In 2010, the Center for Strategic and International Studies (CSIS) published the report "A Human Capital Crisis in Cybersecurity," which noted "there are about 1,000 security people in the US who have the specialized security skills to operate effectively in cyberspace. We need 10,000 to 30,000."
Twelve years later, the Cyberspace Solarium Commission 2.0 Workforce Development Agenda for the National Cyber Director observed that "in the United States, there are almost 600,000 open cybersecurity jobs across the private sector and federal, state, and local governments — a remarkable gap considering that the field currently employs just over a million professionals." This is not an encouraging trend.
Stakeholders Who Have the Power
To effect multigenerational change, there are four distinct groups of stakeholders that have the power to best address a problem that has existed for over a decade.
Cybersecurity buyers should generally stop buying point solutions and instead focus on a strategy of long-term consolidation of technical cybersecurity capabilities. Although the latest shift-left-zero-trust-artificial-intelligence-XDR-machine-learning "solution" may provide comprehensive coverage against the latest techniques used by an advanced persistent threat (APT), it is meaningless unless your organization has actual proof of engagement by an APT that uses those techniques. Each new point solution carries a training and operations burden, typically a minimum of two people who must learn to design and operate the solution.
Unfortunately, each new solution also needs to be integrated into the organization's existing security stack, which takes precious time and resources, and where visibility failures may provide coverage for threat actors to hide. By comparison, an integrated security stack might not immediately cover every conceivable technology threat permutation, but it will take fewer human resources to own and operate, and those staff tasked with operations will have in-depth knowledge as a result.
HR professionals should de-emphasize the importance of certifications for interns and junior and midcareer professionals and instead focus on on-the-job training and clearly defined career paths for cybersecurity professionals. The issue with certifications predates the CSIS report, which in 2010 observed, "It is the consensus of the Commission that the current professional certification regime is not merely inadequate; it creates a dangerously false sense of security." Part of the reason for the workforce gap is the sheer number of entry-level job postings that require certifications; the specificity of these job descriptions has also been repeatedly shown to discourage otherwise-qualified women and minorities from even applying.
Retaining cybersecurity professionals is similarly difficult, as many junior and midcareer professionals will change jobs every two to five years to gain expertise with new technologies and additional security domains. Both hiring and retention can be managed effectively with well-defined career paths for cybersecurity professionals, such as those defined by the National Institute of Standards and Technology's (NIST) National Initiative for Cybersecurity Education (NICE) program. When supplemented by paid training from employers, employees are more likely to stay, which further reduces the cybersecurity skills gap.
Compliance professionals should be aware that their security counterparts are continuously overextended and should seek to automate as many compliance operations as feasible. When responding to an internal assessment or an external audit, compliance professionals regularly rely on the security team to collect evidence of internal control operation and effectiveness. Realistically, this is an "extra" job duty for security professionals, and as such, these tasks may be done in a rush or put off to the last minute because more pressing duties compete for their limited time. These activities include manual tasks such as taking a screenshot of the password policy and saving it in a defined location or creating a PDF report showing that all hard drives are encrypted. As these compliance activities require neither creativity nor intuition, they are prime opportunities for automation, which will lessen the time burden on security professionals. This may also result in a positive change in budgetary priorities, as an organization that has automated many compliance operations can hire additional security staff rather than additional compliance staff.
Individual cybersecurity professionals should reach out to middle schools and high schools to find opportunities to speak to young people about their jobs. A persistent misconception in secondary education is that cybersecurity jobs require a programming background, yet most cybersecurity jobs require no expertise in programming. Individual contributors across all disciplines — including sales, marketing, UX design, customer success, DFIR, and red teamers — should try to speak to one secondary school audience about what they do, why they love their job, and how their job has a middle-class salary that likely only required a two-year degree. That last part will resonate with many secondary school students and their parents who are considering how long it may take to pay off a four-year university degree.
Although there is no single solution to the cybersecurity workforce gap, there are reasons to be hopeful. The cybersecurity community attracts people who like working in teams and sharing their knowledge and experiences. A cross-disciplinary effort of behavioral changes across stakeholders, based on shared values, may be our best solution moving forward for the next decade.