Last week, the Biden-Harris Administration unveiled the National Cyber Workforce and Education Strategy (NCWES), “aimed at addressing both immediate and long-term cyber workforce needs,” including reducing current gaps and empowering aspiring security professionals to enter the workforce. The NCWES follows on the heels of the National Cybersecurity Strategy, released in March, which provides a plan for addressing cyber threats, defending critical infrastructure and investing in a resilient cyber future.
The release of the NCWES is welcome news to the cybersecurity community and a much-needed initiative, as the industry is facing a major talent shortage. According to the (ISC)2 2022 Cybersecurity Workforce Study, there are 3.4 million vacant security positions that organizations are looking to fill – a 26% increase from 2021.
This talent gap poses a significant threat to enterprise, consumer and national safety and is only continuing to widen, especially as attacks are becoming increasingly difficult to detect and mitigate. The rise of generative AI, for instance, is fueling cyber-criminals’ attacks in both volume and sophistication, putting even greater strain on cybersecurity teams that are already very lean.
We’re already seeing how the increasing sophistication of cyber-criminals is devastating businesses. In the first half of 2023 alone, business email compromise (BEC) attacks, one of the largest threat vectors, which has cost organizations $51bn in exposed losses since 2013, increased by 55% over the previous six months. In that same time frame, nearly half (48%) of all organizations received at least one BEC attack. With current cybersecurity resourcing, defending against attacks on this trajectory is unsustainable.
The NCWES is an excellent first step to closing the cybersecurity talent gap. The federal government needs to be doing more to raise awareness and education for all Americans when it comes to cyber skills, which is what this policy is working to do. Cyber-criminals often target the vulnerable in society, and those who didn’t grow up in a technology-enabled world may be unaware of the risks. In that sense, this policy will likely make a difference. But just how much of a difference it will make – and how quickly – is yet to be seen.
Opportunities to Extend the Potential of the NCWES
While the NCWES outlines several practical and tangible activities, such as financial investments and incentives for higher education institutions to develop cybersecurity talent, improving outreach to diverse candidates, and providing skills training through public-private partnerships, the strategy could go even further.
For instance, while the NCWES promotes opportunities in higher education and at the internship level, cybersecurity acumen must start sooner – even as early as in elementary schools – and be consistently reinforced and built upon throughout high school. The sooner we start teaching people about cybersecurity, the more aware they will be of the risk and the less likely they will fall for a common scam, such as those requesting gift cards or intercepting real estate transactions.
The federal government should also look for more opportunities to award grants and scholarships to promising students seeking a cybersecurity career. Another option is to start paying for undergraduate degrees in computer science or cybersecurity in exchange for a predetermined period of service in the federal government to put that investment to use.
One of the challenges with cybersecurity practitioners is the pay gap between the private and public sectors. Helping to close those gaps or highlighting the benefits of a career in public service and the value it may bring throughout an employee’s overall career could help drive more qualified individuals toward public service.
Finally, as long as companies lack the security platforms needed to protect their employees, we will have to rely too heavily on the human element to keep the public safe. And at the rate that attacks are growing, manual and human approaches to defense simply aren’t sustainable. Even with ongoing security awareness training, organizations will struggle to keep up with the evolving landscape.
Federal and state governments and regulators should seek to incentivize companies to enable the robust cybersecurity controls and capabilities needed to ensure that they do not become the victims of a cyber-attack. This could include, for instance, incentives for using modern AI-based technology that could replace or augment existing security operations.
It will be interesting to see the impact of the proposed NCWES programs on reducing the cybersecurity skills shortage and how the strategy shifts as we learn what works (and what doesn’t). But no matter the outcome or how far it goes, we can bet on it going in a positive direction. There has never been a more critical time to rally the entire security ecosystem – from government and private industry to academia and non-profits – to strengthen our workforce and secure our future.