Lawmakers lean on research, success stories in effort to diagnose cyber workforce shortage

If you haven’t heard, there’s a cybersecurity workforce crisis happening in the public sector. And the private sector. All across the United States.

And everywhere else.

This complex problem affects government agencies and private businesses alike and goes beyond a lack of available candidates or prospective applicants. FBI Director Christopher Wray testified to Congress in April that even if they were to take all their cyber and counterintelligence personnel and focus them on digital threats from China, Chinese hackers would still outnumber them 50 to 1.

Rep. Andrew Garbarino, R-N.Y., chair of the House Homeland Security’s cybersecurity subcommittee, noted in a hearing Thursday that “it’s clear that the shortage of talent and burnout are issues that both the public and private sector face. Therefore, it is an issue we must tackle together.”

California Rep. Eric Swalwell, ranking Democrat on the subcommittee, argued the way out of the nation’s current information security employment crisis was through aggressive programs that can identify, train and develop communities and populations that have long been underrepresented in the field.

“We simply will not be able to close the gap between employer demand and the available talent pool if we do not do more to bring women, people of color, immigrants and other underrepresented groups into the cyber talent pipeline,” said Swalwell.

There is research to back up some of these claims.

A study this year from nonprofit group Women in Cybersecurity surveyed over 300 women who attended a series of cyber workshops in February and collected over 420 anonymously shared workplace experiences. It found that workplace dynamics, a lack of opportunities for career growth and respect in the workplace were major factors that contribute to the existing gender gap in the cybersecurity industry.

Anecdotally, many women in cybersecurity continue to report episodes of harassment, mistreatment from coworkers and peers or unfounded lack of trust in their abilities as an obstacle in pursuing a cybersecurity, though some note the industry has collective made real efforts to improve in these areas over the past decade.

While policymakers often describe the problem as a “shortage” of qualified workers, another study last year from non-profit (ISC)2 surveyed more than 11,000 cybersecurity practitioners concluded that the primary problems affecting most organizations were a failure to invest enough into developing and training their cybersecurity workforce and providing clear career pathways into the craft, not a shortage of available talent.  

“This analysis suggests that the most negatively impactful issues are ones that organizations can indeed control: not prioritizing cybersecurity, not sufficiently training staff, and not offering opportunities for growth and promotion. Being able to find qualified talent was actually the least impactful problem based on this analysis,” the report stated.

Tara Wisniewski, executive vice president for advocacy, global markets and member engagement at (ISC)2, testified to lawmakers Thursday that their research indicates that organizations with more diverse security teams tend to be more confident in their security posture, have smaller workforce gaps and better retention rates.

“Despite these findings, meaningful progress to deliver more diversity, equity and inclusivity in the cybersecurity profession has been slow,” Wisniewski said.

Organizations must better tap younger applicants, underrepresented groups

Lawmakers were keen to learn from private sector counterparts who have reported more success when it comes to filling out their cyber hiring needs.

Tapping younger candidates with less established backgrounds but more familiarity with the technology market could be another pathway.

Despite their lack of tenure — or college degree — younger candidates often have hands-on operational experience with computers and hacking that aren’t always reflected on their resumes.

Chris Krebs, former head of the Cybersecurity and Infrastructure Security Agency, told Congress in 2020 that many of the most promising, experienced candidates he saw apply to the government were teenagers or in their early 20s, and that when it comes to hiring cybersecurity professionals: “I'm not sure it matters if you're 45 or 17, which speaks to the ways that we need to evolve our hiring practices.

But other cybersecurity professionals have expressed reluctance to hire early career candidates, arguing that learning on the job is not a viable option when it comes to defending the networks and assets of multi-million or billion-dollar businesses. Many positions listed as entry level, for example, actually require multiple years of cybersecurity specific experience.

Anjelica Dortch, senior director of U.S. government Affairs for SAP America, told the panel her company has more than doubled the number of women in cybersecurity management roles, and more than 60% of the organization’s security team is comprised of Millennial and Gen Z cybersecurity professionals, compared to only 4% of federal IT employees who are under the age of 30.

“The generational diversity of the SAP global security team is drastically different from that of the U.S. federal government,” she told lawmakers.

Dortch cited three programs and initiatives responsible for their workforce successes.

One them, SAP’s global security early talent program, targets high-performing early career employees with little or no professional experience and puts them through a rigorous two-year training program that involves rotations through different jobs and roles in the United States and abroad. Following the program, participants are placed into full-time role that align with their interests and skillsets.

SAP also runs an autism-at-work program that is designed to support neurodivergent individuals during the hiring process and provide other resources once they’re onboarded, as well as a non-profit, NS2 Serves, that trains and supports veterans into national security and technology careers. Both have helped to reshape and adjust SAP hiring practices to capture a broader pool of applicants.

“This model has expanded and diversified our pool of cybersecurity candidates, along with achieving higher rates of retention. Additionally, these types of rotational programs provide greater exposure and flexibility for young professionals to explore different specialties within this field, rather than locking them into distinct roles or occupational series,” said Dortch.

Several members expressed the potential for emerging technologies like artificial intelligence or quantum computing to play a larger role in protecting organizations from cyberattacks. Experts believe both hold intriguing potential for offensive and defensive cybersecurity applications, but are also years away from being a viable or scalable solution.

“Our position is that [AI-enabled cybersecurity is] another emerging technology and one that needs to be managed but also embraced…I think there is still a lot of unknowns about the technology and that is driving some of the media storm right now, but it is still a really important technology and then of course there’s quantum coming right behind it,” Wisniewski said.