Cybersecurity pros are in high demand, but who will fill the roles?

The next decade is expected to spur more technological progress than experienced over the past century.

A survey conducted in preparation for the development of The Right Place's 10-Year Tech Strategy outlines how important technology is to companies in the Midwest — and what needs to be done to meet that demand.

The Right Place's vision is for Greater Grand Rapids to become a major tech hub in the Midwest, "growing the tech sector to 10% of regional employment."

Meeting that goal will require 20,000 new tech jobs over the next 10 years, according to the survey.

"Researchers estimate the global shortage of tech talent will reach 4.3 million people by 2030," the survey reports. "Sophisticated tech workers comprise some of the most sought-after talent in the world today. Demand for these workers has created a global shortage of tech talent and the demand is projected to grow exponentially as companies undergo rapid digital transformation in coming years."
Demand for tech talent in West Michigan is forecast to grow across four industry sectors — cybersecurity, artificial intelligence, cloud-based computing and machine learning.

Of those, cybersecurity holds the biggest economic impact for small and large businesses alike.

Why cybersecurity is important

The fact is, it's not a matter of if, but when a cybersecurity breach will occur.

Scott Pierce, senior IT and cybersecurity consultant for Applied Innovation, has been focused on the ever-evolving cybersecurity industry for close to a decade. He has helped build and develop cybersecurity platforms for entire companies in alignment with strict National Institute of Standards and Technology (NIST) evaluation assessments. Now he works in cyber insurance, helping $10-million-a-year to $20-billion-a-year companies "check all the boxes that need to be checked."

On a regular basis, Pierce's job involves calls with the FBI and local police departments about dealing with serious cyberattacks, like ransomware. From those experiences, he takes a realistic outlook toward the importance of cybersecurity.

"It's gonna get worse before it gets any better," he says. "The cyber attackers and the hackers out there. They're gonna come at you and you're gonna get in a situation where you better have a plan in place, or your business might not be around in the next few days."
Hungerford Technologies President Matt Clarin also supports the security needs of small businesses. He often works with organizations that once considered themselves too small to fall into the sights of malicious hackers.

One minuscule error is all it takes to prove otherwise, and Clarin points out that humans are typically the weakest point in a cyber defense. Email spoofing software that allows scammers to impersonate others is easily accessible on the Internet and is an effective tool in email phishing scams.

"They're just sending it out to everyone," Clarin says. "Thousands and thousands of people at a time and whoever clicks is the person they go after."

The potential ramifications depend on what an organization has on its network. It could be sensitive information containing customer, patient or financial data. Or it could be personnel data a bad actor could then use for social engineering.

"They know who the owner is and who the finance person is," Clarin says. "They impersonate the owner and then ask the finance person to transfer money or make it look like they're one of the customers or one of the vendors."
This is one of the most common cyber threats businesses face, and the result is often losses in the hundreds to hundreds of thousands of dollars.

"You can't just get away with having a firewall, antivirus and some good backups," Pierce says. "Ten years ago that was fine. This day and age, it's excelled way past that. I see it at least weekly with organizations that say 'Hey, Scott, remember how you told us we should be doing this? We didn't, and now we're in a sticky spot. What do we do next?'"

What can be done

Cybersecurity threats are the biggest single issue facing organizations and consumers today, according to Chad R. Paalman, CEO of NuWave Technology Partners.

Despite messages of doom and gloom, there are steps individuals and organizations can take to strengthen their cyber-resiliency. But it takes effort.

Business owners are likely familiar with flood, fire and disability insurance, among other precautionary protections. Cyber insurance is now just as critical, especially for smaller businesses that don't already have strong security infrastructure.

"The data is really what the threat actors and bad guys are after; personal information, protected health information, all of this data has value," Paalman says.

Cyber insurance helps businesses recover if their data is stolen and sold on the dark web, or to mitigate ransomware attacks that can completely disable a company's network. These attacks are also becoming more common.

"Make sure you start planning for when, not if," Paalman says.

You may recall practicing fire drills, hurricane drills, or even bomb drills in elementary school. These measures have become standard practice in public schools. Many businesses are built without similar precautions in place to protect them in the case of a cyberattack, a gap that an Incident Response Plan (IRP) can fill.

"Most business leaders don't know who to call in a cybersecurity event," Paalman says.

According to Paalman, a good response plan explains what a team is going to do in the event of a cyberattack, along with exercises to practice that IRP before it is an emergency. The plan also includes the names and contact information of people who can help.

"Call your attorney first, and then call your insurance agent," he says. "Then contact your IT person, whether they are internal or external."

A fourth important role to cover in any cybersecurity event is someone who can communicate safety measures and next steps with customers, users, staff members and other stakeholders, Paalman adds.

In-demand talent that can help

At least 78% of the 100 companies surveyed for The Right Place's 2021 Regional Employer Tech Survey identified technology as "highly important" to their strategy in the coming years, while 72% plan to increase their tech hiring needs in the next five years.

In high demand is everyone from the IT generalist with the know-how to help users connect to the network and address basic data and support issues, to more highly skilled professionals working at the network level to implement cybersecurity protections. Penetration testers and "red teams," ethical hacking organizations that come in and test the network as a third party, will also be increasingly important.

Over the next three years, regional businesses, nonprofits, universities and many other organizations will require half a million people with some type of cybersecurity background. Today there are about 150,000 people available for hire in the near future.

"That's disconcerting," Pierce says.

There are many students interested in technology, but not all of them see cybersecurity in their career plans.

Working with Jen Wangler, vice president of technology at The Right Place, and other stakeholders, Pierce has been developing ways to get young people excited about the cybersecurity field and how they can help businesses better protect themselves. The Right Place’s strategy centers on creating a Midwest tech hub, driving economic growth and spurring advancement and prosperity for the surrounding region.

"These thriving communities drive higher economic output, retain and attract greater numbers of highly educated individuals, and provide increased wages," The Right Place Survey states. "The result is a robust region where people have many opportunities to pursue an improved quality of life."

Available resources and training

Cybersecurity is a broad subject, arguably too much so to fit into a single course curriculum. Computer science and engineering classes can provide a substantial foundation for a cybersecurity career, but even more important is an understanding of the compliance standards and regulations that shape cybersecurity policy.

Here are several organizations/certifications/etc. that have become industry standards for protecting organizations and their stakeholders:
"If you're not compliant, HIPAA compliant, FINRA, NIST, CMMC, or anything else, you can't do business with certain organizations anymore," Pierce says. "If you don't have that golden ticket saying you've audited yourself and you audit yourself every six to 12 months, then we can't do business with you anymore."

To address these requirements, businesses need to get individuals on board who are certified in the necessary areas. And demand for that expertise is high.

"No one in this field will ever have a problem finding a job," Paalman says. "I have talked to some curriculum advisory boards for universities, and many of them say their students never have a problem, whether they find an interrelated position, one with a firm like mine, or an enterprise company. There's just so much opportunity out there."

Paalman points to three major connecting organizations with regard to the cybersecurity landscape — insurance companies, regulatory bodies and licensing organizations.

Insurance companies, likely feeling the sting of huge settlement payouts for cyber liability policies, now require a minimum level of cybersecurity protection, such as multi-factor authentication, endpoint detection and response, and other basic safeguards, in order to qualify for a cyber insurance policy. The certification offered by the Department of Defense, the Cybersecurity Maturity Model Certification (CMMC), creates the open market for the DoD's industrial base and the companies that can participate in that market. And licensure, long ignored in the cybersecurity industry, is steadily becoming more important as these best practices and standards emerge.

"In all 50 states, we require people who cut hair to have a barber's license," Paalman says. "However, IT firms still have no licensure or certification."

Replacing cyber worry with confidence

Optimism has little place in cybersecurity. The best cybersecurity plan is to plan for a breach from the beginning, Pierce says. Cyber threats target any and every organization that has data to steal, whether it be a hospital network, a rideshare company or a nonprofit organization.

"I just did a chat with a group of about 30 nonprofits, and I asked how many people have had a data breach or a ransomware situation in the past two years," Pierce says. "It was 85% of these nonprofits."

"Plan for the worst," Pierce says. "Have cyber insurance, and talk to your partners and vendors that you trust. Then you know your areas of risk and what can happen that can debilitate your business for days or weeks."

"The goal posts are moving," Clarin says. "We didn't have to do these things in the past, but that doesn't mean it's status quo. The bad guys are moving a lot faster than a lot of businesses are moving right now."

The experts concur — don’t put personal or professional protection off until it’s too late. If you don’t want attention from malicious hackers, seek guidance from these or other cybersecurity experts in the area, so you can prepare for if and when an attack occurs.

This series seeks to highlight tech organizations and employers throughout Greater Grand Rapids that are delivering innovative programs and addressing talent pipeline challenges and seeking to develop, attract and retain quality talent in West Michigan. This series is underwritten by The Right Place.

Matthew Russell is a writer and maker living in West Michigan. Matthew has more than 25 years of experience as a journalist for newspapers and magazines in the Midwest, has been published in two books about Grand Rapids history, and is currently improving his skills as an amateur apiarist while building a sustainable farm in West Michigan.