Looking Beyond the Technical to Fill America's Cyber Workforce Gap

There is an urgent need for skilled cyber professionals. The Center for Strategic & International Studies reports there will be 1.8 million unfilled cybersecurity positions by 2022. Many articles focus on the need for technical skills to plug the cyber threat gap.

Key federal agencies, like National Institute of Standards and Technology and National Science Foundation, are working hard to provide the framework and skill mapping needed. Technical schools and academic institutions are doing their best to fill the gap in available cyber workers. These efforts are not enough, however. 

Challenge One: Speed to market is lacking. 

The NICE Framework is an outstanding methodology that informs the skills needed to undertake cyber work. It is updated every 3-5 years, but cybersecurity is evolving far more quickly than that. By the time the NICE Framework update is approved and distributed, it is already out of date. 

Academic institutions depend on the NICE framework to guide their curricula and educate their students on cyber work, across a variety of cybersecurity domains. However, it takes these institutions years to get approved changes to their courses of study, meaning their students are not receiving the most up-to-date cyber knowledge and skills. 

Employers rely on certifications to make hiring decisions. New cyber workers might have passed the test, but have never tried their hands on a keyboard in a cyber setting. These certifications ensure that employees have demonstrated knowledge, but they do not indicate that new cyber workers can start day one on performing practical cyber tasks.

Challenge Two: Missing the “main thing.”

Training and education do not equate to experience. Nor do technical skills always equate to cyber competence. The bottom line is that new, and even experienced, cyber workers may not possess the most important skills needed to provide a strong cyber line of defense.

In some instances, cyber workers can sit down at the keyboard and freeze. They have the knowledge base, but they are not ready to operate the complex systems that protect their agency or organization from intrusions and hacks. Newly minted cyber workers have gone through all appropriate steps to gain their respective degrees and certifications, they have been heavily recruited, and now they have the job. But in a live environment, they do not always know what to do.

As with other jobs, high-performing cyber workers are promoted to cyber leaders. However, cyber supervisors are faced with an entirely different set of challenges. They know how to operate in the cybersecurity world but may not have learned how to manage teams, appraise performance, and help that newbie cyber worker transition from knowledge to hands-on experience. Worse, they might not even want to do that work or enjoy it as much as applying their technical expertise. 

Solution: Support new and experienced cyber workers in obtaining crucial nontechnical skills.

Think of nontechnical skills as skills that are useful in every possible job like critical thinking, listening to others, and initiative. The trained but inexperienced cyber worker now on the job will need good judgment to understand when to ask for help and when to take initiative to analyze what is most puzzling and risk making an independent decision. Cooperation, not competition, will help to build a cyber team. Leaders can empower proven cyber workers to have more latitude in decision-making, and to have freedom to help peers who are faltering.

As you recruit and on-board cyber-workers, or choose cyber leaders, think carefully about these skills. It can be the key to a more effective and engaged cyber workforce. 

Sarah Krawlzik, Ph.D., is a cyber solutions architect and Debra Tomchek is a vice president at ICF.