efforts should include funding hands-on training and labs in educational or industrial settings, creating a consortium of organizations willing to work together to cross-train security professionals, and developing a mentoring or apprenticeship program within an organization.
Ken Xie explained Fortinet’s commitment to this process. “The problem we face is that there are simply not enough skilled humans available to properly plan, manage, integrate, and optimize security devices, strategies, and protocols. To help address this cyber skills gap, Fortinet offers a worldwide Network Security Expert (NSE) program, an eight-level certification program aimed at advancing aspiring and technical professionals in their skills and knowledge of today’s modern cybersecurity landscape. In 2016, the company extended the program to educators and students through the Fortinet Network Security Academy (FNSA), facilitating network security education across the globe to help educate, train, and prepare the next generation of cybersecurity experts.”
To date, the Fortinet Network Security Expert program has been integrated into secondary and post-secondary programs, with over 150 Security Academies in place around the world to help produce more entry-level cybersecurity workers.
Finally, we need to accelerate our adoption of automation and machine learning to supplement limited resources, and allow humans to focus on higher-order activities. Even as we ramp up our stable of skilled cybersecurity professionals, the speed and sophistication of many of today’s attacks mean we can no longer rely as heavily on humans to detect and respond to threats fast enough. Automation and machine learning can fill that gap by enabling security defenses to respond in real time.
Ken Xie commented: "Security tools can be trained using machine learning to take over many of the more mundane security tasks, such as patching, updating, or configuring devices. By offloading these activities to an automated system, precious security personnel can be refocused on higher order tasks, such as policy refinement and threat analysis."
As the first cybersecurity company to have been named a founding partner of the World Economic Forum Centre for Cybersecurity, Fortinet is committed to collaborating with global leaders from the private and public sectors on our shared commitment to collectively respond to the growing global cybersecurity threat.
Businesses, NGOs, government agencies, and the owners and managers of critical infrastructures all increasingly rely on today’s interconnected digital infrastructure. And because of this interconnectivity and growing digital interdependence, a major security event could have catastrophic consequences for us all around the globe.
The time for waiting is over. The integration between individuals and organizations is only going to accelerate as things like immersive applications, 5G-enabled devices, and the requirement for on-demand access to information and resources from private and public sector providers begin to drive another wave of transformation that raises the stakes even further.
Learn more about how Fortinet’s NSE Institute provides critical cybersecurity training and education about the security market and its solutions to prepare individuals for today’s rapidly expanding threat landscape, and our FortiVets program that helps veterans transition into civilian life and a career in cybersecurity.