Madison firm takes on global cybersecurity worker shortage

Citing a growing skills gap, Infosec has developed a training program to keep cybersecurity pros a few steps ahead of the bad guys.

There’s a cybersecurity problem in the U.S. and worldwide, and it’s one that could leave your business unprotected from cyberthreats — a growing workforce and skills shortage.

Madison-based Infosec aims to change that. Infosec has been fighting cybercrime since 2004, working with thousands of organizations and providing training for over 2.68 million students and professionals looking to stay a step ahead of the bad guys. Infosec’s most recent venture is targeted directly at closing the cybersecurity skills gap.

Launched in April 2019, Infosec Skills might just be the most comprehensive cybersecurity training program out there. The program was developed after hearing from IT and security professionals who asked for a program designed to help them learn to build defenses to counter tomorrow’s cyberthreats while laying out a clear path to take control of and advance their careers. What resulted is a 500-plus course program mapped to the NICE (National Initiative for Cybersecurity Education) Cybersecurity Workforce Framework, which contains entry, mid, and advanced cybersecurity roles backed by research into the actual skills requested by employers.

With Infosec Skills and NICE, users get a roadmap identifying what employers want and the tools needed to follow that career path, whether brand new to information security or an established professional.

The platform covers cybersecurity knowledge across 60-plus skill and certification learning paths. Each learning path contains a collection of courses structured to progress knowledge and close skill gaps, along with cloud-hosted cyber ranges, hands-on projects, custom practice exams, and skills assessments.

Infosec Skills couldn’t come along at a better time.

According to the (ISC)² Cybersecurity Workforce Study, the current cybersecurity workforce gap in the U.S. is 500,000. That represents a 62 percent increase needed over the current number of security workers. Additionally, the global workforce needs to grow 145 percent above the current number of workers just to get to where it needs to be today.

The (ISC)² report further notes that 51 percent of global cybersecurity pros say their companies are at moderate to extreme risk because of staff shortage, and the top concern of security pros (36 percent) is that their staff lacks the skills and experience to do their jobs effectively.

Those figures are backed up by a stark reality that should hit home for any business leader. The Ponemon Institute’s 2019 Cost of Data Breaches report shows that the average 2019 recovery cost for a business data breach was $3.92 million; of that number, $1.42 million was from lost business. The average time to discover and contain a breach might be even scarier: 279 days. According to the Ponemon Institute, 51 percent of the 2019 data breaches were caused by malicious cyberattacks, which also cost more and take longer to recover from — $4.45 million and a 314-day lifecycle.

There are many factors at play in the cybersecurity industry skills gap, notes Jack Koziol, Infosec CEO and founder. Some of the main reasons often linked to the skills gap are:

  • The number and severity of cyberattacks and the resulting breaches is skyrocketing. The jobs market simply isn’t keeping up with demand, which will probably continue until cybercrime becomes unprofitable. Cybercriminals are constantly evolving and changing their tactics.
  • Business has been slow to respond to threats and attacks despite all the headlines declaring the most recent data breach compromising the personal information of millions, not to mention millions paid in fines. Many believe adding security leaders and chief information officers at the board of directors level will improve this, says Koziol.
  • Until recently, the industry has not done a great job of defining career paths. “Pay, job titles, and duties are all over the place,” explains Koziol. “High burnout is also a factor. The work is incredibly stressful because security pros are constantly responding to new threats — many describe it like drinking out of a fire hose. There are recent studies showing that the industry is making progress in this area.”

Koziol says in recent years there has been growth in university-level specific cybersecurity programs. The UW System has degree programs now — UW–Stout has the Center for Cybersecurity and Cyber Defense which received a special designation from the NSA. Marquette University also offers a master’s level program now with a cybersecurity emphasis, as does UW–Milwaukee. And several UW schools offer certificate programs in cybersecurity, as well. There are even programs where cybersecurity fundamentals are being introduced in high school and younger with the goal of getting people interested in a career earlier.

Still, the skills gap is growing, necessitating programs like Infosec Skills to fill a need.

“Different businesses require different qualifications and certifications for similar job titles, so it can be confusing,” Koziol explains. “What we hear the most from the pros is they are looking for a way to take control of their career path while developing skills that keep them ahead of the bad guys.

“Content is king, of course, but a popular feature [of Infosec Skills] is that students can train and get hands-on experience anywhere — you don’t need to travel or buy expensive equipment,” Koziol continues. “The pricing plans are also unique in that they’re available in monthly, annual, and team packages, and we frequently offer free trials for anyone wanting to try it out.”

According to Koziol, the main point of developing the program around the NICE Cybersecurity Workforce Framework is that the 500-plus courses are all mapped to specific career standards determined by NICE. It’s important to note that the framework reflects the needs determined by employers with all those open positions and those doing the hiring, he explains.

“For example, there are course paths for cybersecurity analysts, incident responders, and penetration and vulnerability testers,” says Koziol. “A student can click on those roles and get a list of the coursework and certifications they need to best position themselves to get a job in that area or advance in their current position all according to what most agree are the industry standards.”

The curriculum is also in a constant state of evolution, whether that is updating an existing course or adding new ones as new threats emerge, though Koziol is quick to point out that the curriculum is not always in a reactive or catch-up mode. “We and the industry have a lot of smart people on the good side, too, who work to anticipate and stay ahead of the bad guys.”

Perhaps one of the most interesting aspects of the Infosec Skills program is there is no end to what professionals can learn.

A person completing all 500-plus courses and 60 skill and learning paths would be very smart and a formidable opponent to the cybercriminals, but you can’t measure this field of learning only in standard academic measures, Koziol notes. “Once someone completes the 500-plus courses, we’ll have another 500. In fact, we have plans for more than 800 courses to be updated or added in 2020. That’s all part of the ongoing skills treadmill. There is no finish line and most cybersecurity professionals have embraced that culture of constant learning.

“And there’s this,” adds Koziol. “The half-life of cyberskills was about two years in 2011, according to IT World. That means in two years about half of what I know today about cybersecurity will not be relevant.”

Koziol says that companies looking to create or fill information security roles should first figure out which security roles they need and then base their search on those candidates with the skills needed. Infosec Skills, based on the NICE Framework, offers the current standards that have been set for the specific roles in the field.

Having said that, Koziol notes CompTIA's Security+ certification is the most popular entry-level cybersecurity certification in the world and recently hit 500,000 holders worldwide. “It’s a common requirement for jobholders. What we stress is that every individual and every organization has their own unique skills gap, which is why we build skill assessments into our learning paths, so they can continually assess their skills and identify gaps throughout the organization and work to constantly improve that baseline rather than just meet it.”
