Hacking the Cybersecurity Demand Curve

The daily drumbeat of cyber crime appears to have no boundaries. Recent testimony to the Senate Finance Committee revealed that hackers compromised up to 100,000 FAFSA (Free Application for Federal Student Aid) applicants, leading to the suspension of the online tool last month. A February 2017 attack on more than 60 universities by a Russian hacker known as Rasputin came on the heels of assaults on a wide range of institutions from the United States Postal Regulatory Commission to the Rhode Island Department of Education. Of course, these examples don’t even include the events of the 2016 political season. As terms such as “password hashing” and the “fuzzy hack” enter our lexicon, both established institutions and non-traditional training providers are rapidly attempting to respond to one of the greatest employment and skills gap of recent memory. Currently, the Bureau of Labor Statistics (BLS) reports that 209,000 cybersecurity jobs remained unfilled; recent forecasts suggest there could be 1.5 million cybersecurity vacancies worldwide by 2019. Additionally, a recent analysis of job posting frequencies by Economic Modeling Specialists International (EMSI) revealed an 18% increase in cybersecurity analyst jobs since 2011 , distributed among more than 31,000 companies in the U.S. alone. From 2016 to 2017, there were more than 32,000 unique U.S. job postings added each month. While some observers hail cybersecurity as the next great enrollment gold rush, there is less clarity about the contours of this discipline and how schools and other providers can effectively respond to this demand. Beyond simply recognizing the growing demand for cybersecurity professionals, it’s critical to note that there’s a broad spectrum of roles, skills, and technical requirements within the umbrella of “cybersecurity.” The field, and its growing employment demand, is best understood as a range of discreet yet interconnected functions, including risk assessment, data monitoring, system scanning, and responding to actual attacks. These skills tap into many academic disciplines, such as business strategy, engineering, and criminology, requiring a blend of both technical expertise and industry-specific domain knowledge. Recent studies estimate that more than 80% of cybersecurity job openings require at least three years of experience plus a bachelor’s degree, and more than a third of these openings will require an industry-validated certification. These requirements suggest that the widest part of the cybersecurity enrollment funnel will be mid-career adult learners seeking to sharpen their employment opportunities. Eduventures’ own analysis indicates that, between 2011 and 2015, graduate conferrals have grown by 39% while undergraduate conferrals have grown 21%. Hacking the Cybersecurity Demand Curve

Although there are more cybersecurity bachelor’s degrees granted each year, the average number of conferrals per provider trends higher at the graduate level. Fewer graduate providers granting more degrees suggest slightly less competition for schools entering this market for the first time. The uptick in cybersecurity job demand is not only about volume, but also about diversification. As cybercrime spreads, organizations of all sizes and types have to rethink their infrastructure and personnel needs. Both the complexities of the cybersecurity field and recent enrollment dynamics pose a number of considerations for schools either expanding existing cybersecurity programs or seeking to enter the field for the first time:

Hack #1 Anchor Cybersecurity Skills Within Industry-Specific Domain Expertise.

A recent study reported that between 2010 and 2014, postings for cybersecurity vacancies increased 137% in financial services and insurance companies, 121% in health care, and 89% in retail trade. Cybersecurity programs embedded within professional schools (e.g., business and healthcare) will provide the greatest value to the broadest range of applicants, especially among those seeking graduate degrees to supplement existing software skills. As cloud-based systems and applications have proliferated, so too have the ways in which businesses can be disrupted by cybercrime. Consequently, there’s an acute shortage of mid-level managers with an operational grounding in cybersecurity, as well as front-line cybersecurity professionals immersed in the business operations that they are supposed to protect.

Hack #2 Design Stackable Certificates Alongside Degree Pathways.

The cybersecurity employment pipeline easily lends itself to stackable certificate opportunities. A 2014 study by the Ponemon Institute (Poneman), a security and privacy research firm, reported that although many cybersecurity degrees tended to be at the master’s and doctorate level, career changers will likely opt for a progressive series of stackable certificates offered in shorter chunks and at considerably lower prices. Notably, several institutions are playing in this space. Georgia Tech’s Professional Education division offers more than 15 distinct certificate-granting courses—disaggregated from its existing graduate degree programs—condensed into multi-day, on-site formats, and priced at less than $2,000 per course. The University of Texas at San Antonio (UTSA), a top-ranked cybersecurity institution, is partnering with the University of Texas System’s Institute for Transformational Learning to offer a series of competitively priced micro- and nano-certificate offerings derived from existing courses in a variety of blended bachelor’s and Bachelor of Business Administration programs.

Hack #3 Go Beyond Conventional Education and Training.

Cybersecurity education is anything but new. A sizable cottage industry of traditional for-profit training programs exists, addressing industry-mandated certifications and mandatory government security clearance. A mid-career cybersecurity professional can choose from any number of industry-sanctioned, short form, exam-prep courses, often offered locally. While some provide innovative learning opportunities, the lion’s share of these programs offer traditional stand-and-deliver, in-person, or video-based lectures. Prices run from about $2,500 for two or three days, to as high as $10,000 for a week of lectures and exam preparation. In contrast, institutions with existing faculty expertise, coupled with innovative program design capabilities, are exploring simulated environments, real-world scenarios, and gaming models to differentiate from more basic training. This approach is best exemplified by the University of Maryland University College’s (UMUC) Cybersecurity Center, which has leveraged significant federal investments to build a regional presence.

Is there a Cybersecurity Program in Your School’s Future?

To respond to cybersecurity demand, schools need to carefully design programs that not only meet it, but also effectively leverage their existing strengths and capabilities. Keep in mind that enrollment data reveals that nearly all of the five largest bachelor’s and master’s level programs are delivered through online or blended formats. These include both for-profit online schools such as Capella University and the University of Phoenix, as well as proven non-profit, online providers such as UMUC and Western Governor’s University. By the same token, however, there are factors beyond size that may determine whether a cybersecurity program is successful. Curiously, only Carnegie Mellon University’s program ranked among the top 10 in terms of quality, with a high (4%) market share of master’s conferrals, in Ponemon’s 2014 survey of 49,000 information security professionals. For many institutions, hacking the cybersecurity demand curve is not about “if,” but rather about “how.” Significant private sector investments and support from the Department of Homeland Security may help continue the flow of federal dollars into research and education. Perhaps the most critical ingredient will be a school’s ability to precisely understand its target student population, and then design programs that meet its increasingly specific needs. Although the likes of Elliot Alderson—the cybersecurity engineer-turned-hacktivist lead character of the dystopian Mr. Robot series—may not be enrolling in a cybersecurity graduate program at his local university, it’s a safe bet that there will continue to be a deep pool of qualified applicants.