The Cybersecurity Workforce Gap

Get the full report

No registration required

Nine years after publishing A Human Capital Crisis in Cybersecurity, James Lewis of the Center for Strategic and International Studies (CSIS) revisited the topic to see whether the shortages so starkly documented in 2010 had been ameliorated. Here are a few highlights from the report, entitled The Cybersecurity Workforce Gap and published in 2019:

  • A CSIS survey of IT decision-makers across eight countries found that 82 percent of employers reported a shortage of cybersecurity skills, and 71 percent believed this talent gap causes direct and measurable damage to their organizations.
  • In 2016, the CSIS found that cybersecurity operators still considered technical skills such as intrusion detection, secure software development, and attack mitigation to be the most difficult to find. A 2018 survey of California businesses revealed that a lack of required technology skills was one of the greatest challenges facing organizations when hiring cybersecurity candidates.
  • Employers are in critical need of more cybersecurity professionals, but they do not want more compliance officers or cybersecurity policy planners. What they desperately need are graduates who can design secure systems, create new tools for defense, and hunt down hidden vulnerabilities in software and networks.
  • According to the Report to the President on Supporting the Growth and Sustainment of the Nation’s Cybersecurity Workforce published by the U.S. Department of Commerce and Department of Homeland Security, “employers increasingly are concerned about the relevance of cybersecurity-related education programs in meeting the needs of their organizations.” In 2016, a CSIS survey of IT employers found that only 23 percent thought education programs were fully preparing students to enter the cybersecurity industry. In 2018, the professional association ISACA found that 61 percent of organizations reported that fewer than half of all applicants for open cybersecurity positions were actually qualified for the job.
  • Cybersecurity encompasses a broad range of specific job roles, and no single education program can be expected to cover all of the specialized skills and sector-specific knowledge needed by each employer. However, there are certain knowledge and skill sets that are essential for all new employees in critical technical work roles, regardless of their particular field or specialty. These include an understanding of computer architecture, data, cryptography, networking, secure coding principles, and operating system internals, as well as working proficiency with Linux-based systems, fluency in low-level programming languages, and familiarity with common exploitation methods and mitigation techniques. Employers are finding that graduates lack this foundation. For example, a representative from a major corporation surveyed by the National Initiative for Cybersecurity Education stated: “The current [education] environment does not provide a common baseline set of skills from which to build the role-specific knowledge necessary to meet employer workforce requirements.”