1. The Cybersecurity Workforce Gap
- Author:
- James Andrew Lewis and William Crumpler
- Publication Date:
- 01-2019
- Content Type:
- Working Paper
- Institution:
- Center for Strategic and International Studies
- Abstract:
- As cyber threats continue to grow in sophistication, organizations face a persistent challenge in recruiting skilled cybersecurity professionals capable of protecting their systems against the threat of malicious actors. With cybercriminals now responsible for billions in losses per year and state-sponsored hacking groups posing an ever-greater threat, the need for individuals capable of securing networks against attackers has never been greater. However, education and training institutions in the United States have so far found it difficult to keep pace with the growing need for cyber talent. This paper highlights the gaps that exist in the nation’s current cybersecurity education and training landscape and identifies several examples of successful programs that hold promise as models for addressing the skills gap. It then highlights recommendations for policymakers, educators, and employers. A recent CSIS survey of IT decisionmakers across eight countries found that 82 percent of employers report a shortage of cybersecurity skills, and 71 percent believe this talent gap causes direct and measurable damage to their organizations.1 According to CyberSeek, an initiative funded by the National Initiative for Cybersecurity Education (NICE), the United States faced a shortfall of almost 314,000 cybersecurity professionals as of January 2019.2 To put this in context, the country’s total employed cybersecurity workforce is just 716,000. According to data derived from job postings, the number of unfilled cybersecurity jobs has grown by more than 50 percent since 2015.3 By 2022, the global cybersecurity workforce shortage has been projected to reach upwards of 1.8 million unfilled positions.4 Workforce shortages exist for almost every position within cybersecurity, but the most acute needs are for highly skilled technical staff.
In 2010, the CSIS report A Human Capital Crisis in Cybersecurity found that the United States “not only [has] a shortage of the highly technically skilled people required to operate and support systems already deployed, but also an even more desperate shortage of people who can design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate and reconstitute from damage due to system failures and malicious acts.”5 At the time, interviews indicated that the United States only had about 1,000 security specialists with skills and abilities to take on these roles, compared to a need for 10,000 to 30,000 personnel. In the nine years since that report, these challenges have persisted. In 2016, CSIS found that IT professionals still considered technical skills like intrusion detection, secure software development, and attack mitigation to be the most difficult-to-find skills among cybersecurity operators.6 A 2018 survey of California businesses revealed that a lack of required technology skills was one of the greatest challenges facing organizations when hiring cybersecurity candidates.7 These challenges were particularly acute for mission-critical job roles, with over a third of organizations reporting a lack of technology skills in candidates for vulnerability assessment analyst positions and half of employers reporting deficiencies for cyber defense infrastructure support candidates. Employers today are in critical need of more cybersecurity professionals, but they do not want more compliance officers or cybersecurity policy planners. What organizations are truly desperate for are graduates who can design secure systems, create new tools for defense, and hunt down hidden vulnerabilities in software and networks.8
- Topic:
- Security, Science and Technology, Cybersecurity, and Information Technology
- Political Geography:
- Global Focus