The United States needs more cybersecurity experts to protect its critical infrastructure and federal networks from cyber threats

With almost 700,000 cybersecurity job openings, the United States doesn’t have enough cybersecurity experts to protect the nation’s critical infrastructure and federal networks from cyber threats, according to members of industry and Congress.

Representatives and witnesses painted an alarming picture of the shortfall in cybersecurity talent during a June 22 House Homeland Security Committee subcommittee on cybersecurity and infrastructure hearing.

“We need not only enough people, but the right people with the right skills in the right jobs to meet the growing cyber threat,” said Rep. Andrew Garbarino, R-N.Y. “In April, the FBI director testified to Congress that even if all FBI cyber-agents and [intelligence] analysts focused on the China threat, Chinese hackers would still outnumber our FBI cyber personnel at least 50 to one. That is extremely concerning.”

Will Markow, vice president of applied research at labor market analytics firm Lightcast, told members that the cybersecurity talent pipeline is severely broken.

“In the past 12 months, there are over 660,000 cybersecurity job openings in the United States, but we only have 69 skilled cybersecurity workers for every 100 that employers demand,” he said. “This means we are stepping onto the digital battlefield missing nearly a third of our army, and the consequences of this talent shortage echo across our country.”

The consequences manifest in the economy, increasing hiring costs and salaries for cybersecurity workers, he added. Meanwhile, cybersecurity jobs take 21 percent longer to fill than other IT roles, which can lead to cybersecurity position vacancies as cyber threats increase.

Cyber certifications, while useful, can be difficult to keep up with, he added. As the cyber world constantly evolves, the same is required of cybersecurity skills. This has led to not just a talent gap, but an expectations gap between employees and employers that prioritize hiring those with inflated credentials or extensive work experience, which has created a “perfect storm of market failures,” Markow said.

He added that even if every single computer and information science graduate pursued cybersecurity, the workforce would still need at least 200,000 more people. “We’re going to have to find ways to redeploy and reskill existing workers if we’re going to close that talent gap within any human timescale.”

To go about closing these gaps in the cybersecurity workforce, entry-level job requirements would need to be lowered, and guidance would need to be offered to individuals and their employers on how to constantly reskill their workers, he added.

Lightcast is one of the partners behind CyberSeek, a cybersecurity workforce analytics and career pathway platform. Markow suggested that cybersecurity employers could use the grant-funded platform to better visualize and build their cyber workforces.

Rep. Eric Swalwell, D-Calif., said the National Cybersecurity strategy, which was released earlier this year, signified the moral necessity and strategic importance of increasing diversity in the workforce. “We simply will not be able to close the gap between employer demand and the available talent pool if we do not do more to bring women, people of color, immigrants and other underrepresented groups into the cyber talent pipeline,” he noted.

Tara Wisniewski, executive vice president for advocacy, global markets and member engagement at ISC2, also emphasized the importance of increasing diversity.

“We know from our research that organizations with [Diversity, Equity and Inclusion] programs in place have smaller workforce gaps. Yet despite these findings, meaningful progress to deliver more diversity, equity and inclusivity in the cybersecurity profession has been slow,” Wisniewski said.

Anjelica Dortch, senior director for U.S. government affairs and head of cybersecurity policy at SAP America, said the company has been able to build diversity through various programs — one of which utilizes the unique abilities of neurodivergent individuals. The program, Autism at Work, was launched in 2013 to promote inclusion at SAP.

“We support neurodiverse professionals during the hiring process and offer a variety of resources to facilitate the success of employees once they are onboarded,” she said. “But to help neurodiverse professionals realize their potential, most organizations must adjust their recruitment, selection and career development policies to reflect a broader definition of talent.”

Another under-tapped resource is the pool of former service members with cyber skills, said Marine Col. Colonel Chris Starling (ret.), executive director of NPower in California. The nonprofit organization provides training and job placement services to veterans and young adults from underserved communities.

“Capitalizing on the talent pool of military-connected individuals and families, including transitioning military service members is easy,” he said. “It’s natural to retrain people from defending the nation to defending the network,” Starling continued.

NPower received a $1 million grant from Cybersecurity Infrastructure and Security Agency, or CISA, to help support the organizations free program that serves more than 1,300 unemployed and underemployed students per year, of which 75 percent are ethnic minorities and 39 percent are women, he added.

“We seek people in transition, that are passionate about technology and who are willing to commit themselves to 16 weeks or more of training,” he said. “Second, we understand that some people need help not just in the classroom to learn the material, but with life. NPower’s team of social support managers provides wraparound services by connecting students with local resources to help them solve everyday problems,” Starling said.

Currently, the program operates in nine states across the country. Starling recommended the committee establish a similar, permanent program, which would focus on providing sustainable funding for individuals like those served by NPower.

However, there is still one structural problem that many former service members face: the lack of a degree, he said. “Cybersecurity demand is outpacing supply, and many companies still seek applicants that have college degrees,” Starling said.

The problem with the national cybersecurity talent pipeline isn’t new, and it’s only continuing to grow, Swalwell said.

“As the White House works to finalize its national cyber workforce education strategy, it’s critical that Congress can be an active partner in implementing policies and providing resources to expand the cyber talent pipeline and ensure we have the workforce necessary to maintain … our advantage against adversaries who are outnumbering us, like China and Russia,” he said.