Cyber workforce shortcomings

As organizations and governments across the globe struggle to staff high-level cybersecurity positions, a new report finds that the U.S. government may have a bigger shortage than it realized.
Wednesday, April 3, 2019

WASHINGTON—There’s no denying it: the future is digital. Whether it’s Industry 4.0, the aptly named industrial revolution that signals the rising influence of automation and data exchange in manufacturing, or the rise of cyberwarfare, the effects of which are yet to be fully realized, the clout of the Internet is growing exponentially and will continue to do so for the foreseeable future. And with so much resting on the platform, it’s imperative that robust cybersecurity programs in both the public and private sectors grow exponentially, as well.

So why, then, is there such a scarcity of cybersecurity employees?

That’s the question that the U.S. government has been trying to answer for years. It has poured billions of dollars into research, initiatives, recruitment efforts, and programming surrounding the nation’s cybersecurity needs and those who can provide them. One such program, the National Initiative for Cybersecurity Education (NICE), is led by the National Institute of Standards and Technology (NIST) and since 2010 has worked with government, academia, and the private sector to promote robust cybersecurity education and training. And just recently, the White House proposed a budget of nearly $11 billion for cybersecurity and Internet of Things activities, including establishing a unified cyber workforce capability across the civilian enterprise.

Despite federal efforts—and in part due to the exponential growth of the cyber industry—the gap between the number of cybersecurity workers and positions continues to grow. The number of unfilled cybersecurity positions has increased by more than 50 percent since 2015, according to the Center for Strategic and International Studies (CSIS).

The cybersecurity workforce shortage is not just a problem within the U.S. government. A recent study from industry association ISACA found that more than 60 percent of organizations say vacant cybersecurity positions remain unfilled for an average of three months, and 32 percent say it can take upwards of six months to fill such a position. CyberSeek, an initiative funded by NICE, noted that almost 314,000 cybersecurity jobs in the United States remained vacant in January 2019—a significant number when compared to the total currently employed cybersecurity workforce of just 716,000.

The shortage of cybersecurity workers extends abroad, and is in some cases worse overseas. The Asia-Pacific region is being hit especially hard by the shortage as countries in the region pass more cybersecurity and data privacy legislation. CSIS conducted a survey of eight countries and found that 82 percent of employers are facing a shortage of cybersecurity workers, and 71 percent believe that shortage causes direct and measurable damage to their organizations. And according to research by (ISC)², there are close to 3 million vacant cybersecurity positions worldwide.

“When it comes to the cybersecurity workforce gap, there are a number of different factors, not the least of which is a shortage of supply across the government and private sector, too,” explained Gregory Wilshusen, director of information security issues at the U.S. Government Accountability Office (GAO). “There are a large number of different private and public sector organizations that are vying for the same cyber talent.”

The majority of unfilled cybersecurity jobs today are high-level technical positions and those specializing in newer digital technologies—neither of which can be filled overnight. The constant evolution of necessary skillsets only compounds the problem and requires frequent continuing education.

The long-term solution to the shortage lies in an educational system that teaches children—as well as marginalized groups such as women, minorities, and veterans—about cybersecurity career paths, the studies agree. Both the public and private sectors have thrown their support—and money—into grade-school STEM programs in hopes that the future of cybersecurity lies in the next generation.

The cybersecurity industry is also notoriously cannibalistic, as Wilshusen indicated—once talent is acquired by an organization, it often becomes the target of other companies that can offer better pay or benefits—especially after the employee has received valuable training. This highly competitive field puts the federal government at a disadvantage, since it requires most employees to pass some form of background check and drug tests, and often can’t pay what big technology companies can afford.

So, what can the government do to tap into the already-meager pool of qualified applicants? For starters, it can accurately document vacant cybersecurity positions, according to a new GAO report authored by Wilshusen. The bipartisan congressional report, Cybersecurity Workforce: Agencies Need to Accurately Categorize Positions to Effectively Identify Critical Staffing Needs, found that many of the agencies affected by the workforce shortage do not have an accurate understanding of just how many cybersecurity positions they need to fill.

Following the 2015 Federal Cybersecurity Workforce Assessment Act, federal agencies were required to assign codes to work roles to signify whether they were IT-related as defined by NICE. The goal of the coding was to help agencies—and the federal government as a whole—have a better grasp of critical staffing needs.

However, when GAO researchers reviewed the efforts of 24 federal agencies, they found that six of those agencies never coded the work roles, and 22 agencies miscategorized many positions. Almost 16,000 cybersecurity positions were miscategorized as non-IT—meaning that 19 percent of all federal IT jobs have been unaccounted for, and the cybersecurity workforce gap may be even larger than initially thought.

“The extent to which these agencies were mischaracterizing their IT positions surprised me,” Wilshusen told Security Systems News. “We looked at the codes from the NICE cybersecurity workforce framework that the agencies were required to code their IT cyber related positions with, and it really surprised me that 19 percent, or more than 15,779 positions, were characterized as not having an IT role or function. That has an impact—if the agencies are not accurately categorizing IT positions, it will make it more difficult to effectively identify critical staffing needs.”

Additionally, GAO found that more than half of a select sample of positions had work codes that were inconsistent with the job description, which raised questions about the accuracy of the system.

“It kind of gives pause as to the reliability of the information in the personnel systems that might be used to identify areas of critical need and what type of positions and skillsets the federal government and individual agencies need to focus on,” Wilshusen said.

Most of the miscategorizations were made in error, and agencies are working to correct the errors before April, when they are required to report on the work roles of critical need, Wilshusen explained.

“It’s a challenge—they will need to go through and review and update that information and how they categorize their IT- and cyber-related positions by April,” Wilshusen noted. “If they don’t, it will likely diminish their ability to accurately identify areas of critical need that they have to fill.”

While the government’s mistaken coding of cybersecurity jobs may seem a small technical hiccup in comparison to the ever-growing global workforce gap, Wilshusen explained that having a factual understanding of what roles need to be filled can influence important policy decisions for years to come. This type of data can reveal the kinds of education and experience most needed to fill critical roles, and that will be used in shaping STEM education in grade schools and beyond, he said.

“It is certainly a key element in making the determination of where we need to place our resources and attention in attracting, recruiting, and being able to train individuals to fill those positions and perform this desperately-needed work,” Wilshusen said. “We have to improve our supply of this talent, expand and grow it, and help expand the workforce that we need to compete in the 21st Century.”