How far is the United States behind in filling cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.”

Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming.

How the cybersecurity talent gap emerged

The World Economic Forum (WEF) concluded that COVID-19 was linked to a whopping 238% rise in worldwide cyberattacks against the financial sector between February and April 2020. And in the U.S., cyber breaches increased by 50% for hospitals and healthcare providers between February and May. Additionally, the World Health Organization (WHO) witnessed a fivefold rise in cyberattacks.

Meanwhile, the U.S. Bureau of Labor Statistics projects that employment of information security analysts will grow 35% from 2021 to 2031, much faster than the average for all occupations. Furthermore, about 19,500 openings for information security analysts are projected each year, on average, over the decade. Many of these openings are expected to result from talent turnover as workers switch to different occupations or retire. And what about those who are working now? Rep. Garbarino stated that 61% of security workers say they are burned out after years of triaging major security incidents.

Given the dire cyber talent shortage, what can organizations do? The testimonies of tech leaders during the HHS Cybersecurity and Infrastructure Protection Subcommittee hearing give us a clue. Later, we’ll also look at tools that can enable security teams to work more efficiently and effectively.

Accelerate training programs

Anjelica Dortch, Senior Director of U.S. Government Affairs & Head of Global Cybersecurity Policy at SAP America, Inc., shared how SAP developed a two-year program for high-performing early career professionals. The participants have little to no professional experience, but they do have a basic understanding of IT and security topics. After completing the program, participants then move into full-time roles that best match their skills and interests. This model has expanded and diversified the company’s pool of cybersecurity candidates while also improving retention rates.

Dortch’s advice to the subcommittee was to pass the Jumpstart Our Businesses by Supporting Students Act of 2023 (or the JOBS Act). The bill would extend Pell Grant eligibility to short-term job training programs for high-demand occupations like cybersecurity.

Leverage available resources

Will Markow, Vice President of Applied Research at Lightcast, highlighted the availability of CyberSeek, a cybersecurity workforce analytics and career pathway platform that is free to the public. Funded by a grant from NIST, the platform provides actionable, accessible and up-to-date information about the nation’s cybersecurity workforce.

CyberSeek provides best-in-class data and interactive visualizations to connect employer needs with job seekers. The platform includes a supply and demand heatmap, cyber career pathways, skill-based job descriptions and a map of local training providers. CyberSeek also includes links to other resources on the cybersecurity workforce — including those from CISA and the National Initiative for Cybersecurity Careers and Studies.

Ditch the degree requirement

Markow also stressed the importance of reducing education, experience and certification requirements in job openings. This could make hiring easier and expand the size and diversity of the government’s candidate pool. For example, as per Markow, Lightcast data show that removing a bachelor’s degree from early-career cybersecurity job postings can reduce the average cost to hire by over $15,000 and increase the candidate pool by over 60%.

Markow’s recommendations to ease the talent crunch also include prioritizing training for high-growth, high-value skills. He states that the demand for many emerging cybersecurity skills will grow 50% or more in the coming years, and many of these skills command salary premiums of $10,000 or more. But in most cases, these skills cost much less to train. Focusing training on high-growth, high-value skills (cloud security, DevSecOps, etc.) can help the federal government maximize its training ROE.

Provide incentives and start early

Tara Wisniewski, Executive Vice President for Advocacy, Global Markets and Member Engagement at ISC2, agrees that for entry-level cybersecurity professionals, degrees are not always required. Wisniewski points out, however, that organizations and the government must be willing to provide incentives and hire entry-level professionals with entry-level qualifications. Plus, stakeholders must be willing to invest in the professional development of these professionals. Otherwise, Wisniewski warns, it will be difficult to create the talent pipeline necessary to bridge the workforce gap.

Wisniewski applauded CISA’s education and career development programs, such as the Cybersecurity Education and Training Assistance Program (CETAP). These programs will inspire future cybersecurity professionals through initiatives to include cybersecurity education in K-12 schools.

Help your cyber teams face threats now

Beyond new hiring and training practices, how can cyber teams contend with a new operational reality? How can they make the most of their current workforce?

Facing a talent shortage, organizations are also turning to artificial intelligence (AI) to enhance the performance of their limited resources. AI plus automation can enable teams to better confront the growing volume of everyday security threats. One report shows that 34% of AI adopters state that threat detection is one of their top AI use cases today. Report participants also ranked automated detection and response and threat intelligence as important applications.

The top-performing AI adopters are proof of the potential for AI to transform cyber defense operations. AI has helped reinforce top-performer network security by monitoring 95% of network communications and 90% of endpoint devices for malicious activity and vulnerabilities. They also estimate that AI helps them detect threats 30% faster than before.

Adopters of AI are also significantly reducing response times to incidents and the time to investigate. Meanwhile, their return on security investment (ROSI) has jumped 40%. Last but not least, recent evidence shows AI assistance cuts alert triage times in half. And that’s good news for overworked and understaffed cyber teams.
