The shortage of cybersecurity professionals in the United States (750,000+ open jobs as of February) is a pressing concern with far-reaching national security implications.
As technology continues to advance and cyber threats become increasingly complex and sophisticated, the nation finds itself grappling with a critical deficit of skilled individuals capable of defending its physical and digital infrastructure.
The more connected we become as a society, the larger the attack surface becomes for adversaries to exploit.
Recipe for Disaster
The shortage is exacerbated by multi-year government procurement processes, which are then extended by endless post-award protests. This puts US national security programs at least one to two generations behind adversary attack vectors. Their quick adoption and application of AI-related technologies to automate operations will only lengthen those gaps.
Couple all that with the scarcity of US cyber professionals and we have a recipe for disaster. The cyber professional shortfall is profoundly impacting America’s ability to safeguard sensitive data, critical infrastructure, and governmental systems.
Recent cyber-attacks – Solar Winds, Oldsmar Beach, Colonial Pipeline, Pipe Dreams, and others – have exposed the vulnerabilities of aging infrastructure and outmanned and overworked security professionals. Right now, almost every IT job in the US has a cyber component to it.
Vulnerabilities From Home to the Homeland
The over-reliance on detection tools to alert you when an incident occurs masks the larger problem. As a society, we are increasingly dependent on the 31 billion+ mainly unprotected Internet of Things devices deployed globally embedded in our homes, vehicles, communications devices, power and water generation and distribution facilities, and more.
It’s an unacceptable risk that we unknowingly but continually face. No one person decided over the last decade to embed these vulnerabilities into our everyday lives, but we have become the frog in the slowly boiling digital pot.
Moreover, national security agencies and military operations heavily depend on cyber capabilities. From intelligence gathering to defending against espionage, US agencies require highly skilled cyber professionals to protect against threats from rival nations and non-state actors.
The scarcity of such experts undermines the nation’s ability to mount effective cyber defenses, leaving the US exposed to foreign adversaries.
Everyone Looks for the Same Scarce Talent
The proliferation of cyber threats has increased demand for cybersecurity professionals across all sectors. As private and public sector organizations struggle to secure their physical and digital assets, they compete for a limited pool of qualified candidates, driving up salaries and the cost of cybersecurity services.
Small and medium-sized enterprises, which may not have the resources to attract and retain that high-priced talent, often find themselves particularly vulnerable.
Job descriptions on search boards all have similar desires – a 4-year degree, plus a master’s or PhD, plus 2 to 3 years working in a Security Operations Center. All for entry and mid-level jobs!
What’s more, of the approximately 180,000 graduate and PhD degrees awarded annually in the US, there are estimates that more than 50 percent are non-US citizens. Many of them will return to their home countries; some may even apply their cyber skills for our adversaries.
Unfortunately, there is a tendency to over-value “academic” credentials over experience for these positions. That is not to discount those with degrees – there just are not enough. Cybersecurity job descriptions often inflate complexity, likening them to the expertise required for a medical profession.
A large percentage of these jobs can be filled with people who undergo 16-week-or-less boot camps or micro-certificate programs. In fact, there are US personnel on the frontlines of cyber who do not have a PhD, master’s, or even undergraduate degree.
Getting industry and government hiring boards comfortable with accepting non-traditional and experiential talent for cyber positions is a cultural hurdle, not a technical one.
Even meeting minimum academic requirements after 6 to 9 years of schooling and training may leave candidates with limited hands-on keyboard experience. They also often carry college debt, and government jobs pay significantly less than Google, Meta, or Microsoft.
Fixing the Problem Can Start Now
Addressing these challenges requires a multifaceted approach. Education and training must be prioritized from primary education to university and non-traditional certification programs. Encouraging students to pursue careers in cybersecurity, computer science, and related fields can help build a pipeline of skilled experts.
Additionally, re-skilling and up-skilling programs can help professionals from related disciplines transition into cybersecurity roles. Apprenticeships and stackable, transferable micro-certifications will also help.
Public-private partnerships are crucial. Collaboration between government agencies, academia, and the private sector can facilitate the exchange of knowledge, expertise, and resources. Offering incentives like scholarships, internships, and grants will attract more individuals. Diverse and inclusive recruitment practices can broaden the pool of potential candidates, ensuring a wider range of perspectives.
Failure to address the urgent cyber talent shortage could leave the US exposed to cyberattacks with far-reaching consequences, affecting critical infrastructure, economic stability, and overall security. It doesn’t and shouldn’t have to take 7 to 9 years to create the next generation of cyber professionals.
Efforts to invest in education, training, and collaboration between sectors are essential to building a strong and capable cybersecurity workforce that can safeguard the nation’s digital landscape. Creating opportunities for non-degreed people to enter the field and/or to retrain people who want to re-enter the workforce is the only viable option to meet the demand.
Paul Maguire is the co-founder and CEO at Knowmadics. He is a former intelligence officer with multiple deployments to the Persian Gulf and Southeast Asia.
His expertise lies in specialized areas such as counter-terrorism, counter-drug, and personnel tracking and recovery operations.
Disclaimer: The views and opinions expressed here are those of the author and do not necessarily reflect the editorial position of The Defense Post.
The Defense Post aims to publish a wide range of high-quality opinion and analysis from a diverse array of people – do you want to send us yours? Click here to submit an op-ed.