Cybersecurity’s 3-Million-Person Workforce Shortage is Now a Risk Management Problem


The cybersecurity workforce needs and wants you!  That is good news for many of us, but from an employer or strategic workforce planning perspective it is a problem. There is now a shortage of people qualified to protect data, systems, and operations.

Worldwide, the cybersecurity workforce shortage is about 3 million, according to the 2018 (ISC)² Cybersecurity Workforce Study, produced by the organization that brought us the CISSP certification.

The underrepresentation of women in the field contributes to the problem.  The 2019 (ISC)² Cybersecurity Workforce Study: Women in Cybersecurity found that women are still underrepresented.  Using a more inclusive methodology to define who counts as a cybersecurity professional, the survey concluded that women now make up 24% of the field (as opposed to the previously reported 11%).

And the problem is expected to worsen. “Employment of information security analysts is projected to grow 28 percent from 2016 to 2026, much faster than the average for all occupations,” reports the U.S. Bureau of Labor Statistics.

A scarcity of cyber workers means increased cyber risk all around. The 2018 (ISC)² study states that 60% of those surveyed say their companies are at moderate or extreme risk of cybersecurity attacks because of this shortage.

This risk factor belongs in cybersecurity risk-based analysis and decision-making. If an organization adheres to a specific cybersecurity framework, it will likely maintain a written plan of action and milestones (“POA&M”) that assigns responsibility for implementing, maintaining, or remediating each security control to a specific person or role. If those roles don’t exist within the organization … well, that’s a lot of scary whitespace in your cybersecurity program recordkeeping, and every control with no named owner is a control you cannot assume is being maintained.

Another challenge lies with the evolving lexicon of cybersecurity skills.

A typical cyber worker may serve 5 or 6 distinct roles. That worker may grow in the job, picking up technical certifications along the way. How do you define this person’s role, or even begin to do succession planning or hire a person just like them?

The NICE Cybersecurity Workforce Framework (NICE Framework), published by NIST, is a good place to start.

The NICE Framework, NIST Special Publication 800-181, is a resource that categorizes and describes cybersecurity work. Built over a decade, the core of the Framework is a taxonomy and common lexicon that describes cybersecurity work and workers in terms of categories, specialty areas, work roles, and the tasks, knowledge, skills, and abilities each role requires. It is neither DoD-specific nor Silicon Valley-specific.  It tries to be universal.  In a universe travelling a million miles an hour.

Need a work role description for a Vulnerability Assessment Analyst, Cyber Ops Planner, or Cyber Defense Forensics Analyst?  It’s in there.  Need some words describing what you are looking for in your Executive Cyber Leadership? That’s in there too.

A common language for cyber work is helpful …

  • as colleges turn out new graduates with cyber-related degrees
  • as military veterans transition into the workforce
  • to measure cyber competencies in one’s own workforce
  • when subcontracting for a particular skillset
  • when hiring, mentoring, or advancing the careers of actual human beings whose jobs include both technical and non-technical functions

However, we all know there is more to hiring the right people than using the right terminology and buzzwords.  (Speaking of buzzwords, “Jobs requesting cloud security skills, for example, remain open 96 days on average – longer than any other IT skill,” reports CyberSeek.)

Strategic workforce planning is now part of cyber risk management.

Whether bulking up your in-house cyber team or strategically outsourcing some specialized roles, workforce planning is key.  Employers can work with state and federal workforce development programs like the Virginia Cyber Alliance or the U.S. Department of Defense SkillBridge program.  Internships, apprenticeships, and programs like CyberVets are valuable.  You can also do it the hard way: interviewing, hiring, and training your cyber employees one person at a time.


The author, Colleen H. Johnson, Senior Cyber Legal Analyst, can be reached at