DHS and the Department of Commerce have released a report in response to President Trump’s cybersecurity Executive Order 13800, and its findings suggest there could be a cybersecurity workforce crisis as a result of a serious skills shortage.
The Executive Order, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, was released last year and calls for greater accountability from executive departments and agencies when it comes to managing cybersecurity risk. Part of the order states that it is U.S. policy “to support the growth and sustainment of a workforce that is skilled in cybersecurity and related fields as the foundation for achieving our objectives in cyberspace.” It directs DHS and the Department of Commerce to assess efforts to train a cybersecurity workforce, and to provide a report to the president with findings and recommendations to sustain and grow the cybersecurity talent pool in both the public and private sectors.
DHS and the Department of Commerce responded with the report Supporting the Growth and Sustainment of the Nation’s Cybersecurity Workforce, produced with input from federal agencies and the public, and its findings about the cybersecurity workforce are concerning.
The report highlights the need for immediate improvement, with employers increasingly concerned about whether cybersecurity-related education programs are meeting their needs in the workplace. It seems to suggest that part of the reason for shortcomings in education is a lack of skilled cybersecurity teachers, faculty and training instructors. It also points to a number of barriers to hiring professionals and taking on contractors, such as the security clearance backlog and protracted onboarding processes, which are hampering the growth of the cybersecurity workforce.
It’s not the first time that the cybersecurity skills crisis has been noted, and it’s not isolated to the U.S. either — a study from Cybersecurity Ventures suggests that by 2021 there will be 3.5 million unfilled cybersecurity positions globally. There are currently around 350,000 cybersecurity job openings in the U.S., up from 209,000 in 2015. In April, Kathie Miley, chief operating officer of Cybrary Inc., a security training firm, told tech blog Silicon Angle that the shortage of trained cybersecurity professionals is very real. “I hate to say it, but we need to throw more people at this problem,” she said. “When we have a shortage of soldiers, we recruit more. There is a large supply of able-bodied people who can be trained to fill those roles. In a crisis, we can draft.”
Both the DHS and Department of Commerce report and other studies have pointed out that increasing the participation of minorities, women and veterans in cybersecurity programs would dramatically increase the pool of candidates within the workforce. A report from nonprofit WSC found that only 11 percent of the U.S. IT security workforce consists of women, despite the fact that half of professional occupations and a quarter of computing-related roles are held by women.
As directed by the president, the report makes a number of recommendations to try to halt the cybersecurity workforce crisis. It suggests that the federal government lead the way with a national, high-profile call to action to mobilize public and private sector resources. It also recommends that the administration consider allocating increased budgetary resources to improve cybersecurity training and workforce development programs. The report also suggests that there needs to be greater private sector involvement in expanding opportunities and offering financial incentives to retrain displaced employees, and that there should be public sector initiatives for providing greater financial assistance and other incentives to reduce student debt or subsidize cybersecurity education and training costs.
In a statement on the executive order and the subsequent report, Homeland Security Secretary Kirstjen Nielsen said, “Pursuant to President Trump’s Executive Order 13800, DHS has developed ways to improve our protection of the federal networks, work more collaboratively with our private sector partners, and reduce the threat of automated cyber-attacks from botnets. The work undertaken reflects months of extensive research and collaboration with the private sector. DHS has recommended ways to improve our federal risk posture and modernize the federal IT enterprise. Additionally, the Department has outlined how it will prioritize private sector access to tailored intelligence and capabilities in order to mitigate risk where a cybersecurity incident could result in catastrophic effects.”