Following the Biden administration’s call to action to address the nation’s biggest cybersecurity challenges, leading tech and infosec businesses have been publicly declaring their intentions to help close the cyber skills gap through career training programs.
Among the latest to go public with their support: Fortinet, which on Wednesday pledged to train an additional million people over the next five years through its through its Training Advancement Agenda (TAA) initiative and Network Security Experts (NSE) Training Institute programs. This followed IBM Chairman and CEO Arvind Krishna promising on LinkedIn to train more than 150,000 people in over the next three years, while also partnering with over 20 historically black colleges and universities to diversity the cyber workforce. Similarly, Google and Microsoft also said they would contribute to various training initiatives and partnerships.
Even if such pronouncements serve as marketing and publicity opportunities for companies to generate some good will, there’s still no denying that every little bit helps. After all, according to a November 2020 (ISC)2 report, the cyber skills gap stands at around 3.12 million.
“When we think about the skills gap, we think about attracting dramatically larger numbers of kids and adults into the cybersecurity world. To do that, we have to make sure they have access to technology, an understanding of what a career in cybersecurity looks like, and a clearly defined path to get there,” said Gary Latham, executive director of the Security Advisor Alliance. “That covers a lot of ground and will require a collaborative, non-competitive response from companies that are used to going head to head in the market every day. I believe that is what we are beginning to see and we applaud that.”
The Wednesday announcement from Fortinet – whose VPN product was the subject of a prominent credentials leak incident that same day – represents a continuation of the company’s efforts to make its training offerings more widely available to the public. Fortinet’s TAA and NSE programs, which includes an eight-level certification program and almost 400 hours of curriculum, were originally available only to its paying customers, but when the COVID pandemic set in, the company made all of it a free service, available to everyone.
“At one point we were seeing a registration every five minutes,” said Sandra Wheatly Smerdon, the company's senior vice president of marketing, threat intelligence and influencer communications. Nearly 700,000 professionals have already enrolled in Fortinet training, and now the company has its mind set on more than doubling that number in the next half-decade.
“Of course, we'll continue to expand all of [our] programs and to promote them,” said Smerdon. “In terms of our NSE training, we continue to add new modules that are aligned with some of the emerging technologies and growth areas that we've seen in cybersecurity.” This includes new coursework that specifically focuses on OT environments.
In response to Fortinet and other firms’ commitment to growing the cyber workforce, Smerdon said it was “extremely encouraging to see companies step up and really put a stake in the ground [and] really try to move the needle and solve this issue.”
“It's long been believed that the only way to solve this problem is for private companies and public organizations to come together. This is not something that academia can fix alone,” Smerdon continued. “So it's only by… vendors coming together and offering this free training, and other programs that many believe we can improve this problem.”
"The good news is that educational capacity for cybersecurity continues to grow through university programs as well as through targeted coursework from companies like Fullstack [Academy] and CompTIA,” added Latha. “And organizations like the Security Advisor Alliance, CyberUp, and others have the ability to generate interest and guide and mentor students. The technology giants can make an enormous difference by helping ensure that every student has access to computers and the internet, and by supporting these programs."
Industry insiders did have some suggestions for how these training programs could improve and become even more effective.
For instance, “I think it’s very important to have resources for various skill levels (beginners to professionals), as well as learning types (synchronous and asynchronous),” said Veer Dedhia, director of academics, cybersecurity, at Fullstack Academy.
Additionally, “I’d like to see how the trainings offered relate to jobs in the industry, and actual student work that demonstrates job readiness. For example, one assignment that our students work on is a cyber incident investigation, and students complete a report that details their conclusions along with citations of evidence. This is exactly how a SOC analyst is required to document investigations, and showcases how ready a student is to be effective at filling one of [these jobs.”
Moreover, “I’d like to see results on hiring people who go through these trainings,” Dedhia continued. “How are these companies changing hiring practices to account for experience and skills that come from trainings instead of degree programs?
Todd Thibodeaux, president and CEO of the nonprofit trade association CompTIA, applauded businesses’ response to Biden’s call to action, but opined that the biggest contributor to the skills gap is not lack of available training.
“Having a few extra companies step up is meaningless if they aren’t acting on the core challenges limiting people from coming into the cyber field in the first place with the biggest among them being the ‘confidence gap,’ said Thibodeaux. “Individuals have been brainwashed into thinking careers in cyber require STEM, computer science and a college degree, but this is very far from the truth, and it leaves the majority of otherwise great candidates feeling a lack of confidence in their ability to be successful in the field.”
“Ensuring user compliance, penetration testing, cyber analytics, network administration, cloud administration, server and application management and ongoing oversight and maintenance of an organizations cyber infrastructure account for the majority of cyber work done on a day to day basis, and none require computer science or advanced math skills,” Thibodeaux continued.
Rather than creating more of their own training programs, Thibodeaux encourages companies to partner with organizations such as CompTIA and others “who’ve been developing industry vetted, vendor neutral programs for 30 years” and then “encourage employers to drop college degree requirements for cyber positions since they aren’t needed,” and “ensure potential candidates know they don’t need a STEM background to work in cyber and stop positioning coding as a prerequisite to a cyber career.”
