February 23, 2023
The 5×5—Strengthening the cyber workforce
On July 19, 2022, the White House convened leaders from industry, government, and academia at its National Cyber Workforce and Education Summit. In his remarks at the Summit, recently departed National Cyber Director Chris Inglis committed to developing a National Cyber Workforce and Education Strategy with input from relevant stakeholders to align government resources and efforts toward addressing the many challenges in this area. Among these challenges is finding sufficient talent to fill the United States’ ever-growing number of openings for cyber-related roles across all sectors of the economy. According to research from CyberSeek, US employers posted 714,548 of these job openings in the year leading up to April 2022. While many of the vacancies are oriented toward individuals who are savvy in the more technical aspects of cybersecurity, more organizations are searching for multidisciplinary talent, ranging from international affairs to project management and everything in between.
While we await the White House’s National Cyber Workforce and Education Strategy, we brought together a group of experts to provide insights into bolstering the cyber workforces of the United States and its allies.
#1 What is one assumption about the cyber workforce that is holding the cyber community back?
Nelson Abbott, senior director, advanced program operations, NPower:
“‘We cannot find good talent.’ This sentiment is, in my opinion, a result of companies not broadening their talent acquisition strategies. You will not meet the increasing demand for cyber talent by using the same talent pipelines that are not increasing their output to market.”
Richard Harris, principal cybersecurity policy engineer, MITRE Corporation:
“One problematic assumption is that the market, academia, or government alone can solve the problem of cyber workforce shortages. Developing cyber workforces at the right time, in the right quantities, and with the right skills requires purposeful and persistent public, private, and academic partnerships.”
Ayan Islam, director, cyber workforce, Office of the National Cyber Director:
“There is an assumption that there is a single pathway into the cyber workforce when there are many pathways to recruit cyber workforce talent. To open the job pipeline to those for whom a career in cyber or a related field would be out of reach, new pathways need to be created. We need to fully leverage the potential for community colleges to contribute to the workforce, grow work-based learning programs such as apprenticeships, and further explore non-traditional training opportunities. While some exist today, we need many more pathways to allow for more entrants and career changers into the cyber workforce and to demystify those pathways.”
Eric Novotny, Hurst professor of international relations, emeritus, School of International Service, American University:
“One assumption that I have noticed in employment advertising is the posting of entry-level positions in which the Certified Information Systems Security Professional (CISSP) certification is listed as necessary or desirable. This certification, as is well-known in the community, is a cybersecurity management certification that requires five years of experience in the domain. It may be that human resources representatives do not understand the levels or purpose of cybersecurity certifications. Some organizations may lose qualified job candidates if desired certifications are not aligned with job requirements.”
Merili Soosalu, partner leader and regional coordinator for Latin America and the Caribbean, EU Cyber Resilience for Development Project (Cyber4Dev), Information System Authority of Estonia (RIA):
“Cybersecurity as a topic is on its way to the mainstream. In the more and more digitalized world, cybersecurity is an integral aspect that cannot be overlooked. This should also be reflected in the outlooks of cyber careers that do not only mean highly experienced technical skills but rather a variety of professions and skillsets from the areas of project management and communications to the highly skilled blue- and red-team competencies.”
#2 What government or industry-led programs have had an outsized positive impact on workforce development efforts?
Abbott: “I am of the opinion that there have not been ‘outsized’ positive impacts. There are a lot of great companies and organizations doing good work (NPower, Per Scholas, etc.), but they do not have the capacity to meet the exponential growth in demand for talent. The recent cybersecurity sprint was good to develop interest in that alternative hiring model, but it is still too early to see what the measurable results are.”
Harris: “Some of the most successful workforce development programs have been in local communities. These programs were the result of local businesses, governments, and academic institutions putting their heads together to meet cybersecurity and other technical skill needs. While these efforts help keep people in their communities, they also support workforce mobility where these same skills are in demand outside of the local community.”
Islam: “With over seven hundred thousand (approximately 756,000 as of December 2022, per CyberSeek.org) vacancies in cybersecurity positions across the United States, these numbers constitute a national security risk and must be tackled aggressively. Therefore, it is important for government, industry, education, and training providers to all contribute to workforce development efforts, and work in tandem to address our growing needs. For example, the Office of National Cyber Director hosted a National Cyber Workforce and Education Summit at the White House last summer with government and private sector partners to discuss building the United States’ cyber workforce, increasing skill-based pathways to cyber careers, and equipping Americans to thrive in our increasingly digital society. The event resulted in many new commitments. A cybersecurity apprenticeship sprint was also announced at the Summit, which led to an increase in private-sector participation in the Department of Labor’s apprenticeship program, with 194 new registered participants and over seven thousand apprentices getting jobs.”
Novotny: “Sponsored events to attract new talent into the field, such as Cyber 9/12, AvengerCon, and various Capture the Flag (CTF) exercises are invaluable for stimulating interest in cybersecurity and exposing students and young professionals to executives and experts in the field.”
Soosalu: “In Estonia in recent years, many positive initiatives have been developed for different age groups. For instance, for adults looking to change their careers to information technology (IT), the Kood/Jõhvi, an international coding school, was created and top IT specialists should enter the job market in the coming months. A private initiative called Unicorn Squad was created in 2018 to popularize technology education among girls. These initiatives, to name some, will hopefully show positive effects in the coming years. The Estonian State Systems Authority, responsible for national cybersecurity, prioritizes the knowledge development of cyber incidents of critical sectors by regularly organizing joint exercises between the national Computer Emergency Response Team (CERT) and the IT teams of different critical service providers.”
#3 Are there any issues or challenges in workforce development that have been overstated or immaterial?
Abbott: “‘Anyone can do cyber.’ While it is true that there is a much broader spectrum of roles in cyber than most people realize (non-technical; governance, risk management, and compliance; policy; etc.), these still require a strong working knowledge of information technology and networking concepts.”
Harris: “Many people need to move beyond wringing their hands about cyber workforce shortages or hoping that someone else will solve the problem. Organizations can start at the grassroots level and proactively develop partnerships and plans that result in a tangible workforce development achievement at whatever level is feasible, and then build on that success.”
Islam: “Actually, what is understated and greatly material to the issue and challenge in cyber workforce development is the lack of appropriate resourcing and C-suite appreciation with security program investments. There is still a disconnect in recognizing that cybersecurity is a foundational business risk and not a one-time, niche issue. Without proper investments on the people side of security programs, we will continue to see the same issues or challenges in tackling cybersecurity threats.”
Novotny: “There are some misconceptions that cybersecurity is an exclusively IT-driven, technical field. That is certainly true for some roles and responsibilities, but cybersecurity solutions also embrace people and processes, as well as technology. Professionals with highly developed technical skills will need to include management and people skills in their career development.”
Soosalu: “Today, all studies show that the IT sector, cybersecurity in particular, lacks a qualified workforce. Therefore, all challenges are real and need to be tackled.”
#4 How can different types of organizations better assess their cyber talent needs?
Abbott: “By 1) moving from credential-based job descriptions to competency-based job descriptions; 2) better communicating between hiring managers and talent-acquisition teams; 3) changing job descriptions to remove bias and non-negotiable requirements to encourage more candidates to apply; and 4) considering internal upskilling programs and backfilling entry-level roles with new talent.”
Harris: “The National Institute of Standards and Technology’s (NIST) National Initiative for Cybersecurity Education (NICE) Framework is an awesome baseline reference for understanding workforce positions and skills. Organizations, however, must do the work to understand their current and future cyber talent needs, then leverage the NICE Framework, or a similar guide, to connect those business needs with the right positions and skill paths, and build a workforce development plan.”
Islam: “A growing number of organizations are taking advantage of skill-based and aptitude assessments to allow for diverse and multidisciplinary candidates to join the cyber workforce. However, skill-based training and hiring practices are still necessary. Any solution must be inclusive of historically untapped talent, including underserved areas and neurodivergent populations. A cybersecurity career should be within reach for any American who wishes to pursue it, and skills-based training and hiring practices enable inclusive outcomes, give workers a fair shot, and keep the economy strong.”
Novotny: “The size of the existing IT and cybersecurity internal infrastructure plays a huge role here. Medium and small enterprises will have a more difficult time justifying a large cybersecurity staff in most cases. For these organizations, where many cybersecurity functions are outsourced, the skills shift to management and procurement, rather than technical operations, such as staffing a security operations center. In the government sector, having different standards and compliance rules than in the private sector also drives different necessary skill sets. On the other hand, I would argue that any organization that has network operations and valuable information assets to protect has similar security requirements in principle.”
Soosalu: “For assessing needs, some forms of standards are needed. In the European Union, the new European Cybersecurity Skills Framework (ECSF) was created to become a useful tool to help identify the profiles and skills that are most needed and valued. This will help create a European framework for recognizing skills and training programs.”
#5 How have cyber workforce needs shifted in the past five years, and where do you see them going from here?
Abbott: “They have only increased, and almost doubled in 2022. More companies are taking cybersecurity seriously, and are now realizing the importance of having those individuals on their teams. I fear that the demand for cyber talent will only continue unless employers start to create new solutions instead of relying on old habits when it comes to talent acquisition.”
Harris: “Rapid technological change like the current artificial intelligence revolution, and increasingly complex risk dynamics exemplified by greater cyber-physical convergence, require cyber workforces and individuals to embrace continuous learning throughout their careers. More attention needs to be paid to developing interesting and flexible cyber career paths and investing in more career progression training and education.”
Islam: “We need to broaden our thinking about the importance of cyber across occupations and professions in our interconnected society. There are many occupations and professions that have not traditionally required in-depth cybersecurity knowledge or training, but whose work relies on the use of cyber technologies. Greater attention should be paid to ensuring that cybersecurity training and education are part of the professional preparation of these workers.”
Novotny: “Several broad trends are noticeable in workforce requirements that have changed over time. First, as more sectors of the economy are identified as critical infrastructure, professionals that have industry sector experience are in higher demand. Second, the cyber threat intelligence business—in both government and in the private sector—has opened job opportunities for young professionals with language and international relations education. Third, there is an apparent fusion of traditional cybersecurity needs with a growing concern about misinformation, social media, and privacy. A few years ago, these latter issues were largely separate from the cybersecurity domain. That is not the case today.”
Soosalu: “Estonia was the target of one of the first ever national cyberattacks in 2007, and therefore cybersecurity as an issue is not new to our general public. However, being one of the most digitalized countries in the world, Estonia relies heavily on its digital services and needs to both create awareness and invest in being as cyber resilient as possible. The lack of a skilled workforce is clearly a vector of risk. Compared to the period of the past five years, the legislation has evolved. Today, many more sectors are obliged to follow information and cybersecurity standards, hire information security officers, and invest budget into dealing with cybersecurity. The topic of cybersecurity is here to stay, and we will need to do our utmost to create an interested and competent workforce for these profiles. Hopefully, the initiatives named above (Question #2) will help to contribute to this, and we soon see more women and more IT and cyber enthusiasts in the job market.”
Simon Handler is a fellow at the Atlantic Council’s Cyber Statecraft Initiative within the Digital Forensic Research Lab (DFRLab). He is also the editor-in-chief of The 5×5, a series on trends and themes in cyber policy. Follow him on Twitter @SimonPHandler.
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.