At the end of July 2023, the White House released its National Cyber Workforce and Education Strategy, a high-level blueprint for the United States to develop its cyber professionals and advance an education plan that keeps up with the fervent pace of technological change. The strategy focuses on four key pillars – position U.S. citizens with the necessary cybersecurity foundation to protect themselves in a digital age; reshape cyber education throughout the scholastic system; increase the U.S. cyber workforce; and strengthen the federal cyber workforce. Notably, the document recognized that across all industries, 92% of jobs required digital skills, a sobering revelation given that the strategy found nearly one-third of U.S. workers lacked them. The message is clear: cybersecurity is everyone’s responsibility, and as such, there needs to be a path forward in building cyber capabilities among individuals in both the public and private sectors to strengthen the country’s overall cybersecurity resilience, thereby bolstering its defense posture.
The Department of Defense Cyber Shortage
The Department of Defense (DoD) is also experiencing this hardship. In March 2023, DoD released its own Cyber Workforce Strategy, which essentially echoes the issues outlined in the White House’s plan and cited the lack of common criteria for workforce requirements; the need to identify necessary skills to fill gaps; a glaring dearth of skills development; and, perhaps more alarmingly, constant job attrition. Unsurprisingly, the DoD strategy’s four pillars concentrate not only on finding the right candidates but also on developing and retaining them, which has been a persistent problem for any organization. The principal director for resources and analysis for the DoD’s Chief Information Officer admitted that the civilian side of DoD has a bigger challenge than the military side in finding and keeping people, which may have to do with the training opportunities and competitive compensation the military provides its personnel. Given that both sides, as well as contractors, have approximately 75,000 positions each that make up the DoD’s cyber workforce, it is little wonder that vying for available talent has been an uphill struggle.
Over the past years, there has been much discussion in the press about a shortage of qualified cybersecurity professionals in the workforce, a disconcerting reality given the pervasiveness of the cyber threat ecosystem. A U.S. interactive map shows the extent of these shortages throughout the United States with only 69% of available cyber jobs being filled. According to a study by the International Information System Certification Consortium, the workforce gap increased by more than 26% in 2022 as compared to the previous year.
This percentage is sobering given that this occurred despite the addition of 460,000 jobs. Per the same study, 70% of respondents acknowledged that their organizations were understaffed with the industries most impacted being government, aerospace, education, healthcare, military/military contractors, insurance, and transportation. For a global perspective, the study also found that the cybersecurity workforce gap grew 59% in the Europe, Middle East, and Africa region; 52% in the Asia-Pacific; and 8.5% in North America (though it was 9% for the United States).
Recruitment, Recruitment, Recruitment
The common theme echoed in both the DoD and White House strategies is the issue of recruitment, which can be more difficult than just luring individuals away from the competition.
Cybersecurity covers a wide range of unique skill sets that are not always easily transferable across job responsibilities. Positions include network engineering, malware reverse engineering, Security Operations Center analysis, cyber threat intelligence, digital forensics, threat hunting, red teaming, penetration testing, and network administration, to name a few. Many vacant cybersecurity positions demand individuals with substantial experience across many of these different disciplines, which may be a contributor to this cyber workforce shortage. A person skilled at performing forensics may not have the skills to write strategic cyber threat intelligence, and vice versa.
Therefore, hiring practices need to be examined and adjusted in order to search for the right individuals without turning them away with confusing and inaccurate position descriptions. This requires hiring departments to clearly understand the organization’s needs and, perhaps more importantly, the best way to market those needs to prospective candidates.
The government may have a better understanding of its needs, but many private sector organizations do not. As such, since they do not know what the specific needs are to support their cybersecurity programs, their attempts to attract candidates may suffer. For example, some entry-level positions want certifications that can’t even be obtained without some experience already in the field and are often expensive and time consuming to obtain.
According to Alyssa Miller, a business executive and speaker on cybersecurity issues, nearly three-quarters of entry level jobs she looked at asked for candidates to have a Certified Information Systems Security Professional (CISSP) certification, which mandates at least five years of professional experience prior to pursuing it. CISSP training and exam costs can be a few thousand dollars depending on the provider, not to mention the time to study and prepare. This would be a huge financial and time burden on “entry level” individuals just looking to get their feet in the door of the cybersecurity industry.
Other Challenges Loom
Failing to augment cybersecurity ranks risks the burnout and subsequent departure of current cybersecurity professionals. Several factors contribute to this, including but not limited to small security staffs, increased remote work, continued exploitation of third parties and supply chains, expanded use of mobile devices in professional environments, and everyday work responsibilities.
There is no pause when it comes to protecting networks and the information residing on them. Simply put, because cyber threats are 24×7, cybersecurity measures must be equally vigilant, and with limited security resources, this can be an insurmountable task. One survey of Chief Information Security Officers found that 73% of them had experienced burnout in the previous 12 months. It’s not too difficult to imagine how the cybersecurity professionals under those CISOs felt over the same period.
Another issue further complicates the cyber workforce shortage – layoffs and budget cuts. According to a survey by Cobalt, 77% of security professionals in the United States say their departments have faced layoffs, and 63% have faced cybersecurity budget cuts in the last six months. Nearly 90% of those surveyed acknowledged that workloads were hard to manage as a result.
These findings are consistent with research conducted by HackerOne that found that 67% of companies reported that cybersecurity staff reductions negatively impacted their ability to effectively address cybersecurity incidents. The fact that the company’s research found that 40% more companies intended to reduce staff further is even more disconcerting.
Putting more pressure on cyber defenders is the fact that the cybersecurity environment is one that favors attackers: they need to get it right only once, while defenders need to get it right most, if not all, of the time. And when an organization faces as many as a million potential cybersecurity attacks per day, the odds certainly favor one getting through. Any breach could spell severe economic damage, loss of public trust and consumer confidence, and a tarnished brand reputation.
At a time when everything seems to be a “national security” or “existential” threat, there is a hesitation to lump the cyber workforce shortage into that pot. However, the fact remains that advanced technology will continue to be incorporated into all facets of life, and as such, there need to be appropriate security considerations as well, including both technical and human solutions.
What’s clear is that the current situation cannot continue without substantial changes in how public and private sector organizations think about the cybersecurity professionals who support their interests. And while sustaining a cybersecurity staff may not be economically viable and there is a shift toward relying on third-party solutions, evidence shows that private sector cybersecurity vendors are cutting back on their workforces as well. While this should ostensibly mean that these individuals are ripe for government or contractor recruitment, there is little indication that one entity’s loss is another’s gain. Optimistically, that might change, but only time will tell if that proves out.
But even if successful, that is a temporary fix to a larger problem. The White House strategy is correct in pushing for organized cybersecurity education from kindergarten through 12th grade, because closing talent gaps necessitates introducing these principles as a scholastic requirement. Because students are using technology recreationally as well as to support their schoolwork, having formal cybersecurity training during these scholastic years just makes sense for students both as independent consumers and as potential future professionals in the field. Furthermore, an educated society reinforces the national cybersecurity posture because users can contribute to the cyber workforce either as professionals supporting the defenses of a public or private organization, or as individual consumers whose activities are tied to critical infrastructure industries and their processes. This way, we better position the future by making all citizens, if not cybersecurity capable, at least cybersecurity aware enough to be more astute about their technology behavior. Future leaders will have a strong foundation in cybersecurity best practices, having not only grown up using technology but also come to understand the vulnerabilities and threats to it.
Herbert Spencer once said, “The great aim of education is not knowledge but action.” The future of cybersecurity rests in our not just being aware of the threat, but becoming better cybersecurity practitioners who are resilient to it.