As a cyber security professional, I spend most of my days speaking with customers and colleagues about all of the nefarious ways “the bad guys” can wreak havoc and how we can best defend ourselves. The topics we discuss often include situational awareness, defense-in-depth, threat intelligence, and new cyber security paradigms we may find ourselves adopting as the Internet of Things (IoT) evolves. I would assert that these are extremely important topics to sort out. But there’s a very important element not being discussed: the question of who will sort them out.
Simply put: what difference does it make if you have the world’s greatest technology if nobody in your organization knows what to do with it?
Cisco estimates that there will be a deficit of one million skilled cyber security professionals over the next five years. By 2015, 90 percent of jobs in the developed world will require some set of IT-related skill. The United States Department of Education reports that just 16 percent of U.S. high school seniors are proficient in math and are interested in pursuing a career in science, technology, engineering, or math (STEM). This at a time when the United States rates an appalling 17th in science and 25th in math among industrialized nations.
How big is this problem? Consider what’s being called the Silver Tsunami, which is the pending glut of baby boomers reaching retirement age. Let’s put aside the effects that this demographic wave will have on social programs in the U.S. such as Medicare and Social Security. From our seat in the information technology industry, the this generation represents a trove of irreplaceable institutional knowledge – the byproduct of decades of hands-on, real-world experience.
At first blush, it would seem that this would be a more relevant topic for human resource officers and recruiters than for cyber security professionals. However, a shortage of skilled professionals defending our networks or innovating to keep pace with the bad guys poses a threat to every organization, including private and public-sector organizations that operate critical infrastructure.
I recently had the chance to sit down with some experts who study the critical infrastructure sector, including our electrical grid. They note that the critical infrastructure sector is rapidly modernizing. And that is creating a huge need for workers with new skills.
|Read Marc’s editorial “IoT Security: We’re doing it wrong!”|
Professor Sharron Gillies, coordinator of the Energy Utilities Program at Quinsigamond Community College (QCC) in Worcester, MA told me that its useful to think of our electrical grid as going “from the 1950s to the 21st century in one big step.” As that happens, utilities are making an extensive investments in hiring and training new employees, with cyber security a key component of contemporary training.
Right now, there are several examples of cooperation among utilities, government, and higher education to develop these important, next-generation skill sets. National Grid collaborates on programs with QCC (also funded in part by a Department of Labor grant) as well as Worcester Polytechnic Institute (WPI) to develop utility-specific skills from linemen to operators to utility-focused cyber security.
The University of Illinois at Champaign-Urbana is partnered with the University of Washington, University of California at Davis, and Dartmouth College under an umbrella organization called Trustworthy Cyber Infrastructure for the Power Grid (TCIPG), which is funded through grants from the Department of Energy and Department of Homeland Security. TCIPG boasts one of, if not, the largest, most comprehensive utility-focused cyber security test beds in the world. TCIPG also develops unique educational tools and games for students K-12; – The Center for Advanced Energy Studies (CAES) is a partnership among Idaho National Labs (INL) and Boise State University, Idaho State University, and University of Idaho. CAES functions as both a research body and an educational body, primarily focused on the nuclear energy industry.
Unfortunately for the utilities, it’s not as simple as investing in programs such as these and then scooping up the newly minted experts as they graduate. They often find themselves competing with companies such as Google, Microsoft, or Apple for the best and the brightest. Isn’t it the reward for helping to secure and improve the nation’s critical infrastructure enough? For some, it is, but graduating students have a range of motivations including the pragmatic need to pay off student loans. Tim Yardley, the Associate Director of Technology at the University of Illinois at Champaign-Urbana, told me he took a sizable pay cut for the reward in working in academia. But not every promising student will be willing to make that sacrifice.
Utilities need to think strategically by getting involved with students earlier than graduation to help build the rapport that may help sway graduates’ decisions on which offer to accept. Specifically, Yardley recommends that utilities include students in projects that leverage their (affordable) skills and offer the students a challenge. In one such case, a student developed an outage tracking system for a utility that mapped outages in Google Maps. This helped improve the utility’s predictive model based on a developed clustering algorithm developed by the student.
The promise of the future – including promising technologies that make up the Internet of Things (IoT)- will not be realized just by innovation in networking, miniaturization and communications. We will also need to shoe up and improve the critical infrastructure upon which the Internet of Things depends. That responsibility rests on all of our shoulders, and it is in our best interest to act. If we do not, then we will not just lose an economic opportunity, but will also put ourselves at risk.