Is the Cyber Workforce Shortage a Myth?

According to a CISA expert, plenty of workers are available, but it’s complicated.

Some experts disagree with the conventional wisdom that the United States, along with most of the world, faces a severe shortage of cybersecurity professionals.

To many, the shortage of cyber workers has been an established fact for a number of years. For example, in mid-March, Cyberseek.org showed more than 450,000 cybersecurity job openings across the nation. Cybersecurity Ventures, a global cyber economy research firm, reported in 2023 that global cybersecurity job vacancies grew by 350%, from 1 million openings in 2013 to 3.5 million in 2021. The number of unfilled jobs leveled off in 2022 and remained at 3.5 million in 2023, with more than 750,000 of those positions in the United States. “Industry efforts to source new talent and tackle burnout continues, but we predict that the disparity between demand and supply will remain through at least 2025,” the firm reported.

The job gap has been especially acute in the Defense Department and other government agencies. Mark Gorak, principal director for resources and analysis for the Defense Department’s Office of the Chief Information Officer, reported in 2023 departmental vacancies of about 24%, with plans to reduce that by half. As of November, the department still had a 16% vacancy rate for its workforce, which includes 75,000 civilians, 75,000 contractors and 25,000 military personnel.

Congress also has gotten involved. On February 5, the U.S. House Committee on Homeland Security held a hearing examining the issue. According to Chairman Mark Green, R-Tenn., the United States “lacks about 500,000 cyber workforce workers.”

However, Klint Walker, supervisory cybersecurity advisor at the Cybersecurity and Infrastructure Security Agency (CISA), recently told the audience at a critical infrastructure-related cybersecurity tabletop exercise in Atlanta that the worker shortage is largely a myth fed by multiple factors, including inadequate salaries, undesirable job locations and the demands of some jobs.

The event was sponsored by AFCEA International’s Atlanta Chapter in relation to its second annual homeland security conference. Walker led the tabletop exercise along with Keyaan Williams, managing director of Cyber Leadership and Strategy Solutions LLC (CLASS-LLC), a professional services firm focused on cybersecurity strategy, risk management and workforce development.

Walker said he studied the topic while working on his doctorate. He believed the shortage existed until he began talking to academics, he recalled. “The academic world was like, ‘That’s a fallacy. We’re pumping out cybersecurity professionals.’ The problem is that everybody thinks that entry-level cybersecurity is 10 years of experience,” he said.

He described a fundamental mismatch in which either employers are not willing to hire the available workers, or the available workers are not willing to accept the jobs offered. For some job seekers, it’s all about location, location, location. Workers in Atlanta might get $200,000 a year and live in a larger city with plenty of professional, social and entertainment options, but a smaller, more rural city will pay much less with fewer lifestyle options. “Who wants to move out to rural Indiana to work as a cyber person at a small water company? So, they’ve got an open position that they can’t fill,” Walker said.

In some cases, the jobs are considered too important to hire someone with little experience. “The organizations only have one or two cybersecurity professionals, so they can’t afford to have that be an inexperienced person on the staff,” he added.

The cybersecurity exercise audience seemed divided over Walker’s remarks, some disagreeing and others offering a chorus of “Yes,” “That’s right,” and at one point an “Amen.”

In a telephone interview with SIGNAL Media, Richard Forno, a teaching professor at the University of Maryland, Baltimore County (UMBC) Department of Computer Science and Electrical Engineering, director of the UMBC Graduate Cybersecurity Program and assistant director of UMBC’s Cybersecurity Institute, said there is no overall worker shortage, but that shortages may exist in particular cyber-related areas. “I wouldn’t say there’s a shortage in every field, but maybe in a certain specialty there may be shortages. There are pockets—like cloud computing is a hot topic these days. It depends on the company and what their specific needs are.”

It is also possible that some organizations want specific kinds of experience. Several years ago, an Uber driver in San Antonio told SIGNAL Media he had received a cybersecurity degree but that he couldn’t find work in the area without military experience. Told of that encounter, Forno allowed that in some cases, military experience might make the difference. “San Antonio being the home of Air Force cyber, I can understand why companies would want people with military experience, particularly if they’re applying for jobs that are military facing. I think that person could still walk into a bank or some company somewhere and get a cybersecurity job because that wouldn’t necessarily require military experience.”

The lack of a unified definition of “cyber” constitutes another part of the problem, according to Walker. “Is the administrative assistant to the CIO a cybersecurity position? Some people seem to think so. That’s the vacancy that they have to be filled.”

Furthermore, more and more technologies now fall under the “cyber” term. “Is somebody managing your social media an information technology or cybersecurity function? If they’re counting those positions as cybersecurity positions that are not being filled, but nobody told cybersecurity they’re supposed to be filling those positions, that’s part of the problem,” Walker declared.

The responsibilities of cybersecurity professionals constantly expand to include such capabilities as artificial intelligence (AI), Internet of Things and operational technology, Walker asserted. “We went from being IT security to being IT, OT and IoT security. They use that term ‘cyber’ to lump all three of those things in, and now they just use it for a catchphrase of everything that they don’t know where else to put it.”

And that takes a toll on the cybersecurity workers. “Whether it’s artificial intelligence, quantum computing—that’s all in our wheelhouse. Now we’re expected to keep expanding our definition of what our role is as the world expands,” Walker asserted.

But ever-expanding responsibilities don’t necessarily mean higher salaries. Walker said his duties tripled when his title changed from information technology security to cybersecurity. “Yet, I’m getting the same pay. Every time a new technology comes out, my job increases. Every time they say we’re going to add this new platform to our system, you multiply that by the number of users in the organization, your job has just grown that much more.”

New technology areas can add to the perception of a cyber workforce shortage, Forno indicated. “Cloud and AI are the new, emerging areas of cybersecurity, so there aren’t enough people trained and educated in this stuff yet. Whether that could be described as a shortage, that’s up to you,” he said.

And while automation and artificial intelligence are supposed to help carry the workload, that often doesn’t happen, according to Walker. “You’re securing more and more every day and with less people. They say automation is going to help you, but you have to be an AI expert. And then we also want you to secure AI while implementing AI.”

It can also be a challenge to get qualified cybersecurity workers to accept some specialty jobs, Walker noted. For example, many cyber professionals want to be penetration testers, but few want to be involved in governance, risk and compliance.

He added that getting people to accept or stay in chief information security officer (CISO) positions presents even more hurdles. “We’re no longer training people to be CISOs anymore,” he asserted, explaining that once cybersecurity personnel reach that level, they realize the responsibilities are broader than their experience. “So, they’re burning out really fast, and they’re leaving.”

Also, CISOs are sometimes held legally responsible for incidents occurring on their watch, so they’re leaving the field entirely, both Walker and Forno indicated. Forno said it is a mistake to go after CISOs in court because they do not have the authority to act. “I know from my own case as CISO, I could push, I could prompt, but when it came down to it, I didn’t have the authority to pull something off the wire, not even during the incident.”

Forno explained that he would have to get action approval from the business manager or the chief technology officer, which he compared to telling a firefighter, “You’re responsible to keep the house from burning down, but you’ve got to check with me before you can go inside with the hose.”

Williams, co-leader for the tabletop exercise, described an organizational behavior he termed “misattribution of alignment,” in which everyone assumes the CISO is responsible for all security across the organization. He reported talking to officials with a company about to be sold for $1 billion.

Williams said he asked what they were doing for enterprise cybersecurity and risk management and was told they had no information technology people and were looking for someone to conduct penetration testing. “They think the solution to the problem is doing a pen test so that they can identify vulnerabilities and then put some fixes in place that are only going to be relevant until the CISA sends me the next email about known exploited vulnerabilities.”

The issue is that nobody at the executive level thinks about enterprise cybersecurity risk, Williams suggested. “You want to hire a CISO off the street and pay that person $125,000 a year to deal with all this ridiculousness. I could go be a Salesforce engineer and make $200,000 a year and show up at 9:00 a.m. and go home at 5:00 and take a 90-minute lunch as long as I hit my quota. It’s not really incentivizing people to deal with all of the frustration.”
