Cybersecurity workforce shortage

CREATES GOLDEN CAREER OPPORTUNITIES

As demand increasingly outstrips the supply of cybersecurity workers, UIUC preps people to fill the need.

The world is rushing into an increasingly automated future—and cybersecurity risks are rising accordingly. Alarmingly, there’s an enormous gap between the number of cybersecurity professionals needed to protect our systems and data, and the all-too-small pool of professionals who exist to fill that need.

 

HOW BIG IS THE GAP?

Today, in the U.S., about 1.1 million people are employed in cybersecurity jobs—while over 660,000 cybersecurity jobs stand empty. The global situation is even more dire: a 2022 study estimated the global cybersecurity workforce at 4.7 million workers, with another 3.4 million jobs remaining open.

The workforce shortage offers a unique opportunity for well-prepared students to launch lucrative careers upon graduation. UIUC faculty and staff have therefore been pursuing a myriad of initiatives to help students learn about, and ramp up towards, successful careers in cybersecurity—and also to help existing professionals update their knowledge and skills.

Cybersecurity Opportunities for UIUC Students

The core of UIUC’s cybersecurity educational efforts is a broad array of course offerings—but UIUC also offers a range of other scholarly, extracurricular, and research opportunities. As Information Trust Institute (ITI) senior associate director Dominic Saebeler puts it, “We are trying to educate students about the breadth of opportunities that exist while also providing opportunities for them to pursue practical skills that will encourage employers to invest in them.” 

Over the last few semesters, UIUC has offered over 50 different security-related technical classes, ranging from frequently taught, large-enrollment courses to occasional “special topics” courses in which faculty present the latest hot-topic work in their areas of expertise. 

While those technical courses are mostly in Computer Science (CS) and Electrical & Computer Engineering (ECE), dozens of non-technical security-related classes are also offered across campus. Lack of adequate “soft skills” is often cited by employers as a weakness of new cybersecurity graduates, whose knowledge tends to be narrowly technical. In units ranging from Global Studies to Information Sciences to Business Administration and beyond, UIUC students have opportunities to explore everything from technology ethics to data privacy to terrorism. 

Further, UIUC’s course offerings are continually revised to reflect the evolving cybersecurity landscape. For example, the foundational CS 460/ECE 419 Security Laboratory course is being rebooted in Fall 2023 in dramatically overhauled form. According to Casey O’Brien, ITI’s assistant director for cyber defense education and training, the new course will take a bold, operations-oriented approach. “Based on provided design specifications, students will implement, administer, and troubleshoot real systems running real software,” he says. “It’s a classic engineering approach.” 

To help students develop CVs that stand out to future employers, ITI recently introduced a Certificate in Cybersecurity that undergraduates can earn while working towards their degrees. The Certificate requires completion of three cybersecurity-related courses plus a relevant extracurricular activity, and was designed to align with typical CS, ECE, or Information Sciences curricula. 

Another ITI offering is the NSF-supported Illinois Cyber Security Scholars Program (ICSSP), which awards generous scholarships to undergraduate and graduate students. In exchange for tuition and a significant stipend plus other benefits, students commit to working for 1–2 years in government security jobs post-graduation. 

“I think ICSSP is a great program because it really allows undergraduate students an opportunity to get into this field of study without having to spend any more years or money at the University,” says Masooda Bashir, ICSSP’s director and an associate professor of Information Sciences. 

In addition to the academic opportunities, at any given time, scores of security-related research projects are in progress, presenting undergraduate and graduate students with rich opportunities to get involved in hands-on work. 

Extracurricular activities are available as well. UIUC’s HackIllinois competition, for example, has grown to be one of the largest and most highly regarded hackathons in the U.S. SIGPwny, a student-run UIUC organization focused on information security, holds weekly seminars, and members engage in friendly competitions and cybersecurity research. UIUC also has a chapter of the national Women in Cybersecurity (WiCyS) organization; it hosts weekly meetings on topics of interest and presents cybersecurity-related games at UIUC’s annual Engineering Open House.

Helping Professionals Take It to the Next Level

On campus, ITI is the locus of outreach to current cybersecurity professionals. Multiple programs are already running or in development, and ITI plans to continue expanding its workforce outreach. An important example is the On-Ramp Cybersecurity Training Services Program, which is being pilot-tested by ITI’s Critical Infrastructure Resilience Institute (CIRI). CIRI’s executive director, Randy Sandone, who is also ITI’s associate director for infrastructure business development, describes On-Ramp as “a 21st-century adaptation of the land-grant mission.” For decades, UI Extension experts have gone out to Illinois farms to advise farmers on agricultural best practices, and soon On-Ramp teams will go out to organizations to “address the problem of cybersecurity best practices from the tactical, operational point of view within real-world cyber environments.”

On-Ramp Cybersecurity Training Services Program

“...address the problem of cybersecurity best practices from the tactical, operational point of view within real-world cyber environments.”

ITI’s Critical Infrastructure Resilience Institute (CIRI). CIRI’s executive director, Randy Sandone

An On-Ramp team will go to an organization and walk its employees through a national-standard cyber risk management process. The program will provide resources and train personnel to understand requirements, to assess the organization and its systems against those requirements, and to manage the activities necessary to bring them into conformance with national cybersecurity standards and best practices. 

In a separate effort, ITI will soon release three fee-based, online courses developed by Casey O’Brien that will offer current workers the same content presented in regular UIUC classes, but repackaged for the new audience. For example, one, starting in Spring 2024, will offer an equivalent of O’Brien’s new ENG 498 course, Foundations in Secure Networking for Cyber-Social Systems. “It’s really a secure networking course, but the unique spin on it is that cyber-social portion,” he says, meaning that the technical content is situated within the context of organizations and human factors. 

Another ITI effort is the NSA-funded Regional Coalition for Critical Infrastructure Protection, Education, and Practice (ReCIPE). Led by Iowa State University, ReCIPE is building a Midwestern regional coalition that will equip cybersecurity workers to better protect critical infrastructure. It is preparing to run training exercises that will use real electrical utility gear and address problems that electric co-ops actually face—an improvement over the standard approach of presenting exercises with generic equipment and scenarios. 

“Playing the Long Game”

One barrier to workforce expansion is lack of awareness among middle-school and high-school students who are starting to make choices that will shape their future careers.

Bashir pointed out the disconnect between the fantastic career opportunities in cybersecurity and student awareness, even among UIUC students. “A lot of students, when I talk to them, they’ve never heard of this field of study, and they don’t know that it’s even an option,” she says. “To me that means we need to do a better job of letting the next generation of students know about these topic areas, and how important they are.”

What’s the solution? As Saebeler puts it, “Playing the long game may be the best approach.” He suggests that not just universities, but even individual businesses could reach out directly to local schools to talk to K-12 students, “not just about what they do, but why what they do is important.”

UIUC efforts in youth outreach have been growing. For example, in the summers of 2022 and 2023, UIUC offered a RoboScape Cybersecurity Camp, which was a one-week residential camp for high-school students. Also in 2022, UIUC released DarkSky Investigations, a free online game aimed at middle schoolers. It provides an immersive environment in which players explore the cybersecurity of an energy delivery system.

Today, for young people interested in cybersecurity, the sky is the limit. The only challenge is to ensure that young people recognize that opportunity in time—and UIUC is making a difference. As Saebeler says, “We think that progress is being made and awareness is growing.”