Cybersecurity pros in high demand as hacking attacks soar | Business

Growing up, Kayne Whitney wanted to be a cop like his dad. Now 21, he’s preparing for a different kind of career of fighting crime and keeping people safe — from behind a keyboard.  

As a cybersecurity student at Madison College, he learned how to hack computer systems to find weaknesses to be fixed, and how to guard personal data against such threats. He’ll graduate this month and transfer to the cybersecurity program at the University of Wisconsin-Stout, setting him on track to fight the country’s fastest-growing crime, identity theft, in one of the country’s fastest-growing jobs.   

“You’re protecting all these assets and people’s lives and their money and their information,” said Whitney, who’s worked as a part-time cybersecurity intern for the Wisconsin Department of Administration for two years. “There’s a big weight on that. … It’s an incredibly important job.” 

The skills Whitney is learning are in high demand in Wisconsin and around the country, as the number and cost of security breaches surge. American Family Insurance, Kwik Trip, Johnson Controls, SSM Health, UW Health and Group Health Cooperative are just a fraction of the Wisconsin companies that have been hacked in the last year. Some of those incidents exposed the personal information of hundreds of thousands of people. Others paralyzed computer systems while hackers attempted to extort a ransom. Just last week, a ransomware attack at Ascension took medical records offline and forced the health system to divert ambulances from some of its 140 hospitals, the Associated Press reported.  

Nationally, 3,205 data breaches were reported in 2023, topping the previous record by 72% and revealing the personal data of more than 353 million people, according to the Identity Theft Resource Center. The average cost of a single incident is nearly $4.5 million, computer company IBM found. Globally, cybercrime costs around $9.5 trillion a year, according to industry researcher Cybersecurity Ventures. 

Hackers aren’t just looking for credit card information or Social Security numbers. In the era of electronic health records, they can also access patients’ medical data, using it to buy medical equipment, file false insurance claims or even apply for health insurance.  

While preventing and responding to hacking used to be on a long list of responsibilities handled by all-purpose IT staff, as the threats have grown, it’s increasingly become its own job, and there aren’t enough workers to do it.  

Estimates of just how many workers are needed vary widely. According to the federal Bureau of Labor Statistics, the specific role of information security analyst is the fifth-fastest growing job in the country. The agency estimates the ranks will grow by nearly a third from 2022 to 2032, with 53,000 more analysts expected to join. A 2023 report from Cybersecurity Ventures, meanwhile, estimated that across all cybersecurity roles there are more than 750,000 unfilled jobs in the U.S. and 3.5 million worldwide.  

With a median salary of just over $120,000, it’s lucrative work, but hiring managers say the pay alone won’t draw the right workers for jobs that require technical know-how, a love of computers and a strong moral compass. What will it take to fill the gap, and what’s at stake if we don’t? 

When Mike Masino came to Madison College 20 years ago to direct the school’s new cybersecurity major, cybercrime seemed to be surging. Back then, he said, a big breach would make headlines every six months or so.  

Now, he said, it’s more like every week, in part because experts have gotten better at detecting attacks. “They’re like background noise now. You don’t even hear about them unless they’re unbelievably severe.” 

The Cap Times contacted several major Madison-area employers, including Epic Systems, Exact Sciences, TDS, UnityPoint Health, UW Health and WPS Health Solutions to ask how they’re meeting their cybersecurity needs. Some did not respond. Others declined to comment, citing security concerns. “We generally avoid the topic so as not to endanger security,” one spokesperson said. Only UW Health agreed to answer questions. 

Meanwhile, new technologies like artificial intelligence will give cybercriminals new frontiers, said University of Wisconsin-Madison computer science professor Somesh Jha, who specializes in security. While machine learning tools can be used to automate some parts of the cybersecurity process, they also offer bad actors new ways to wreak havoc, like, for example, interfering with self-driving cars. 

“There have been attacks shown where (one) can put a sticker on a stop sign and object recognition says it’s a speed limit sign. There are attacks like where GPT, prompted with some specific prompts, starts regurgitating the data which it was trained on, which might have sensitive stuff in it. So there are new threats that come out because of these new technologies,” Jha said. 

Recognizing the growing risks, many insurers and regulators now insist that companies prove they’re protecting their own systems. “We’re seeing the requirement for cybersecurity in businesses drastically increase,” said Casey Cammilleri, founder and CEO of the Madison-based startup Sprocket Security. To meet those requirements, companies increasingly outsource some or all of their cybersecurity work to businesses like his rather than hiring hard-to-find security experts. 

For positions that require technical expertise, the competition is so stiff that just posting a job listing often isn’t enough, especially for smaller businesses without name recognition, said Scott Holewinski, who founded the Madison-based cybersecurity company Tetra Defense in 2017. When his startup team had just over a dozen people, he hired a “head of talent acquisition” to work almost like a salesperson, doing constant outreach to potential recruits.  

“It was just abundantly clear that it was a talent war, and the folks who could acquire the best talent would win,” Holewinski said.  

His company grew to a staff of 150 across more than 30 states before Tetra Defense was acquired by Minneapolis-based Arctic Wolf in 2022. At Arctic Wolf, where Holewinski is a senior vice president, he said they’re usually hiring for 50 openings at any given time. 

The federal estimate that the country will add 53,000 new information security analysts by 2032 is likely conservative, he said, given that the worldwide industry is estimated to be short more than 3 million workers.  

“Whatever the number is, I don’t see it getting closed overnight, but I feel like we’re making progress in the right direction,” Holewinski said. 

Cammilleri, meanwhile, plans to double his 25-person team by the end of the year, thanks to $8 million in seed funding for expanding the business. Though Sprocket uses automation to test clients’ systems for vulnerabilities around the clock, it also depends on human testers.  

He’s already bracing for the hiring challenge. Still, he said, Madison has a lot of good candidates, both industry veterans and newcomers. The company can also try to draw workers who’ve lost jobs in the layoffs that have swept tech companies elsewhere. “We’re able to capture a lot of good talent that, unfortunately, is being benched right now because of other rifts that are happening,” Cammilleri said. 

At Madison College, students like Whitney are lining up for those jobs. Several years ago, the cybersecurity major had a waitlist of more than 100 students, who were sometimes waiting a year or more to get into classes. In 2021, the program moved to a larger space and hired more teachers, raising its capacity from 60 to 140 students. Today, the program enrolls all who qualify. 

Still, not all of them are looking to work specifically in cybersecurity. Connor Williams, 21, enrolled in the cybersecurity program after completing the college’s program in systems administration. He’s hoping to one day work as a supervisor of a help desk, but he thinks security skills will improve his resume.  

“I really just wanted it for … the buzzword,” Williams said. “It looks really good when you’re applying to a job to have system administration (and) cybersecurity alongside each other.”  

Plus, he figures, everyone in IT should know something about these threats. “I’ve learned a little bit more about how security should be done … and what kind of attacks I should expect, as a system administrator, to defend against or at least set up infrastructure to defend against.” 

At UW-Madison, computer science is the most popular major on campus. Its 2,840 undergrads make up more than 8% of the school’s student body. But most of those students are more interested in building artificial intelligence tools than protecting computer systems, Jha said. 

“The reality is that people who do have very good cybersecurity backgrounds get jobs like this,” he said, snapping his fingers. “But it’s not as fashionable as something like machine learning or AI.” Those classes, he said, fill up within a day. “It’s not the same thing with security. It should be.” 

Jha thinks schools like his need to do a better job of educating students about the value of the field. “The benefits of cybersecurity are a little bit hidden. … There’sa very famous quote inside cybersecurity that it’s a little bit like life insurance: ‘I have life insurance, but I didn’t die even once today.’” 

Students can get jobs in this field without leaving the state, he said, recalling a phone call he got last year from someone at UW Health, asking if he knew anyone who should apply for an open security job.  

“They had a privacy security officer (position) open. He said it was open for a long time, and they’re just not getting good applicants,” Jha said. 

But in addition to trying to attract new students, he said, educational institutions like his need to make sure they’re teaching students to guard against the latest threats, even in classes focused on artificial intelligence. “The challenge has been … how do you keep adapting the cybersecurity curriculum?”  

Four years ago, he started a class on “trustworthy machine learning,” the discipline focused on anticipating the security and privacy risks that could come with artificial intelligence tools. For now, it’s just for graduate students, but he’d like to create a version for undergrads, too.  

In 2020, UW-Madison launched two more cybersecurity training programs. The non-credit Cybersecurity Bootcamp is designed to help people prepare for careers in less than a year, with no prior experience necessary. Students begin with a four-week introductory course that costs $180. To complete all 11 courses costs about $18,000. For those who’ve already earned a bachelor’s degree, UW Extended Campus added a cybersecurity master’s degree. The all-online program, a collaboration of eight campuses, consists of 12 courses with a total tuition of around $29,000. 

Meanwhile, an hour’s drive to the west, Southwest Wisconsin Technical College in Fennimore began offering a technical diploma in cybersecurity and network administration last fall. 

The cybersecurity talent pool might get larger if the industry can diversify. The current U.S. workforce is predominantly white and male, with just one woman for every three men, according to a 2021 report from the Aspen Institute. Black, Hispanic and Native American people, who make up 34% of the U.S. population, make up just 14% of the industry.  

Representation in the field is especially important because people of color are more likely to suffer the consequences of data theft, said Christina Outlay, who spent decades working and teaching in the IT field. Those who are low-income, a group that disproportionately includes people of color, are less likely to know what to do if they get a notice that their data may have been compromised, or to be able to get to their bank during the workday if suspicious activity freezes their account, Outlay said. 

“We’re interacting with security and security measures and risks every day, all day. All of us are,” Outlay said. “The more diverse the field can become, the better.” 

But while one doesn’t necessarily need a degree to do cybersecurity work, Outlay said it can be difficult to get even an entry-level position without a bachelor’s or master’s degree. That keeps many women and Black and brown people from joining the field, especially as college costs rise and trades that don’t require a four-year degree become more attractive. 

Today, Outlay works to diversify the ranks of a variety of tech and science fields as executive director of the Madison nonprofit Maydm, which offers workshops, afterschool programs and summer immersive courses to prepare girls and youth of color for careers in science, technology, engineering and math. The organization’s summer internship program, now in its fourth year, places high schoolers in paid positions at local companies. Of this year’s 26 interns, eight are in IT roles and one is likely to do some cybersecurity work.  

But when the summer ends, those positions do too, and Outlay said students sometimes struggle to find a job or college internship in their field afterward. 

The answer, she thinks, is for companies to throw out the welcome mat and invest in growing their workforce, perhaps by hiring people with less experience and training them on the job, or by helping current or potential workers pay for school.  

“The stakes are high for those who work in cybersecurity, so you’re not just going to pull someone off the street and say, ‘Here, maintain these secure systems.’ But there has to be some type of an entry into the field, just as there is for a painter’s apprentice or carpentry apprentice or something similar where we can make it available for more of our youth.” 

It’s not so different from how she got started in IT in the late 1990s. When she graduated with a psychology degree from DePaul University, State Farm Insurance was recruiting non-computer science graduates with relevant skills and training them to be programmers. Looking back, she thinks the initiative was probably born out of “desperation.” With Y2K on the horizon, the company needed workers to rewrite its old code fast.  

“Doesn’t that sound so much like what we’re hearing now? ‘How can we get more workers? There aren’t enough.’ How can we think creatively about how to go out and bring in those who have the aptitude, the ability and the interest, and then train them ourselves and pay them as we do it?” Outlay said. “I think that that is an innovative approach that we should bring back.” 

Despite the growing demand for cybersecurity workers, those who most want to grow the ranks want to make one thing clear: This job isn’t for everyone. As more people hear about the cybersecurity boom, Masino said some come to the Madison College program without really understanding what the job is like. “I’ve talked to people who just don’t like working on computers,” Masino said.  

In addition to enjoying screens, prospective security professionals should love puzzles and expect to keep learning long after they finish school, since cybercriminals are constantly finding new ways to exploit vulnerabilities in computer systems, Masino said. “It’s a constantly evolving and changing field. It wouldn’t be a field where you could just say, ‘OK, I’m done. I learned everything.’” 

UW Health chief information security officer Trevor Martin agrees. “We never have a shortage of (job) applicants. The question really is, are we finding the people that are applying for the right reasons?” he said.  

“When somebody says, ‘Well, I’ve seen that cybersecurity happens to pay a lot of money. I would like a job that pays a lot of money,’ I also want to make sure that they understand … what this field is.” 

Specifically, Martin wants to be sure they know just how high the stakes can be. “Health care data is still one of the most valuable records out there on the dark web these days,” he said. In March, UW Health announced that an employee’s email account had been hacked, potentially exposing the personal and health information of an undisclosed number of patients.  

Meanwhile, a massive February attack at UnitedHealth subsidiary Change Healthcare reminds Martin of the risks of letting one’s guard down. Earlier this month, he watched footage of members of Congress grilling UnitedHealth CEO Andrew Witty, who oversees the country’s largest insurer, about the ransomware incident that disrupted medical claims across the country and may have exposed the data of one-third of Americans. Hackers breached a Change Healthcare server that did not require multifactor authentication, Witty told senators. UnitedHealth ultimately paid $22 million in ransom and now faces multiple class action lawsuits. 

In other cases, Martin said, a cyberattack could be deadly. “It’s not a matter of if, it’s a matter of when a major ransomware event could hit our organization and bring our (operating room) capabilities down or ICU capabilities down,” Martin said, noting that even heating and cooling systems rely on computers these days. An attack that changes the humidity of a carefully controlled operating room, for example, could force hospital staff to cancel some or all surgeries.  

It’s his department’s job to do “everything we can to prevent that,” Martin said. “It’s very important … that we have a process to bring us back up to speed as quickly and as efficiently as we can.” 

When choosing people to do that work, Martin said, character is sometimes more important than technical expertise. “It’s much easier for me to hire somebody that I know I can trust, somebody that I know is going to do right by the organization and by their team, (who) I can train the rest of the way in terms of their aptitude. It’svery difficult to do that the other way around.” 

He regularly fields questions from friends or acquaintances whose kids are considering going into cybersecurity. It’s stressful work, he warns them, and there’s little attention to the toll it takes on analysts’ mental health.  

“We’re the only line of defense between a threat actor and patient information or potentially, a patient-care-impacting event. That burden, that responsibility is a lot for folks to carry and … that can be more than some people can take.”