Congress needs ‘private sector buy-in’ to address cyber workforce shortage

Private sector companies need to change their hiring and recruitment practices to effectively onboard the next-generation of cyber talent, including reassessing the skills and degrees that they believe are needed to successfully defend against cyber threats, witnesses told members of a House panel on Thursday. 

The hearing, held by the House Homeland Security Cybersecurity and Infrastructure Protection Subcommittee, focused on efforts to grow the nation’s cyber talent pipeline — a critical necessity, given that a report released by a federal working group last year found that there were “more than 700,000 cyber jobs to fill nationwide and nearly 40,000 in the public sector as of April 2022.”

Rep. Andrew Garbarino, R-N.Y., who chairs the subcommittee, noted in his opening remarks that the widespread cyber workforce challenges facing the nation “must be addressed through a strategic and cross-cutting approach that avoids duplication.

“It is clear that the shortage of talent and burnout are issues that both the public and private sector face,” he said. 

While the panel’s witnesses cited a variety of ongoing courses and educational initiatives across the country that are designed to teach cybersecurity skills and provide certification to students, individuals without college degrees and transitioning service members and veterans, they also stressed that the private sector needs to more readily embrace this pool of promising talent to meet growing digital threats — particularly given the urgent need to expand the cyber workforce. 

Tara Wisniewski, executive vice president for advocacy, global markets and member engagement at (ISC)2, said this includes changing mindsets in the private sector to embrace that cyber positions don’t require a four-year degree, as well as pushing hiring managers to think more deliberately about “what actually are the right credentials for the right job.” 

“We often see our CISSP [certification] — which is a globally de facto standard, it requires five years experience, endorsements, etc. — we often see that on entry-level job descriptions, and that doesn't match,” she said. “And so we have a lot of work to do. So it's not only about getting more people in, but there's a lot of work to do to bring the private sector to the table as well.”

And the need to immediately fill thousands of cyber vacancies across the public and private sectors with talented professionals — particularly with individuals who have received cyber training and related certifications — is often undermined by a corporate head-hunting mentality that still prioritizes targeting top-tier talent. 

Will Markow, vice president of applied research at data firm Lightcast, said private employers often believe “they must hire workers with inflated credentials or many years of work experience.” This mindset, he added, leads to them frequently recruiting from the same small pool of high-skilled cyber talent — a process that he equated with “hiring mercenaries.”

“It just becomes a game of poaching from one employer and poaching from another for a very small pool of workers that have this mythical set of unicorn skills,” he said. “And the companies that we actually see with the best retention rates are the ones that are taking more of a skills-based approach to hiring, as opposed to a credential-based approach to hiring.”

Rep. Eric Swalwell, D-Calif., the subcommittee’s ranking member, said the only way to close the cyber workforce gap is to “do more to bring women, people of color, immigrants and other underrepresented groups into the cyber talent pipeline.” 

Swalwell added that comprehensive efforts to grow the nation’s cyber talent pipeline — which, he said, have strong bipartisan support — can only be accomplished “with private sector buy-in and collaboration.” 

“There's a lot of good partisan excuses for why we can't take on other intractable issues,” Swalwell said. "On this one, we're aligned.”