August 16, 2023 | By Jonathan Reed

How far is the United States behind in filling cybersecurity jobs? According to Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. He made the statement during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.”

Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming.

How the cybersecurity talent gap emerged

The World Economic Forum (WEF) concluded that COVID-19 was linked to a whopping 238% rise in worldwide cyberattacks against the financial sector between February and April 2020. And in the U.S., cyber breaches increased by 50% for hospitals and healthcare providers between February and May. Additionally, the World Health Organization (WHO) witnessed a fivefold rise in cyberattacks.

Meanwhile, the U.S. Bureau of Labor Statistics projects that employment of information security analysts will grow 35% from 2021 to 2031, much faster than the average for all occupations. Furthermore, about 19,500 openings for information security analysts are projected each year, on average, over the decade. Many of these openings are expected to result from talent turnover as workers switch to different occupations or retire. And what about those who are working now? Rep. Garbarino stated that 61% of security workers say they are burned out after years of triaging major security incidents.

Given the dire cyber talent shortage, what can organizations do? The testimonies of tech leaders during the HHS Cybersecurity and Infrastructure Protection Subcommittee hearing give us a clue. Later, we’ll also look at tools that can enable security teams to work more efficiently and effectively.

Accelerate training programs

Anjelica Dortch, Senior Director of U.S. Government Affairs & Head of Global Cybersecurity Policy at SAP America, Inc., shared how SAP developed a two-year program for high-performing early career professionals. The participants have little to no professional experience, but they do have a basic understanding of IT and security topics. After completing the program, participants then move into full-time roles that best match their skills and interests. This model has expanded and diversified the company’s pool of cybersecurity candidates while also improving retention rates.

Dortch’s advice to the subcommittee was to pass the Jumpstart Our Businesses by Supporting Students Act of 2023 (or the JOBS Act). The bill would extend Pell Grant eligibility to short-term job training programs for high-demand occupations like cybersecurity.

Leverage available resources

Will Markow, Vice President of Applied Research at Lightcast, highlighted the availability of CyberSeek.org, a cybersecurity workforce analytics and career pathway platform which is free to the public. Funded by a grant from NIST, the platform provides actionable, accessible and up-to-date information about the nation’s cybersecurity workforce.

CyberSeek provides best-in-class data and interactive visualizations to connect employer needs with job seekers. The platform includes a supply and demand heatmap, cyber career pathways, skill-based job descriptions and a map of local training providers. CyberSeek also includes links to other resources on the cybersecurity workforce — including those from CISA and the National Initiative for Cybersecurity Careers and Studies.

Ditch the degree requirement

Markow also stressed the importance of reducing education, experience and certification requirements in job openings. This could make hiring easier and expand the size and diversity of the government’s candidate pool. For example, as per Markow, Lightcast data show that removing a bachelor’s degree from early-career cybersecurity job postings can reduce the average cost to hire by over $15,000 and increase the candidate pool by over 60%.

Markow’s recommendations to ease the talent crunch also include prioritizing training for high-growth, high-value skills. He states that the demand for many emerging cybersecurity skills will grow 50% or more in the coming years, and many of these skills command salary premiums of $10,000 or more. But in most cases, these skills cost much less to train. Focusing training on high-growth, high-value skills (cloud security, DevSecOps, etc.) can help the federal government maximize its training ROE.

Provide incentives and start early

Tara Wisniewski, Executive Vice President for Advocacy, Global Markets and Member Engagement at ISC2, agrees that for entry-level cybersecurity professionals, degrees are not always required. Wisniewski points out, however, that organizations and the government must be willing to provide incentives and hire entry-level professionals with entry-level qualifications. Plus, stakeholders must be willing to invest in the professional development of these professionals. Otherwise, Wisniewski warns, it will be difficult to create the talent pipeline necessary to bridge the workforce gap.

Wisniewski applauded CISA’s education and career development programs, such as the Cybersecurity Education and Training Assistance Program (CETAP). These programs will inspire future cybersecurity professionals through initiatives to include cybersecurity education in K-12 schools.

Help your cyber teams face threats now

Beyond new hiring and training practices, how can cyber teams contend with a new operational reality? How can they make the most of their current workforce?

Facing a talent shortage, organizations are also turning to artificial intelligence (AI) to enhance the performance of their limited resources. AI plus automation can enable teams to better confront the growing volume of everyday security threats. One report shows that 34% of AI adopters state that threat detection is one of their top AI use cases today. Report participants also ranked automated detection and response and threat intelligence as important applications.

The top-performing AI adopters are proof of the potential for AI to transform cyber defense operations. AI has helped reinforce top-performer network security by monitoring 95% of network communications and 90% of endpoint devices for malicious activity and vulnerabilities. They also estimate that AI helps them detect threats 30% faster than before.

Adopters of AI are also significantly reducing response times to incidents and the time to investigate. Meanwhile, their return on security investment (ROSI) has jumped 40%. Last but not least, recent evidence shows AI assistance cuts alert triage times in half. And that’s good news for overworked and understaffed cyber teams.
