In the DMV, the future of cybersecurity is a people problem

In the spring of 1999, the smash hit “The Matrix,” one of the most popular hacking movies of all time, brought a rather important question to viewers: Who wouldn’t want to become a cybersecurity pro if you could, well, save the world?

But even Hollywood’s attempts to make cyber careers cool were not enough for one of DC’s largest tech industries. Today, cybersecurity is a field that’s becoming more and more important while simultaneously experiencing a huge need for talent.

For Sarbari Gupta, founder and CEO of Reston, Virginia cyber firm Electrosoft, engaging young people — especially women — is essential for the industry’s success

“That’s the place to start so that young people don’t feel like this is something out of their reach or not interesting enough,” Gupta told Technical.ly. “I mean, certainly, the movies have helped to kind of romanticize cybersecurity, but also makes it look difficult, which might be an off-putting thing for folks that are not naturally technically inclined.”

That intimidation factor might be steering people away from positions, which is becoming an increasingly urgent problem. Data from Robert Half Technology showed that about 51% of senior tech managers across the US believe that the security of IT systems and information is a top priority for 2022. Alongside that, 70% said that they plan to boost their security budget this year while 35% said cyber is an in-demand skill is a top skill in demand — even if 30% also said that security, privacy and compliance professionals are among the hardest to find.

Cyber’s national importance extends to the local tech scene. A CompTIA report found that cybersecurity and systems engineering are the second top jobs in the DMV, with about 37,000 jobs around. These figures underscore tech’s broader importance here, as the industry h constitutes about 11% of the area’s workforce.

As cybersecurity becomes more approachable every day, its future regional growth has yet to be seen. But one thing is for sure: In the DMV, cyber is here, and it’s not going away anytime soon.

What does DMV cyber look like?

Starting with the fact that the industry wasn’t even called cybersecurity a few decades ago (it was just called  “security”) and ending with the move to defensive cyber, it’s an industry that’s ever-growing and changing. The market only continues to grow as cyber continues creeping into more aspects of everyday life, according to John DeSimone, president of cybersecurity, intelligence and services at Raytheon Intelligence and Space.

DeSimone, who works out of the company’s Dulles, Virginia location, said that the local cybersecurity industry has taken a more holistic approach over the last few years. That process involves building out both the defensive and offensive sides and exploring how those two ideas can work together.

“Cyber is one of those very interesting fields because it’s a vertical business, and it’s also horizontal,” DeSimone said. “So, things pop up and there are things that we start to label ‘cyber’ in different types of applications that we’re never thought of with cyber before.”

In the DMV, it’s an industry that has not suffered from a lack of attention. DC’s 2022 draft budget put $15 million towards the district’s “cyber hygiene,” which largely requires implementing a significant risk mitigation framework. Nationally, last year’s Infrastructure Investment and Jobs Act allotted each state millions of dollars for cyber protection.

Still, it’s an industry with issues, like any. At the moment, one of its top industry-wide priorities is the growing need for talent.

“To get more young people interested in this, to build that cyber workforce from the ground up, I think that’s something [that] is desperately needed,” Gupta said. “Because more and more, as we’re getting to be an internet-based economy, we need more people involved in technical realms that are trained in technical realms.”

Kevin Hanes, CEO of cybersecurity training company Cybrary, agreed that talent is a top problem that local cybersecurity leaders are itching to solve.

“If you think about what would be the best risk mitigation for the next dollar that you spent in cybersecurity, where would that be?” Hanes told Technical.ly earlier this month. “In the past, I would have said maybe prevention, maybe detection, maybe mitigation. I would say now — and I think a lot of people would say — scaling up my team, getting a team and scaling it up, which is good.”

Raytheon, too, is feeling the pressure to not only find but retain top local talent while keeping an eye on players like Google and Amazon growing their local outposts. Raytheon is looking to add nearly 1,500 engineers and cyber professionals this year alone.

“We have got to make sure that we’re retaining the talent we have, giving them all the best benefits we can possibly provide them, providing them really cool missions to work on and a great environment to actually do it in,” DeSimone said. “And then, in the same token, we’ve got to be able to train these resources that are maybe not ready to jump on those missions but are close, giving them that last-mile training.”

These qualities and more make it a good time to watch cyber. The industry is experiencing a practically never-before-seen demand as the urge for protection from attacks, the technology’s capacity and an ever-important emphasis on sectoral inclusion grow every day.

Lonye Ford, CEO of DC-based cyber startup Arlo Solutions, said that she’s eager to see this growth pan out.

“From a workforce perspective, from a technology perspective, I think some beautiful things are going on,” Ford said. “I think I’m excited about where we’re going because applications, tools and those types of things are being developed at a speed that we never even imagined. Things that we’re doing now, we hadn’t imagined in our wildest dreams, and I’m sure that’s going to be the same 10 years from now.”

Cyber and the government

While the DC area is quick to separate itself from the goings-on of the federal government, regional cyber is an industry that’s intrinsically attached to federal agencies like the Department of Defense. Gupta described it as a field focused on doing what the government needs, oftentimes encapsulated in mandates from research and development agencies or the White House, and tracking the policies, standards and guidelines as they’re released — for instance, this recent zero trust architecture move.

“Many times, as cyber industry professionals, we keep doing some of the same things because that’s been proven,” Gupta said about working in the more-established government pathways. “However, if I were to think out of the box in terms of the industry, it would be really advantageous if the industry players, including ourselves, try to come up with creative new ways to get to the end goals for cybersecurity, which is addressing cyber-related risks.”

For startups, it can be difficult to break into the government tech ecosystem, especially as they compete for those customers with tech giants like Microsoft and Google. On top of breaking into the game, they also need to keep up with talent and the flashy perks larger employers can offer. Ford said that Arlo handles this by viewing larger tech companies as clients, just like she sees the federal government. This way, the startup can work with the larger companies to either suss out a possibly smaller part of a contract or collaborate on bigger projects.

“It is competitive, but with the larger companies, [generally] what we do is say, ‘Hey, large company, this is a win-win. You have this large contract, this is the piece that Arlo can do,’” Ford explained.

But even if startups really want government contracts, some say that, akin to a bad breakup feeding personal growth, the industry needs to take a step back from the government to truly thrive. John Wood, CEO of NoVa cyber company Telos, said that the region’s proximity to the government both benefits and hinders it. Being able to deliver something to the market that’s unique and different means moving at a faster pace than the government can (although he noted that when the government wants to move fast, it certainly is able to).

“If you’re trying to build an ecosystem that’s nimble, you’ve got to be able to wean yourself off of the reliance on that huge customer base that sits out there, just right outside our doors,” Wood said.

The automation game

The need for cyber professionals, according to Gupta, is only going to grow. She still expects a talent shortage even five years from now. Meanwhile, as more and more operations move to the cloud, security needs will increase as the potential for attacks grows. For some, the obvious solution is embracing automation in the cyber industry. Automating jobs, or switching tasks from humans to devices and systems, might even have the potential to lower costs while improving quality and (somewhat) lowering the need for new talent.

“More and more young people will study to get into this field or get into jobs where they get trained to be cyber analysts and engineers,” Gupta said. “However, the demand is going to continue to skyrocket because as more and more things are connected to the internet and connected with one another, there’re only going to be more threats, more types of attacks.”

There’s even a spot for quantum to function here. Technologists like Eric Hay, the director of field engineering at Bethesda, Maryland quantum company Quantum Xchange, are figuring out how quantum can be used in cybersecurity. Currently, the company is using quantum random number generators to produce numbers so random that even a quantum computer would struggle to break them. The process involves using an algorithm alongside another method called “quantum key distribution” to make systems more secure.

“This is a good place for quantum because it’s a very specialized skill set,” Hay said. “Communities build technologies, and when you have a quantum community growing here, that’s only going to continue to grow and attract more people.”

For Ford, though, finding space for automation to help the talent craze isn’t an end-all, be-all solution. She sees people as the foundation of cybersecurity, which makes continually refreshing the technology without keeping up with the talent a risky prospect. Moreover, the automation tech needs frequent maintenance and adjustment according to clients’ needs, she said.

“When I have the opportunity, I like to focus on the people. They are the foundation,” Ford said. “And what I’m seeing in the industry is that we’re skipping that part. We want to throw a new tool at every problem that we have, but if you don’t have the right people that can manage it, that can configure it, that can secure it, you have an insecure tool that may not even be interoperable.”

DeSimone is also pursuing a more human-focused approach. He’d like to see a move towards adding cyber training to all jobs, instead of training cyber professionals to meet the requirements of all the industries that need it.

“If we can get cybersecurity training in all aspects so that there’s some fundamental knowledge in a lot of the roles that are out there, that may hopefully take a little bit of the heat and pressure off people getting recruited very specifically for cyber-related activities,” DeSimone said.