There’s a number that has been quoted a lot by the cybersecurity industry in the past year: 209,000. That’s the number of unfilled U.S. jobs in the field as of March 2015, according to an analysis of Bureau of Labor Statistics numbers. And the demand for cybersecurity workers is expected to increase 53 percent by 2018.
It’s no wonder that security companies and divisions are struggling to defend against increasingly sophisticated cyber attacks—they can’t even fill their own ranks. The demand for experts is such that salaries of senior software security engineers and chief security officers nationwide can top $200,000, which is significantly higher than for other senior IT positions.
With demand so great, the question is where the supply will come from over the next few years. “We’re not moving fast enough on the dearth of talent,” says Bob Brennan, the CEO of Veracode, an application security company in Burlington, MA.
But efforts are underway nationally to strengthen the pipeline at various levels. For college students, the University of Denver started a master’s degree program in cybersecurity this year. The University of Washington’s satellite campus in Tacoma began offering a similar master’s program a few years ago. Several schools in the Washington, DC, area offer degrees in the field, including the University of Maryland and George Mason. And Boston-area colleges such as Northeastern and Boston University have made strides to include cybersecurity in their curricula. UMass Amherst just got a $3 million grant to launch a training center that will offer a certification program in cybersecurity.
All of this is a relatively recent phenomenon. “You’re starting to see it in academia for the first time—they’re teaching [cybersecurity] as part of computer science,” says Steve MacLellan, a startup advisor and investor who previously led the security division of Fidelity Investments.
One new program for senior-level corporate talent is about to launch at Brown University. The school is starting an executive master’s program in cybersecurity this fall. The 16-month program is designed for mid-career professionals who can do most of the coursework online, with a total of four weeks of training on Brown’s campus in Providence, RI, and in the San Francisco Bay Area. Tuition will run $97,500, with various options for financial aid.
The program will enroll 20 to 30 people starting in October, says director Alan Usas. The group of applicants is very broad in terms of background, he says—everyone from corporate lawyers and bank executives to government workers, tech executives, and private equity investors. “It’s really important that there be some diversity in the space,” Usas says.
He knows from experience. Usas was previously chief information officer at the Yale School of Management and assistant vice president for computing and information services at Brown. Before that, he worked in products and engineering at various security startups, as well as Tandem Computers, which was eventually acquired by Hewlett-Packard.
The Brown curriculum will have a strong technical component, but it will also include areas such as human factors, business risk, law, and policy. That mix is important, Usas says, to help executives apply security knowledge at the highest levels of their organizations (say, by taking a board seat at a public company). Some relevant job titles you’ll see these days include board director for cybersecurity, chief data privacy officer, and chief risk officer, he says.
“We think the alumni of our program will have a significant impact in the organizations they go back to,” Usas says.
I asked whether cybersecurity should have been emphasized much earlier in academia. Usas says, “A program like this created 10 years ago would have been relevant then, and we might not be in the same fix we’re in.” In other words, he says, academia “missed the boat.”
Other experts say there’s only so much that students can get from the classroom experience. “When it comes to real cybersecurity, there’s no place you can learn it” in school yet, says Lior Div, co-founder and CEO of Cybereason, a security company based in Boston and Tel Aviv. “In the States, there’s the NSA and the CIA, and that’s it. That’s a shame. We need a new generation of people who can walk the walk.”
Div adds, about the New England ecosystem, “We have great universities here, and we need to draw the talent to be here.”
Indeed, look for more of the region’s schools to ramp up their security training programs and collaborative efforts. MIT, Harvard, Northeastern, UMass, and Worcester Polytechnic Institute are members of the Advanced Cyber Security Center, a Massachusetts-based nonprofit consortium of academia, industry, and government that runs internship and co-op programs for students, among other functions.
Greg Dracon, a venture capitalist who serves on the center’s board of directors, agrees the cybersecurity talent pool is a crucial issue. But he’s bullish on the region as an epicenter of the field. “There is no better place in the world to build a security company,” Dracon says. “Boston has the right mix of talent. It’s an enterprise problem at the end of the day, and that’s where Boston has done well.”