Cybersecurity Talent Shortage Prompts White House Action

With more than half a million cybersecurity jobs unfilled nationwide in the US, private enterprise and the federal government alike are focusing efforts to help fill the gap by changing hiring strategies and encouraging careers in IT security.

This week, the White House Office of the National Cyber Director (ONCD), in collaboration with the Office of Management and Budget (OMB), announced the "Service for America" initiative, which is part of the National Cyber Workforce and Education Strategy (NCWES).

The main directive is to recruit and prepare Americans for jobs in cybersecurity, technology, and artificial intelligence (AI). The initiative focuses on creating accessible career pathways by removing degree requirements, and emphasizing skills-based hiring.

To that end, the program promotes work-based learning, such as registered apprenticeships, which allow individuals to earn while they gain new skills. And on the AI front, while it is seen as having the potential to fill some of the perceived workforce gaps, human cybersecurity does not appear to be a role that is going away any time soon — for most AI and related tools, a human element is still vital to decision making.

The announcement comes as the US faces a significant cybersecurity talent shortage, with 225,200 more workers needed to fill nearly 470,000 job openings, according to a June report from CyberSeek.

Despite growing education and training programs, "many Americans do not realize that a cyber career is available to them," National Cyber Director Harry Coker Jr. said in a blog post about the initiative. "There is a perception that you need a computer science degree and a deeply technical background to get a job in cyber."

Federal initiatives are also underway to support neurodivergent candidates and those who are blind and visually impaired. And earlier this year, the administration announced a $244 million investment in apprenticeships for growing industries, including cybersecurity. The initiative also supports community-driven efforts to address local workforce needs through collaboration between employers, educational institutions, and government.

Cyber Pros With Unconventional Backgrounds

Erich Kron, security awareness advocate at KnowBe4, said he agreed that many people who work in roles that are not highly technical or related to computer science believe there is no path for them in cybersecurity, even if they have the interest and passion to be great at it. 

"Some of the most amazing cybersecurity talent that I am aware of has come from nontraditional paths, including those in insurance, arts and theater, as well as other seemingly unrelated trades," he said.

Kron added that tapping this well of talent to fill positions in the cybersecurity world has the benefit of infusing nontraditional thought processes and experience into the industry.

"This helps round out defenses and develop ways to defend against cybercriminals through a fresh perspective," he explained.

Meanwhile Shane Fry, CTO of RunSafe Security, said businesses, especially large organizations, tend to favor highly skilled cyber workers with a college degree.

"This can lead to some great candidates, but it also ostracizes a large group of folks that are so passionate about cyber that they picked up the skills on their own and don't have a degree to put on a resume," he said.

He added some of the smartest cyber security professionals he's worked with in his career never even stepped foot on a university campus, let alone finished a degree.

"There's a ton of opportunities for businesses to provide on the job training and external training courses to get people from the fringes of cybersecurity into the cybersecurity fold," Fry said.

That could be changing: a May survey report from the SANS Institute and GIAC found a growing emphasis on certification-based training over traditional degrees, with cybersecurity and HR managers favoring certifications by a 2:1 margin.

Apprenticeships, Community Engagement

Recent surveys have also indicated that the so-called "workforce shortage" may be in part to unrealistic demands for qualifications and low salaries — added to the systemic problem of persistently high burnout rates among IT security professionals.

Indicative of the issues is the fact that broke, burned out, or laid-off cybersecurity pros are turning to cybercrime side hustles to make ends meet.

The SANS report for instance found that the cybersecurity talent shortage numbers are driven by headcount gaps, and don't reflect the number of available candidates that have appropriate skills.

And indeed, while most respondents (71%) in the SANS survey said they are committed to recruiting diverse candidates, hiring efforts are hindered by internal confusion, a lack of standardized career paths, and misaligned skill sets, particularly for mid-level roles.

Survey results also indicated many organizations lack alignment between HR and cybersecurity teams, with 37% of managers suggesting HR needs a deeper understanding of cyber roles, and 46% calling for better collaboration.

Cyber: A Rewarding Profession, But Be Realistic

Kron noted that for those who understand that cybersecurity can be a stressful, but also incredibly rewarding, type of career field, checking out programs to help accelerate education and a career change is critical.

"It is important that people considering a career in cybersecurity understand some of the challenges of this career path, including the potential to be on call and a requirement to react quickly when incidents occur, even on weekends or in the evenings," Kron explained.

From Fry's perspective, far too many businesses have been apprehensive to spend money on training or skills development; but that's likely an untenable position.

"The impact to those organizations, and the customers of those organizations is that they will continue to fall prey to cybersecurity attacks," he said. "The longer those organizations wait to prioritize cybersecurity and build a cybersecurity pipeline, the farther behind the power curve they will be."

Thus, business' hands may be forced, and the time is right to embrace some of the federal initiatives.