Microsoft Wants to Train 250,000 Cybersecurity Workers

On October 28, the Official Microsoft Blog discussed a new initiative that may help incoming professionals, along with out-of-work persons seeking reskilling opportunities. That announcement comes from Brad Smith, president and vice chair at Microsoft, who is second only to Satya Nadella at the company.

In other words, this is a big deal, deserving of all of the requisite fanfare and bells and whistles. The first couple paragraphs detail all the work Microsoft has done to boost overall information security and all the time and money it's spent on that effort. Why the urgency?

Here's how Smith himself frames it: "We've entered a new international era that falls short of war, but with constant foreign cybersecurity attacks that threaten not only our businesses, but our students, healthcare, and daily lives."

Why The Beast Must Be Fed!

Smith goes onto observe that increased investment in tools, technology, and capabilities cannot adequately address the cybersecurity problem. People are needed to install, configure, monitor and maintain, and otherwise work with all this stuff. Here's how Mr. Smith sums up the situation (the bold emphasis is his, not mine):

"But this work has also brought an additional and daunting realization: the country's cybersecurity challenges in part reflect a serious workforce shortage. Until we redress the cybersecurity workforce shortage, we will fall short in strengthening the country's cybersecurity protection.

"That's why today Microsoft is launching a national campaign with U.S. community colleges to help skill and recruit into the cybersecurity workforce 250,000 people by 2025, representing half of the country's workforce shortage. While some of these individuals will work at Microsoft, the vast majority will work for tens of thousands of other employers across the country."

I'm impressed. I've been following the cybersecurity workforce shortage for years (at least a decade). This is the first time I can remember seeing a single company step up and bite off a chunk of responsibility of this size and complexity. But the blog post provides ample justification for this bold move:

1) After Microsoft discovered the Solar Winds hack at the end of 2020, the company moved mountains to respond. They even published 30 blog posts with detailed information on how to fix the situation at affected organizations. However, says Smith, "(T)here were not enough people with the training needed to read everything we were writing."

2) As Smith traveled the country to meet with organization representing the interests of small and mid-size business, he kept hearing a particular complaint: "We can't find people with cybersecurity skills."

3) Upon in-depth analysis of job postings and hiring data from sites like LinkedIn.com and cyberseek.org, Microsoft concluded that for every two cybersecurity jobs filled, one sits empty. Smith also reports there are more than 460,000 open positions in the United States right now that require cybersecurity skills: 6 percent of all open jobs in the country.

Where Community Colleges Come Into the Picture

Smith offers up a nice infographic from the American Association of Community Colleges (AACC) to explain how community colleges can help to remedy this situation, and get trainees in the pipeline toward the workforce, and productive, decent-paying jobs.

Source: Official Microsoft Blog

As I have long said here at GoCertify, community colleges are a tremendous and valuable educational asset. Not surprisingly, Mr. Smith sees them as the "single greatest potential asset in expanding the cybersecurity workforce."

In short, with a mandate to provide workers to fill jobs in their local communities, and address the shortfall of cybersecurity professionals around the country, the network of more than a thousand community colleges nationwide has some strong assets. These oft-undervalued institution are uniquely equipped to help offset the shortfall by training people up to fill such jobs.

Here's What Microsoft Has in Mind

Microsoft has been working with 14 community colleges in six states since the start of 2021 to put a program together. They've assessed the needs of the student bodies, their instructors, and their home institutions to try to identify the barriers they face. Smith sums up those barriers in three bullet points:

1) Community colleges need access to "state-of-the-art curriculum materials" that can be used right away to expand their course offerings

2) Community colleges need more trained faculty to teach from existing cybersecurity programs. They should also be able to teach courses as yet untaught to respond to emerging threats.

3) Community colleges need to expand financial aid and provide additional learning services so they can help more students pursue cybersecurity certificates and degrees. By happy coincidence this should also help bring diversity to the mostly male, mostly white cybersecurity professionals already in the workforce.

After a long-build up Microsoft's program is both clear and straightforward. As you might expect there's an infographic for this, too:

Source: Official Microsoft Blog

1) Microsoft will be providing a complete security curriculum free of charge to all accredited institutions in the United States, including all thousand-plus community colleges.

2) Microsoft will provide training for new and existing faculty at 150 community colleges. Their goal is to raise the quality of instruction at such colleges to the level of the NSA Center of Academic Excellence in Cyber Defense (CAE-CD) designation. In addition, Microsoft will sponsor a grant program that will support 42 additional community colleges in accelerating their cybersecurity programs.

3) The company also plans to grant 25,000 scholarships with supplemental financial and soft skills support for students who apply to the program.

This is big, complex and entirely laudable effort. I'm pleased to see Microsoft buying into education and life change for a big group of people. Microsoft is planning this as a first step in a larger effort that could result in additional investments where, as Smith says in his blog post, "it makes sense."

This looks like a significant commitment already, but if MS really wants to reach 250,000 people, it still has a long way to go. For my part, it makes me want to check in with Austin Community College and see what kinds of cybersecurity teaching position they may need to fill!