The war in Ukraine has heightened fears of Russian cybersecurity attacks on U.S. institutions, from companies to federal agencies to universities. But for years, there has been a stark national shortage of cybersecurity professionals. To fill this gap, several universities have been working to expand cybersecurity degree and certification programs. Yet some experts say more is needed with demand as high.
“The size of the workforce gap is so big that it’s almost hard to imagine,” said Dr. Richard DeMillo, interim chair of the Georgia Institute of Technology’s School of Cybersecurity and Privacy (SCP) and professor of computing. “There are more open positions in cybersecurity around the world than there are cybersecurity professionals. We have to figure out ways of rapidly getting more trained people in the workforce.”
According to a report from (ISC)2, a nonprofit membership association in cybersecurity, the U.S. added more than 250,000 people to the cyber workforce between 2020 and 2021. Yet in 2021, the need for cybersecurity professionals increased by 30%. Also, (ISC)2 found that there are about 400,000 open cybersecurity roles in the U.S. and about 2.7 million unfilled cyber jobs globally.
DeMillo noted this shortage has been building for roughly a decade. As information technology has progressed over the past generation, bad actors—be they nation states or organized crime syndicates or retail criminals—have also found more tools to conduct cyberattacks. Much of the world’s economy and society has simultaneously moved onto computers and social media networks.
“So, all of that is now exposed,” said DeMillo. “When you boil it down, we’ve built infrastructure around the world that is not quite up to the task of protecting our underlying systems from being taken advantage of. In real terms, the cybersecurity skills needed simply aren’t there—and that’s where higher education comes in.”
In early 2020, a series of high-profile cyberattacks, namely the SolarWinds hack, led to greater visibility of this problem. Responding to that growing need, Georgia Tech in fall 2020 opened SCP with undergraduate and graduate programs focused on cybersecurity areas. SCP built on about 30 years of groundwork from Georgia Tech’s institute on cybersecurity and privacy.
But DeMillo noted some higher education institutions seeking to start or expand their programs may have to team up with others.
“If you’re a large research university in a metro area, you probably have easy access to experts who can teach courses,” said DeMillo. “But if you’re a small liberal arts college in a rural area, chances are you’re going to be far away from those resources. That means colleges and universities need to cooperate with each other to share resources in ways that aren’t quite natural in higher education. That way we can make sure that courses are developed, and training is successful.”
DeMillo added that universities can find local stakeholders with cybersecurity needs to work alongside. For example, SCP started running cybersecurity training with the many agricultural and food safety professionals in Georgia that may be vulnerable to cyberattacks.
Clar Rosso, CEO of (ISC)2, further noted that the nonprofit offers certification and training programs in cybersecurity, including a newly created entry-level certification. She pointed out that new partnerships have been forming to bolster the cyber workforce—and to make training more accessible to underrepresented groups in a field historically dominated by white men.
“We’re seeing more of a marriage between degree programs and certification programs,” said Rosso. “We have universities embedding certifications into some of their bachelor’s programs, for example. And we’re seeing signs that this new entry-level certification program is helping to attract a more diverse workforce, such as among women.”
To Dr. Lorrie Cranor, a professor of computer science and of engineering and public policy at Carnegie Mellon University (CMU), the cybersecurity workforce shortage is not because there are not enough programs but rather not enough American students and support.
“I don’t think the gap is due to a lack of programs at higher education institutions,” she said. “I think the gap comes from a lack of Americans who want to be educated in cybersecurity and a lack of scholarship funding to support these programs. I think there are plenty of programs out there, though there could definitely be more.”
While current events may draw more attention to this workforce gap, Cranor like DeMillo stressed that the shortage is far from new. She directs CyLab, a security and privacy institute that coordinates with academic programs related to cybersecurity across CMU. Most of these programs have been around for years, she noted, and reflect the field’s breadth.
“I think a lesson from our work is that cybersecurity is not one-size-fits-all,” said Cranor. “For students who have a more technical background, we have programs that suit them well. And for students with more of a public policy background, we have programs that focus on those skills.”
To drum up more interest in cybersecurity, CyLab also runs a free computer security education program for high school and middle school students. Called picoCTF, the program additionally seeks to attract underrepresented students in the field, such as students of color and women and girls. But Cranor noted picoCTF’s funding has not been “at the levels that we’d like to see."
"Both government and companies can help address this scholarship problem with more funding for education,” she said.
Rosso of (ISC)2 stressed that cybersecurity challenges won’t be fixed without humans, not computers, at the forefront.
“The magic pill for cybersecurity that some organizations are selling is technology, and we and the entire cybersecurity profession are saying that you have to put people before technology,” she said. “Technology is part of the solution, but you also need to have people to know what we’re looking at to solve the problem.”
Rebecca Kelliher can be reached at firstname.lastname@example.org.