This article is part of the monthly CSI5x5 series by the Cyber Statecraft Initiative, in which five featured experts answer five questions on a common theme, trend, or current event in the world of cyber. Interested in the CSI5x5 and want to see a particular topic, event, or question covered? Contact Simon Handler with the Cyber Statecraft Initiative at SHandler@atlanticcouncil.org.
Defending against threats in cyberspace is hard enough, but severe cybersecurity talent deficiencies have consistently made the challenge harder for both public and private sector organizations.
The field of cybersecurity continues to expand rapidly—so much so that the number of available jobs has outpaced the pool of available talent. A 2017 report by the National Academies estimated that by 2022, the United States will face a shortage of 3.4 million skilled technical workers, on top of an existing global dearth of 2.93 million workers in just the field of cybersecurity, per a study by the International Information System Security Certification Consortium, or (ISC)². Furthermore, when it comes to top talent, the pool is small and there are many organizations looking to tap into it. While this issue is not particularly new, it is one with which government and industry continue to grapple, with no one clear-cut solution on the horizon.
Our Cyber Statecraft Initiative experts go CSI5x5 to dig into the people problem of cybersecurity, its implications, and possible solutions.
#1 What is the most significant real-world example of the cybersecurity talent gap you’ve observed?
Pete Cooper, nonresident senior fellow, Cyber Statecraft Initiative; CEO, Pavisade: “First, we have to be sure of what we mean by ‘cybersecurity talent gap.’ The latest report and survey from the UK Department of Culture Media and Sport highlighted that ‘approximately 653,000 businesses (48 percent) have a basic skills gap’ and lacked the confidence to carry out basic cybersecurity measures. But additionally, they highlighted that there are a wide range of relevant cybersecurity skills ranging from deep technical to policy, strategy, and leadership. When we talk about the talent gap, we have to look at the whole arc of what skills are needed, not just technical which tends to be the focus and headline. The real-world example that stands out to me when looking across organizations is how they are positioned to manage cyber security risk; there are often pockets of great cybersecurity skills or knowledge of risk, but often, this isn’t translated well into the board and decisionmakers. So, they aren’t getting the best value out of the technical skills they have because it isn’t woven together with policy, strategy, and leadership across the whole organization. At its worst, this means that those with technical skills in the organization have a much better understanding of actual risk than the board, who may be making decisions based on inaccurate assumptions.”
Emily Frye, director, cyber integration, MITRE/Public Sector: “For the most part, the cybersecurity field has been unable to massively or uniformly deploy elements of progress and best practice as they become clear. This is because there aren’t enough people to actually move the ecosystem to the new baseline. One example is threat-informed cyber defense. We don’t see enough organizations with enough personnel and expertise to ensure that the bulk of organizations are already covering basics. So, they can’t, in turn, move to what we know is better: threat-informed cyber defense.”
Kurt John, chief cybersecurity officer, Siemens USA: “It’s impossible to overstate our need for human talent. The latest research I’ve seen, from Cybersecurity Ventures, puts open cybersecurity jobs worldwide at 3.5 million by next year. And that might seem like a daunting figure, but think of it like this: there are approximately 174 million unemployed people worldwide. Say one percent are in the pool of potential candidates; that fills fifty percent of the need. Now, clearly there are a host of variables that makes such a comparison complicated. My point is that what we really need is a mindset change for how we recruit that taps into the full range of talent across society and enables us to address the needs of industry.”
Ronald A. Marks III, president, ZPN National Security and Cyber Strategies; former Central Intelligence Agency and Capitol Hill official: “It is less a gap that affected a specific event than the long-term fundamental gap between policymakers—both public and private—and the guys who understand technology. The continued lack of this mutual understanding in the third decade of the world wide web—and its creation, cyber world—on both sides is troubling and potentially dangerous. And, it does not appear to be closing.”
Jacquelyn Schneider, Hoover fellow, Hoover Institution, Stanford University; nonresident fellow, Cyber and Innovation Policy Institute, Naval War College: “When I was an active duty Air Force officer, I was struck by how many talented airmen we were losing not because they lacked technical skills for the mission, but instead because we were inflexible about family issues, promotion, and even health/fitness. What has surprised me since leaving the active duty is how many similar problems the US government has in recruiting and retaining talent in our civilian sector.”
#2 What aspects of organizational culture are most influential on the gap, and does the private sector really have an advantage recruiting talent?
Cooper: “Organizational culture is the most important aspect of cybersecurity and also the most underrated; it appreciates in value over time, unlike a lot of other measures, and is incredibly cost effective. If the leadership of an organization can instil a great culture, it makes attracting and retaining talent considerably easier, and you have an incredibly proactive workforce that actively look for ways to minimize risk, innovate, and develop effective solutions. If the leadership has the right culture to hiring, it opens up access to talent. As an example, a comment from a job seeker was that she had dismissed herself from taking up an internship because she was a working mother. In discussing this case with a chief information security officer (CISO) friend, they absolutely wanted to speak to her because if they could find a way to make it work for the candidate, they improved and strengthened as a business. It’s this sort of culture, thinking, and leadership that closes the skills gap and gets people into work. Having been in both worlds, early in your career, the public sector is a great place to learn and develop skills, but the private sector has such breadth of roles, organizations, and locations. There is no clear-cut answer to advantages of one over the other, it really depends on the individual and what they are looking for.”
Frye: “Flexible policies on issues like working hours and telework, continuing education, and a combination of healthy teams plus individual autonomy are the most influential. Also, flat organizational structures and a non-rigid approach to authority are key. Strictly hierarchical organizations appear to turn off the smart creative professionals that solve problems.”
John: “Collaboration is…