August 16, 2023 By Jonathan Reed 4 min read

How far behind is the United States in filling cybersecurity jobs? According to Rep. Andrew Garbarino, R-N.Y., Chairman of the House Homeland Security (HHS) Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. He made the statement during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.”

Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming.

How the cybersecurity talent gap emerged

The World Economic Forum (WEF) concluded that COVID-19 was linked to a whopping 238% rise in worldwide cyberattacks against the financial sector between February and April 2020. And in the U.S., cyber breaches increased by 50% for hospitals and healthcare providers between February and May. Additionally, the World Health Organization (WHO) witnessed a fivefold rise in cyberattacks.

Meanwhile, the U.S. Bureau of Labor Statistics projects that employment of information security analysts will grow 35% from 2021 to 2031, much faster than the average for all occupations. It also projects about 19,500 openings for information security analysts each year, on average, over the decade. Many of these openings are expected to result from turnover as workers switch to different occupations or retire. And what about those who are working now? Rep. Garbarino stated that 61% of security workers say they are burned out after years of triaging major security incidents.

Given the dire cyber talent shortage, what can organizations do? The testimony of industry leaders before the HHS Cybersecurity and Infrastructure Protection Subcommittee offers some clues. Later, we’ll also look at tools that can enable security teams to work more efficiently and effectively.

Accelerate training programs

Anjelica Dortch, Senior Director of U.S. Government Affairs & Head of Global Cybersecurity Policy at SAP America, Inc., shared how SAP developed a two-year program for high-performing early career professionals. The participants have little to no professional experience, but they do have a basic understanding of IT and security topics. After completing the program, participants then move into full-time roles that best match their skills and interests. This model has expanded and diversified the company’s pool of cybersecurity candidates while also improving retention rates.

Dortch’s advice to the subcommittee was to pass the Jumpstart Our Businesses by Supporting Students Act of 2023 (or the JOBS Act). The bill would extend Pell Grant eligibility to short-term job training programs for high-demand occupations like cybersecurity.

Leverage available resources

Will Markow, Vice President of Applied Research at Lightcast, highlighted the availability of CyberSeek.org, a cybersecurity workforce analytics and career pathway platform which is free to the public. Funded by a grant from NIST, the platform provides actionable, accessible and up-to-date information about the nation’s cybersecurity workforce.

CyberSeek provides best-in-class data and interactive visualizations to connect employer needs with job seekers. The platform includes a supply and demand heatmap, cyber career pathways, skill-based job descriptions and a map of local training providers. CyberSeek also includes links to other resources on the cybersecurity workforce — including those from CISA and the National Initiative for Cybersecurity Careers and Studies.

Ditch the degree requirement

Markow also stressed the importance of reducing education, experience and certification requirements in job openings. This could make hiring easier and expand the size and diversity of the government’s candidate pool. For example, as per Markow, Lightcast data show that removing a bachelor’s degree from early-career cybersecurity job postings can reduce the average cost to hire by over $15,000 and increase the candidate pool by over 60%.

Markow’s recommendations to ease the talent crunch also include prioritizing training for high-growth, high-value skills. He states that demand for many emerging cybersecurity skills will grow 50% or more in the coming years, and that many of these skills command salary premiums of $10,000 or more. In most cases, however, these skills cost much less to train. Focusing training on high-growth, high-value skills (cloud security, DevSecOps, etc.) can help the federal government maximize its training ROI.

Provide incentives and start early

Tara Wisniewski, Executive Vice President for Advocacy, Global Markets and Member Engagement at ISC2, agrees that for entry-level cybersecurity professionals, degrees are not always required. Wisniewski points out, however, that organizations and the government must be willing to provide incentives and hire entry-level professionals with entry-level qualifications. Plus, stakeholders must be willing to invest in the professional development of these professionals. Otherwise, Wisniewski warns, it will be difficult to create the talent pipeline necessary to bridge the workforce gap.

Wisniewski applauded CISA’s education and career development programs, such as the Cybersecurity Education and Training Assistance Program (CETAP). These programs aim to inspire future cybersecurity professionals through initiatives that bring cybersecurity education into K-12 schools.

Help your cyber teams face threats now

Beyond new hiring and training practices, how can cyber teams contend with a new operational reality? How can they make the most of their current workforce?

Facing a talent shortage, organizations are also turning to artificial intelligence (AI) to get more out of their limited resources. AI combined with automation can enable teams to better confront the growing volume of everyday security threats. One report shows that 34% of AI adopters name threat detection as one of their top AI use cases today. Report participants also ranked automated detection and response and threat intelligence as important applications.

The top-performing AI adopters demonstrate the potential for AI to transform cyber defense operations. Among these top performers, AI now monitors 95% of network communications and 90% of endpoint devices for malicious activity and vulnerabilities. They also estimate that AI helps them detect threats 30% faster than before.

AI adopters are also significantly reducing incident response times and time to investigate. Meanwhile, their return on security investment (ROSI) has jumped 40%. Last but not least, recent evidence shows that AI assistance cuts alert triage times in half. That’s good news for overworked and understaffed cyber teams.
