By David Forscey, Managing Director, Aspen Cybersecurity Group
In the United States, cybersecurity workforce demand continues to outpace supply despite steady growth in the workforce. From 2018 to 2020, the number of employees in cybersecurity roles grew 29 percent, from 715,715 to 922,720, while unfilled positions grew by 62 percent.
As the country enters a period of significant transition, the time is ripe for industry and government to rethink our approach. The United States boasts over 212 million citizens of working age. It would take just over 0.2 percent of our workforce to supply the 520,000 open cybersecurity roles we have today. But outdated concepts of what constitutes “cybersecurity talent” are preventing thousands of employers from taking advantage of this enormous talent pool.
An excellent source for the sort of new ideas this nation needs can be found at the Aspen Cybersecurity Group. The group is a standing, public-private forum, established to bridge the gap between government, industry, and civil society by operationalizing consensus solutions to the hardest cybersecurity problems. In 2018, the Aspen Cybersecurity Group issued the Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce. This report offered employers fresh ideas for hiring, retaining, and upskilling cybersecurity workers in ways that can expand the talent aperture and lift artificial restrictions on the pool of talent from which employers draw. Key among its findings were recommendations that employers:
These ideas are not controversial. It should not be surprising that the Aspen Cybersecurity Group was able to assemble a growing coalition of over 32 employers, from big tech firms to retailers and defense companies, who have committed to implementing these principles.
The changes are evident to anyone curious to look. Just as an example, these two open cybersecurity positions from member Bank of America showcase needed skills and experience without mentions of degrees and certifications: Cyber Intrusion Analyst and Cyber Threat Hunter Information Security Engineer.
Leidos also took degree requirements out of job postings recently. Lynsey Caldwell, Leidos Cyber Workforce Sr. Manager, said: “At Leidos, we know there are uncovered gems just waiting to be found who lack traditional credentials or experience. We removed degree requirements from our job requisitions, standardized job descriptions, and focused on diversity hiring via partnerships in underserved communities. We are confident that we can teach candidates who have technical skill gaps, if they have the soft-skills and security mind-set. In fact, some of our most talented employees do not have a cyber-background at all. This year we graduated 14 candidates from our Cyber Academy, some with no IT background, breaking down barriers to career agility in cyber. In a fiercely competitive environment, talent profiles are changing.”
Even when employers do expand their sources for talent, many Americans do not recognize their own potential to enter the cybersecurity field. Changing that perception will require federal leadership. In December 2020, the Aspen Cybersecurity Group released A National Cybersecurity Agenda for Resilient Digital Infrastructure, centered on five priority themes for the next administration and Congress. Its chapter on cybersecurity education and workforce development outlined several practical steps for policymakers in Washington to scale demonstrated successes, including:
We encourage more companies to join this important initiative. There’s a lot of work ahead to socialize these ideas in every sector of business and in every part of the country. The cybersecurity community might be surprised by how much and how quickly we can close the jobs gap simply be changing how employers define and recruit cybersecurity talent.