By Michelle Harven
It’s well documented that there is a shortage of cybersecurity professionals in the U.S., and in particular the federal government. It’s a problem that is worrisome to the government and private companies. There have been plenty of government backed initiatives such as President George W. Bush’s Comprehensive National Cybersecurity Initiative (CNCI) and President Barack Obama’s National Initiative for Cybersecurity Education (NICE), however we’ve yet to see the payoff and some say these initiatives will take years to produce results.
Arthur W. Coviello Jr., the retired executive chairman of RSA, one of the leading companies in the security industry, has been in the business for two decades. He noted one of the biggest problems that the cybersecurity market faces is the lack of sufficiently skilled people.
“A few years ago Forrester Research had a prediction that we would need a couple million more professionals by 2015,” said Coviello. “I haven’t seem them materialize. So, this is a place where we have a critical skills shortage. That’s why I’m so enthusiastic and so encouraging of all of these programs that are developing across the country at colleges and universities training the next generation of cyber warriors.”
ADDRESSING A WORKFORCE SHORTAGE
More educational programs today are addressing cybersecurity than 10 years ago. Many have been established just within the past five years and are still gathering the numbers of what their graduates are doing after completing their degree.
Many cybersecurity programs receive federal funding to help their students succeed. At Northeastern University’s program, students can get up to two years of full tuition and then work for two years in a paid position in government branches like the NSA, FBI, and CIA.
“The Department of Homeland Security is looking to us to build the next generation of resilient engineers and scientists to build resilient cities,” said David Kaeli, professor of electrical and computer engineering at Northeastern University. “The federal government is putting millions into this. So, our government recognizes the threat.”
However, the government assistance isn’t offered to international students who make up a good portion of the computer science program majors. “This raises questions of how can we create a multinational workforce environment that can work effectively in a highly secure environment,” Kaeli said. “It’s something that I think we have to address. It’s also going to help us greatly in the end.”
The need is greater in the federal government because the private sector generally offers more money to its employees. Many professionals coming out of these degree programs end up working at companies instead of government agencies. Kaeli said the people who go to work in the government are the people who really want to help keep the nation secure.
“They see this as a service to their government, and that’s to be respected,” Kaeli said. “They really are just like one of the soldiers. They’re protecting our country and we take that for granted many times.”
Ethan Heilman, a research fellow at Boston University in the computer science department said he wouldn’t want to work for the government for entirely different reasons. “It appears powerful elements of the U.S. government are more interested in sabotaging national computer security standards for bureaucratic gain than making computers and networks safer,” he said, adding, “the exception being NIST [National Institute for Standards and Technology], which seems to act in the interests of public safety.”
Even with the persistent need for cyber workers, Kaeli said he’s seen at least a double-digit increase in the percentage of students going into cybersecurity fields. “Students recognize that if you look at the job opportunities, if you look at technology, this is the number one field where you can get a job.”
While Heilman agreed having more cybersecurity professionals can’t hurt, he believes there are other ways to make cybersecurity more effective. “Cybersecurity professionals are often reactionary to security problems. They often don’t write the code themselves, so they can only attempt to discover and mitigate vulnerabilities,” Heilman said.
He said not only are the professionals not being given the right tools to do their job, but recommendations must make sense to businesses who often find it is not in their financial interest to make changes. He said a more proactive approach to securing data would be best for everyone. “Educate and train software engineers to be more aware of security so that vulnerabilities aren’t created in the first place,” Heilman said, “and pass laws which incentivize businesses to spend money writing secure software.”
A CYBERSECURITY HUB
Massachusetts has recently been given the reputation of being a cybersecurity hub, second only to Silicon Valley. A cluster of education programs, research labs, startups, and businesses operate in the Greater Boston area and in Massachusetts making it a rich market and a hotbed for professionals. With more than two dozen cybersecurity companies and organizations in Boston and over 10 schools that offer cybersecurity programs, it means more jobs and investment.
“I think there’s a good potential for Massachusetts to take a real leadership position here,” said Coviello. He said many of the schools here such as MIT, Harvard, Northeastern, Boston University, and the University of Massachusetts offer rich programs and have great research capabilities, but Massachusetts has even more than that. “We also have the kind of law schools and the kind of social science capabilities within the great universities and colleges in the Boston area and across Massachusetts to deliver the kind of policy changes we need within government,” he said.
Paul Roberts, the editor of The Security Ledger has seen the technology market evolve in Massachusetts since the beginning, when he worked as an industry analyst. “Massachusetts has this real strength in terms of the skill sets around device makers, manufacturers, health care, all these industries that are kind of coming together in that area,” he said. “I think Massachusetts has a lot going for it. There are a lot of opportunities for startups for security companies.”
Roberts said the city of Boston has a rich history in technology, going back to groups like the L0pht Heavy Industries, which was a hacker collective active in the early 1990s that focused on security and one of the first hacker spaces in the country.
Chris Wysopal was one of the original members and is now the Chief Technology Officer (CTO) of a highly successful security company, Veracode. He said being in Massachusetts was one of the reasons L0pht existed.
“Part of our influences was certainly MIT as an early technology innovator around a lot of stuff, and that got people thinking about security,” said Wysopal. “You have to sort of be early adopters of the technology and have that available to you before you start to see the problems in it.”
He also believes the East Coast has a different type of technology culture than Silicon Valley. He said the culture of Massachusetts lends itself to security businesses and more conservative technology startups. “We lean more towards enterprise software, and the culture out in Silicon Valley leans more towards consumer software, your Facebooks, your more consumer mobile companies, your Snapchats, things like that.”
Wysopal said startups like Veracode, Bit9, and Rapid7 are representative of East Coast security software companies, which create software for enterprises and government.
Ted Julian, the vice president and co-founder of Resilient Systems, said these three companies will probably all go public in the next 12 months.
Along with the success of these companies, Julian’s own company has been taking off. Resilient Systems is adding more people to their team each quarter, has expanded its space in Cambridge, has a team in the United Kingdom, and a partnership in the Middle East.
“The Boston area has always been a leader in the cybersecurity field creating firsts in so many industry categories, and I don’t know if there is another sector, certainly business-to-business side that can really make that statement,” Julian said. “The Boston area can go toe-to-toe with Silicon Valley or anybody when it comes to the security business.”
A BOOMING MARKET
It isn’t just Boston; the whole market is gaining more traction everywhere. Julian said it probably has something to do with how much press the big breaches get, how many people are becoming affected by them, and how important security is becoming to companies.
“The truth is in bad economic times when a lot of IT infrastructure may struggle because they don’t have enough money, security companies will still survive because you can put a general purpose IT project on hold for a year, but to not spend any money on security for a year would be a bad idea,” Julian said. “The bad guys don’t go on vacation and when the economy is bad, they’re just as busy and sometimes even busier.”
Many factors are driving the market, said Israel Barack, founder of the Massachusetts-based security company, Sentrix. Barack said the threat of breaches has increased and hackers have more devices to break into. The market is also more educated regarding the impact of cyber threats.
These reasons are much of why the amount of money being put into the industry is growing rapidly. Barack cites an expected $110 billion in 2015, and $155 billion in 2019. “VCs invested close to $2 billion in hundreds of cybersecurity startups in 2014. Quite a few exited at $500 million to $1 billion in 2013 to 2014,” said Barack.
Matt Cherian, the product manager at BitSight Technologies, has seen a lot of growth in the company and in the industry. “I don’t think we are close to the peak in any way, given the underground market and given the demand for this kind of stuff,” he said. “And sometimes it’s not just about the money. There are groups out there that want to make political statements or other statements against certain companies, so because of that I expect breaches and compromises to systems to become more commonplace going forward.”
With the combination of a growing market and more educational programs offering tuition benefits, the cybersecurity workforce will continue to increase at a steady pace. What’s even more exciting for local businesses is that if Massachusetts keeps prioritizing cybersecurity, it could become an international leader in the field, which it isn’t far off from being right now.