By Steven Porter
Paul Petefish paced at the front of the room one recent evening, clicking through slides as he told about three dozen prospective students that they, too, could find work as cybersecurity professionals.
Petefish, a 33-year-old information technology consultant who’s climbed the ranks of Solutionary Inc. over the past decade, this year co-founded Evolve Security Academy at 1871, the entrepreneurial co-working studio inside Chicago’s Merchandise Mart.
He sported a crisp white dress shirt, blue jeans and polished brown Oxfords as he made his pitch on Dec. 9. “You always need people to run the tools no matter how smart the tools get.”
Demand for competent workers to serve as security analysts, engineers and consultants has swelled in recent years, outpacing the number of people qualified to do such work. So employers have taken to poaching talent from one another, Petefish said.
Andrew Hamilton, a financial analyst-turned-entrepreneur who co-founded the academy with Petefish, said employers’ being forced to poach qualified IT security employees is bad for business.
“That means the supply-demand is off whack. Now you’re over-paying salaries,” Hamilton said, describing the field as exhibiting “negative unemployment.”
The U.S. Bureau of Labor Statistics reported last year that employment of information security analysts — which Petefish regards as entry-level positions in his line of work — is expected to rise 37 percent by 2022. That’s more than double the growth predicted for computer occupations and more than three times the rate for all occupations.
Already, more than 209,000 cybersecurity positions nationwide are vacant, according to an analysis of BLS statistics conducted by Peninsula Press, a project of the Stanford University journalism program.
In military applications, cybersecurity is both defensive and offensive, and the U.S. isn’t alone in this arms race. North Korea began training “cyber warriors” in the early 1990s and now boasts 1,700 “highly skilled and specialized hackers,” Bloomberg Business reported late last month, citing South Korea’s Defense Security Command chief.
The threat of international conflict playing out in cyberspace raises concerns over American critical infrastructure, which is increasingly integrated with and dependent upon computer networks. The potential targets found in the nation’s transportation systems, alone — including pipelines, highways, mass transit, aviation and maritime traffic — demonstrate how broadly defensive measures must be employed, according to a report by the U.S. Department of Homeland Security soon after its establishment in 2003.
“The diversity and size of the transportation sector makes it vital to our economy and national security, including military mobilization and deployment,” the DHS report states, noting that interdependencies with “nearly every other sector of the economy” mean an attack on critical transportation infrastructure could have far-reaching ramifications.
Petefish, the IT security consultant, ranked aviation among the most obvious transportation systems a malicious hacker would target. “I think it’s a no-brainer when you look at potentially hacking into flight control stations, messing with the flights in the air,” he said. “I think that could be a massive attack.”
Hackers could try feeding false data into air traffic control systems or look for vulnerabilities built into commercial aircraft, Petefish said, noting he’s worked with airlines to ensure an attacker would be unable to gain control of sensitive information via the company’s wireless Internet connection.
Because territorial boundaries work differently in cyberspace than they do in air, land and sea (the domains in which nation-states have historically engaged one another in conflict), hackers abroad needn’t attack the U.S. government in order to attack America. Local governments have been targeted, including the Chicago suburb Naperville, which rebuilt its online network following a 2012 cyber attack.
The city spent about $760,000 to rebuild, with insurance covering about a quarter of the cost, the Naperville Sun reported in September. Although the suspected source of the attack hasn’t been publicly identified, the FBI suspects it originated overseas.
Linda LaCloche, the city’s communications manager, said a staff position for a network security engineer was added following the 2012 incident, following the recommendation of a consultant hired to help local leaders sort through the aftermath of the attack.
The position paid about $86,000 plus benefits last year, according to the city’s employee earnings report published on its new website.
“The challenge for most municipalities is that, obviously the IT field is very competitive, so municipalities don’t have the same salary ranges as the private sector,” LaCloche said.
Competition is fierce because cybersecurity professionals are in high demand and desperately needed in the business world, too, Petefish said: “You wouldn’t believe how far behind some companies are on cybersecurity.”
Some traditional academic institutions have begun responding to this increased demand. American University in Washington, D.C., for instance, launched the Kogod Cybersecurity Governance Center in October to conduct multidisciplinary research on best practices in preparing for and responding to increasingly common security breaches.
But the traditional halls of academia aren’t ideal for everyone, Petefish contended. That’s what inspired his idea to launch the Evolve Security Academy, which will enroll its first cohort in February for a 12-week hands-on curriculum. The class will meet at 1871, where prospective students gathered Wednesday for an informational session.
Petefish told attendees the class size would be limited to 16 students. Tuition costs $10,000, but there are $5,000 scholarships available for up to nine students: three for women and minorities, three for veterans and three for highly qualified applicants.
Kimberly Caravantes, a former Transportation Security Administration employee currently earning a Master’s in Information Systems at Northwestern University, asked Petefish what his program would offer participants upon completion of the program. Petefish said that, although his startup wouldn’t be able to bestow any degrees or certificates, his curriculum would offer valuable experience and professional skills, culminating with a “diploma in cybersecurity.”
Caravantes, who noted that she’d like to apply for a cybersecurity job with the Federal Emergency Management Agency, said after the session that she has reservations about the program’s lack of academic accreditation. But it might be a worthwhile educational experience anyway, she said.
“I don’t know anybody personally who does cybersecurity, so it’s not like I have a mentor,” Caravantes said. “I don’t have somebody who’s like, ‘OK, this is what you should be doing.’ Basically, I’m looking for a road map.”
The academy’s next free informational session — “How Hacking Works,” an exploration of the most common cyber attacks, with demonstrations and hands-on exercises — is scheduled for 6-8 p.m. Dec. 16 at 1871, on the 12th floor of 222 W. Merchandise Mart Plaza.