Workforce demand for information security analysts is projected to grow 28 percent from 2016 to 2026, much faster than the average for all occupations, the U.S. Labor Bureau of Statistics reports.
This growth in jobs, however, is not being matched by an equivalent growth in the number of people qualified to fill those positions – not even close.
The nonprofit Center for Cyber Safety and Education has been forecasting a global shortage of 1.5 million skilled cybersecurity workers by 2020. The organization, which credentials security professionals, now has upped that estimate to a 1.8 million worker shortage by 2022.
“This is reflected by the extraordinarily high number of professionals across the globe who indicate that there are not enough workers in their departments,” the center said this year in its latest report, which found a third of hiring managers plan to boost their security teams by at least 15 percent.
One reason is that the number of security incidents is escalating, according to Vigyan “Vigs” J. Chandra, professor and coordinator of the network security and electronics technology program at Eastern Kentucky University.
Meanwhile, the use of internet web robots or “bots” – automated software scripts that can operate from nearly any network-connected device – is on the rise. For example, Wired magazine recently reported that the Reaper IoT botnet has infected more than 1 million networks.
Cybersecurity is an increasingly serious problem for businesses and individuals, with constant change in the field of information technology making the definition of an adequately skilled worker a moving target.
“Technology changes quickly. Cybersecurity changes rapidly,” said Joe Danaher, chief information security officer for Integrity IT. “You must have the ability to adapt. As in most industries, true innovators in IT are self-motivated to learn, curious, adaptable and creative thinkers.”
Kentucky schools are responding
It all factors into the strategic calculations of colleges and universities across Kentucky. Public, private and for-profit alike, higher-education institutions are rapidly creating and expanding programs to educate and train people for the profession, as well as leading the way on myriad other ways to address cybersecurity.
In late November, the University of Louisville won a $580,000 federal grant to expand training for cybersecurity specialists.
The grant, from the U.S. National Security Agency and the Department of Homeland Security, supports two interdisciplinary programs among three UofL schools: the J.B. Speed School of Engineering, the College of Arts and Sciences, and the College of Business.
The first program will teach cybersecurity measures to public safety employees, and the other will use off-the-shelf hardware and software to design new cybersecurity teaching methods.
The two new programs are an extension of UofL’s Cyber Security Initiative, which also offers a graduate certificate in network and information security. They are designed for advanced computer professionals as well as students majoring in disciplines other than computer engineering and computer science. Taking a multidisciplinary approach, the credential includes courses from both the computer engineering and computer science departments.
UofL founded its own cybersecurity lab in 2008. Open to students wanting to research security-related topics, the lab’s claim to fame is that it was the site of the world’s first research in “artimetrics,” a field of study aimed at identifying, classifying and authenticating bots, software and virtual-reality agents.
“We are all geared up to enhance our cybersecurity education offerings and help fill the skills gap in this area of national priority,” said Adel Elmaghraby, professor and chair of the Speed School’s computer engineering and computer science department and principal investigator.
UofL’s work in cybersecurity has been recognized before. In 2014, the U.S. Department of Homeland Security and the National Security Agency designated UofL a National Center of Academic Excellence in Cyber Defense Education (CAE-CDE); that designation recently was extended through 2019.
Creating a bigger worker pool
Meanwhile, the NSA’s Centers of Academic Excellence in Cyber Operations Program is intended to “broaden the nation’s pool of skilled workers capable of supporting a cyber-secure nation,” according to its website.
The NSA recognizes three Kentucky schools as CAE-CDE: UofL, Northern Kentucky University in Highland Heights, and most recently the University of the Cumberlands in Williamsburg.
NKU offers a cybersecurity certificate in both traditional and online formats. The certificate includes knowledge of a broad range of technologies as well as an understanding of government laws and policies related to computer crime. It is designed so that students have a demonstrated understanding of NSA-specified core knowledge units of computer security.
Down in Williamsburg, the University of the Cumberlands offers both associate’s and bachelor’s degrees in information technology that integrate technical skill and general education knowledge.
“One key differentiator for our program is that many of our courses are mapped to industry certifications,” said Donnie Grimes, chair of UC’s School of Computer and Information Sciences and vice president for information services. “Since employers use certifications as a way to validate knowledge, our graduates will have a much easier time getting jobs. They will also command much higher starting salaries.”
New Ph.D. program
One of the newest cybersecurity programs is a Ph.D. at Campbellsville University, which began just this October. Designed for working adults, the management program allows students to specialize in one of three areas: cyber technology management, leadership management, or human resource management.
“This is such a relevant area, said Patricia H. Cowherd, dean and professor of the School of Business, Economics and Technology.
The course description reveals why. Students take classes in disaster recovery/business continuity, legal and ethical issues, and evolving issues in cyber warfare. Students do everything from learning to defend information and computer networks from attacks, to repairing a company’s technological infrastructure after an attack, to developing a disaster recovery plan.
Designed for working adults, the three-year program is mostly online but does have a once-a-year residency requirement during which students have workshops in topics such as APA formatting, library resources and how to access university services.
The Ph.D program is an outgrowth from the school’s established master’s program in information technology management.
Those in the field should plan on furthering their knowledge in as many ways as they can, according to Danaher.
“Upon graduating, experience is key. Standard classroom learning is not enough,” he said. “The best IT employee has experience in incident response along with a foundational knowledge of technology and practical application. Internships, apprenticeships and real-scenario lab work are critical aspects of technology training programs. Certifications are a valuable expectation in order to advance in the field. For a cybersecurity focus, you must add a sound knowledge of networking, exposure to security tools, and an understanding of Python programming language.”
Getting into the field
While Campbellsville’s Ph.D program is the only doctorate-level program, there are numerous entry points into the cybersecurity field. Most offer a certificate, undergraduate or graduate, in a specific area.
The Kentucky Community and Technical College System offers many of these programs. Each of its 16 colleges has an information security or a Security+ AA/AS degree and/or certificate program, according to Mary Hemlepp, senior communications strategist for KCTCS.
The Security+ certificate is a single course designed to help students pass the CompTia Security+ certification exam, a recognized first step in the tech world. KCTCS’s information security specialist certificate is more involved, although it still allows students to focus on tech issues without completing general education courses.
It can be difficult to differentiate programs using the cybersecurity nomenclature. Programs at many schools are more focused on traditional information technology with some cybersecurity coursework added in as the issue and the jobs related to computer security have become a booming concern in recent years.
EKU, for example, offers a bachelor’s degree in network security and electronics. It is a more traditional program that prepares students to provide computer and network administration expertise for software users in a broad range of work environments.
Since 2011, the university in Richmond also has offered a computer forensics and security concentration within its computer science degree program. It is one of only two national accredited undergraduate digital forensic programs in the United States. (University of Central Oklahoma is the other.) Coursework concentrates on the growing area of computer system administration, database security, network security, computer forensics, information assurance, and related security techniques.
“To prepare our graduates to protect computer networks now and in the future, we require (them to learn) a combination of both software and hardware tools and technologies,” said EKU’s Chandra. “Our programs are attempting to do so through structured learning activities at the bachelor’s and master’s level.
“The master’s program in applied engineering and technology management with a concentration in network security management (AETM-NSM) allows graduates to plan, implement and analyze computer network systems with an emphasis on security considerations, solve technical problems, and manage projects,” he said. “The MS (AETM-NSM) provides opportunities for expanding the computer network security skillset needed by network managers for maintaining existing computer networks and for integrating with legacy ones.
EKU offers an accelerated 3+2 program that allows students to earn both a bachelor of science in network and security electronics and a master of science AETM-NSM degree within five calendar years.
“Undergraduates with proven academic ability entering the 3+2 program take specific graduate-level classes, which are counted in both their undergraduate and graduate degrees,” Chandra said. “EKU also offers a concurrent graduate enrollment option, which allows undergraduate students to take a much broader selection of graduate-level classes.
“Following approval by our professional advisory committee earlier this semester, we are planning on an updating our BS degree program to reflect our focus on cyber systems as well as network security and its management in the upcoming academic year.”
Stairsteps rather than acceleration
Rather than dual-track acceleration, Sullivan University’s College of Information and Computer Technology, with headquarters in Lexington, uses what it calls a “stairstep” approach. It started with certificate programs and has continued to add courses and degrees as needs have changed. This allows students to build a foundation of technical skills and then add higher-level skills such as cybersecurity.
The university offers certificates as well as bachelor’s and master’s degrees. Undergraduate options include the cybersecurity administration certificate and the cybersecurity professional certificate, according to Julie King, Sullivan’s dean of the College of Information and Computer Technology.
“We offer a lot of classes in Security+ certification,” King said. “Often, students earn a certificate and then come back for an associate degree and then a bachelor’s degree, and ultimately a master’s degree. If they already have a degree in another area, students come back and focus on the cybersecurity aspect.
“We have seen a lot of statistics that show more demand than people (with qualifications) to fill the jobs in cyber-security. That’s why we went in this direction. We want to prepare as many students as possible in security. It looks like a really good area to find employment.”
Learning cyber skills online
Sullivan is one of the many schools that offer degrees online. Sullivan’s associate degree in computer network security and forensics is an example. It covers programming and basic software and hardware components as well as courses in forensics needed to recover and decrypt data. Sullivan offers a bachelor’s degree in computer network security and forensics online as well as a master’s degree in cybersecurity.
Virtually all of the certificate programs are offered online. In addition, many universities offer specific programs online. For instance, the University of the Cumberlands’ master’s degree in information systems security is entirely online. At EKU, both the bachelor’s and master’s programs can be done online.
With a field that is literally changing every day, ongoing education is also becoming essential. In addition to degree programs, Northern Kentucky University (NKU) has offered a cybersecurity symposium for the past 10 years. The symposium brings together IT and security professionals and security and privacy attorneys for a one-day event focusing on cybersecurity challenges, legal issues, risk management, and best practices.
NKU also offers degrees, of course, including a cybersecurity certificate that is focused on the essentials of secure networks, databases and operating systems.
Likewise, Western Kentucky University (WKU) in Bowling Green runs the WKU Small Business Accelerator, which has produced Millstone Labs, a provider of cyber forensics software and hardware to law enforcement.
WKU also offers a multidisciplinary graduate degree program in homeland security sciences, a multidisciplinary approach including physics, biology and chemistry to detect, quantify, prevent, and decontaminate chemical, biological, radiological, nuclear, and explosive (CBRNE) threats. The program features a hands-on, real-world research component.
Coming soon to a computer near you
Cybersecurity is not the only aspect of computer science set for explosive growth.
“The field of networking is getting set to see its next big boom with the emerging Internet of Things (IoT) where more and more devices get Wi-Fi enabled and are able to communicate over the network,” said EKU’s Chandra. “There is a need for preparing students to handle both the electronic and computer aspects of these technologies. The background in electronics we provide for students along with use of device hardware and software will enable them to learn the management and security of smart devices. With the upcoming IoT allowing for more devices to connect to the internet, the need for grads who can work with both electricity/electronic devices interfaced with computer/network systems is likely to grow by leaps and bounds.”
Debra Gibson Isaacs is a correspondent for The Lane Report. She can be reached at [email protected]