By John Carlin
Chair, Cyber & Technology Program, The Aspen Institute
For the past four years, the Director of National Intelligence has named cyber threats to critical infrastructure as the top national security concern. Attacks on Atlanta, Baltimore, Louisiana, Florida, and Texas show how, on the eve of the 2020 elections, cyber adversaries are broadening their reach and targeting an increasingly diverse array of victims. And the routine cyber incidents that barrage the United States every day are costing the economy tens of billions every year. Confronting this threat demands more than bigger budgets and better technology—we desperately need trained people who can spend that money wisely and use technology correctly. Yet the nation faces a critical shortage of cybersecurity skills.
Closing this skills gap is a core mission of the Aspen Cybersecurity Group, which convenes business executives, security practitioners, and former government officials to operationalize concrete recommendations that will enhance the nation’s cybersecurity in measurable ways—in other words, solving problems, not just observing them. Meeting for the first time in early 2018, the Group’s members decided to focus their collective efforts on three areas, one of which was cybersecurity workforce development. The Group embarked on a year-long process, led by IBM CEO Ginni Rometty and IBM VP of Talent Joanna Daly, to identify the most important Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce. These include changing job qualifications to elevate the importance of real-world skills, rewriting job descriptions to appeal to more diverse job applicants, and drawing a transparent career path for cybersecurity workers.
Today the Group announces the next phase of its efforts. For the first time, we have brought together a diverse coalition of fifteen major companies who have agreed to adopt and implement principles to build a more robust pipeline for cybersecurity talent. Leveraging this comprehensive support, the Group aims to expand the roster of participant organizations and scale adoption of these principles.
It should deeply concern all Americans that businesses and government agencies are struggling to find enough cybersecurity workers. President Trump has described them as “guardians of our national and economic security.” Yet unfilled cybersecurity positions have grown by 50% since 2015, underscoring that organizations are struggling to find desirable candidates. According to the Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce, there will be at least 500,000 unfilled cybersecurity jobs in the United States by 2021. Other research tells a similar story, with one study projecting 3 million cybersecurity job openings around the world by 2021.
The cyber workforce gap has multiple causes, including structural ones like the need for developing more computational thinking skills starting in K-12 schools, the integration of cybersecurity education across undergraduate degree programs, and unequal opportunity in education more generally. These are tough problems that will take time and commitment to address.
But other obstacles are ripe for resolution here and now. Companies and government agencies already have the power to narrow the cyber workforce gap simply by changing their internal processes. Many organizations are leaving large pools of skilled candidates untapped, in part because of overly complex job requirements that disqualify more than 50% of applicants. Data collected on CyberSeek shows how the vast majority of cybersecurity job openings require a bachelor’s or more advanced degree. Right now, of the 26,013 openings for a “cybersecurity analyst” nationwide, 90% require a bachelor’s degree or higher. This practice artificially restricts the pool of available cybersecurity talent. The world’s premier authority in cybersecurity—the National Security Agency—is eager to accept candidates from two-year schools that comply with its own strict educational criteria. Yet those same graduates would not qualify on paper for 90% of the openings for a cybersecurity analyst.
Industry and government must strengthen and explore new methods for cultivating, hiring, and training cybersecurity workers. Today, the Aspen Cybersecurity Group is announcing commitments from fifteen companies—AIG, Apple, Cloudflare, Cyber Threat Alliance, Duke Energy, Facebook, Google, IBM, IronNet, Johnson & Johnson, Northrop Grumman, Symantec, Unisys, Verizon, and PwC—to help lead the way in addressing the mounting shortfall in the nation’s cybersecurity workforce by:
These commitments are not just aspirational—companies are already acting internally and through outside partnerships, demonstrating a path for the rest of industry to follow suit in these and other areas:
The Aspen Cybersecurity Group encourages other employers, including federal, state, and local government agencies, to join this effort. Interested organizations should contact David Forscey, Managing Director of the Aspen Cybersecurity Group, at [email protected].