CYBER
JUST IN: U.S. Desperately Needs Cyber Talent, Congress Says
iStock illustration
With almost 700,000 cybersecurity job openings, the United States doesn’t have enough cybersecurity experts to protect the nation’s critical infrastructure and federal networks from cyber threats, according to members of industry and Congress.
Representatives and witnesses painted an alarming picture of the shortfall in cybersecurity talent during a June 22 House Homeland Security Committee subcommittee on cybersecurity and infrastructure hearing.
“We need not only enough people, but the right people with the right skills in the right jobs to meet the growing cyber threat,” said Rep. Andrew Garbarino, R-N.Y. “In April, the FBI director testified to Congress that even if all FBI cyber-agents and [intelligence] analysts focused on the China threat, Chinese hackers would still outnumber our FBI cyber personnel at least 50 to one. That is extremely concerning.”
Will Markow, vice president of applied research at labor market analytics firm Lightcast, told members that the cybersecurity talent pipeline is severely broken.
“In the past 12 months, there are over 660,000 cybersecurity job openings in the United States, but we only have 69 skilled cybersecurity workers for every 100 that employers demand,” he said. “This means we are stepping onto the digital battlefield missing nearly a third of our army, and the consequences of this talent shortage echo across our country.”
The consequences manifest in the economy, increasing hiring costs and salaries for cybersecurity workers, he added. Meanwhile, cybersecurity jobs take 21 percent longer to fill than other IT roles, which can lead to cybersecurity position vacancies as cyber threats increase.
Cyber certifications, while useful, can be difficult to keep up with, he added. As the cyber world constantly evolves, the same is required of cybersecurity skills. This has led to not just a talent gap, but an expectations gap between employees and employers that prioritize hiring those with inflated credentials or extensive work experience, which has created a “perfect storm of market failures,” Markow said.
He added that even if every single computer and information science graduate pursued cybersecurity, the workforce would still need at least 200,000 more people. “We're going to have to find ways to redeploy and reskill existing workers if we're going to close that talent gap within any human timescale.”
To go about closing these gaps in the cybersecurity workforce, entry-level job requirements would need to be lowered, and guidance would need to be offered to individuals and their employers on how to constantly reskill their workers, he added.
Lightcast is one of the partners behind CyberSeek, a cybersecurity workforce analytics and career pathway platform. Markow suggested that cybersecurity employers could use the grant-funded platform to better visualize and build their cyber workforces.
Rep. Eric Swalwell, D-Calif., said the National Cybersecurity strategy, which was released earlier this year, signified the moral necessity and strategic importance of increasing diversity in the workforce. “We simply will not be able to close the gap between employer demand and the available talent pool if we do not do more to bring women, people of color, immigrants and other underrepresented groups into the cyber talent pipeline,” he noted.
Tara Wisniewski, executive vice president for advocacy, global markets and member engagement at ISC2, also emphasized the importance of increasing diversity.
“We know from our research that organizations with [Diversity, Equity and Inclusion] programs in place have smaller workforce gaps. Yet despite these findings, meaningful progress to deliver more diversity, equity and inclusivity in the cybersecurity profession has been slow,” Wisniewski said.
Anjelica Dortch, senior director for U.S. government affairs and head of cybersecurity policy at SAP America, said the company has been able to build diversity through various programs — one of which utilizes the unique abilities of neurodivergent individuals. The program, Autism at Work, was launched in 2013 to promote inclusion at SAP.
“We support neurodiverse professionals during the hiring process and offer a variety of resources to facilitate the success of employees once they are onboarded,” she said. “But to help neurodiverse professionals realize their potential, most organizations must adjust their recruitment, selection and career development policies to reflect a broader definition of talent.”
Another under-tapped resource is the pool of former service members with cyber skills, said Marine Col. Colonel Chris Starling (ret.), executive director of NPower in California. The nonprofit organization provides training and job placement services to veterans and young adults from underserved communities.
“Capitalizing on the talent pool of military-connected individuals and families, including transitioning military service members is easy,” he said. “It's natural to retrain people from defending the nation to defending the network,” Starling continued.
NPower received a $1 million grant from Cybersecurity Infrastructure and Security Agency, or CISA, to help support the organizations free program that serves more than 1,300 unemployed and underemployed students per year, of which 75 percent are ethnic minorities and 39 percent are women, he added.
“We seek people in transition, that are passionate about technology and who are willing to commit themselves to 16 weeks or more of training,” he said. “Second, we understand that some people need help not just in the classroom to learn the material, but with life. NPower’s team of social support managers provides wraparound services by connecting students with local resources to help them solve everyday problems,” Starling said.
Currently, the program operates in nine states across the country. Starling recommended the committee establish a similar, permanent program, which would focus on providing sustainable funding for individuals like those served by NPower.
However, there is still one structural problem that many former service members face: the lack of a degree, he said. “Cybersecurity demand is outpacing supply, and many companies still seek applicants that have college degrees,” Starling said.
The problem with the national cybersecurity talent pipeline isn’t new, and it’s only continuing to grow, Swalwell said.
“As the White House works to finalize its national cyber workforce education strategy, it's critical that Congress can be an active partner in implementing policies and providing resources to expand the cyber talent pipeline and ensure we have the workforce necessary to maintain ... our advantage against adversaries who are outnumbering us, like China and Russia,” he said.
Topics: Cyber
Comments (5)
Congress should talk to the recruiters of these companies who "need a workforce". Before taking an IT role, every single Cybersecurity company applied to wanted 10 years plus experience for an "entry-level" role. There are plenty of cybersecurity people out there, but it is a dead-end when you are dealing with recruiters who don't exactly know what entry-level means. Cybersecurity degree hasn't done jack for me.
John K at 2:44 PMI'm going to take a contrarian view on the lack of entry level jobs for cybersecurity-destined young Americans. There are many of these positions you can jump into but they are not where you are looking. For those who have earned a cyber undergrad degree, congratulations. But please don't expect to be hired as a cyber ninja chasing foreign threat actors as part of a corporate security team with a six-figure salary until you've proven yourself worthy. Your first job, regardless of your degree, should be in an IT shop learning how to work in a business or operational environment, how to pull cables and install software patches, how to deal with irritated employees or customers, and how to manage highly complex information systems. Earn your ten years of experience that employers are looking for by performing very well in a technical job. Along the way learn about firewalls, intrusion detection systems, SIEM, data forensics, risk management, and incident handling. And for extra credit, volunteer to secure the network at your church or at a local civics organization. Get your experience by proving you are a hard working individual who can be trusted to properly handle very sensitive information. Then apply for a cool cyber job and watch how much in demand you are. Bottom line - "entry level" for cybersecurity really does require many years of prior experience in managing and operating computer systems and networks. If you are unwilling to gain basic IT experience then maybe you should reevaluate your career goals.
Marc Sachs at 2:23 PM
Richard Cornell's comment, above, makes perfect sense: recruit the people we need from a worldwide talent pool.
What also makes sense is the following: limit government-subsidized student lending to jobs that have an actual marketplace need. Any compenptent economist can reasonably project, with 90% accuracy, the skills needed within 10 years. I'm not saying people can't continue to pursue Law, "Gender Studies " or "Mass Communication" degrees - it's just that I see no reason for the government to provide subsidized loans to students who want to chase a degree for which we already have a huge surplus of graduates.
My brother-in-law is from the old country and when he was growing up his father put him into a training problem to be an engineer. One of the first things he did was to take a square block of metal and with a file make a large ball, then a slice was cut off and again he shaped it into a ball, and that went on until he had a ball bearing. When you have a few hundred students doing the same thing, then they slowly did that for years and many went on into industries. My brother-in-law worked for Bethel on worldwide projects.
India has a program where students do just about everything that deals with computers and each year 100,000 when they leave school is your IT people. That has been going on for years. You might want to take said Indian students and fast-track them into being American citizens.
In Japan how many students that are not selected for jobs in that country would jump at the chance to be hired by a US firm and fast track to American citizenship?
Korean students with IT education would jump at the chance to work in the US and again fast-track to being a American.
It's all about the pay and benefits. If you can actually do the job, industry pays far more with greater opportunities, and they don't care about many things that would get in the way of a security clearance. Government jobs are a dead end. Nobody with the potential to be successful in cybersecurity wants to work at a government or defense industry job.
Ainsley Lowbeer at 10:19 AM