The National Cyber Workforce and Education Strategy (NCWES), announced on July 31, aims to address gaps in the cyber workforce and in cybersecurity education. This strategy follows the announcement of a new National Cybersecurity Strategy in March and the announcement of an implementation plan in July.
Like the preceding cybersecurity initiatives, the NCWES is sweeping in scope and requires collaboration across multiple government agencies and throughout the private sector. How could this strategy address the cyber workforce challenges we face today?
Cyber Workforce Challenges
On a global scale, there is a gap of 3.4 million cybersecurity workers, according to a 2022 report from the International Information System Security Certification Consortium (ISC)². And that is just one study of many highlighting the unfilled jobs in cybersecurity. Cyber threats continue to grow as personal and professional lives only become more intertwined with the digital world.
The NCWES recognizes the scope of the current challenges. The majority of jobs (92%) require digital skills, according to the nonprofit National Skills Coalition. Yet, many of America’s workers lack the requisite digital skills.
The United States needs cybersecurity workers to fill jobs in the public and private sectors, and it needs to give people the awareness and the skills to do so.
“We have seen both the economy and the way in which people work rapidly digitize over the past 20 years to take advantage of all of technology’s benefits, but we have not kept up in how we train people to watch for its vulnerabilities,” says Shaun McAlmont, president and CEO of cybersecurity awareness training company NINJIO.
The Goals of the New Strategy
The NCWES is guided by three imperatives: leveraging adaptable ecosystems, enabling lifelong development of cyber skills, and growing the cyber workforce through improvements in diversity and inclusion. The first imperative recognizes the need for multiple stakeholders to work together on cyber education and workforce development. The second imperative highlights the importance of digital literacy, computational literacy, and digital resilience among all Americans. The third imperative hinges on improving diversity, equity, and inclusion to grow the cyber talent pool.
Like the National Cybersecurity Strategy, the NCWES is supported by several pillars. The first pillar aims to make foundational cyber skills universal for Americans. It calls for the improvement of learning opportunities and the incentivization of developing cyber skills and careers.
“Equipping the entire workforce with foundational skills would go a long way in making our digital lives safer,” McAlmont points out.
The second pillar builds on the first: it calls for the transformation of cyber education. This emphasis on education goes beyond four-year degrees to include a focus on K-12 schools, community colleges, and informal programs, such as boot camps.
“Overall, the strategy emphasizes that cybersecurity jobs don’t necessarily require a four-year degree, and that community college degrees, apprenticeships, and certificate courses are, in many cases, quite appropriate,” says Erin Weiss Kaya, senior strategist and cyber leader at consulting firm Booz Allen Hamilton.
The third and fourth pillars home in on the workforce gap. The third focuses on enhancing the overall cyber workforce in America, while the fourth specifically addresses the need to strengthen the federal cyber workforce.
“The ‘typical’ cyber expert does not exist,” says Weiss Kaya. “The best ones come from a wide variety of backgrounds and experiences.” She sees the strategy building the groundwork for embracing a broader talent pool to meet cyber workforce needs.
The NCWES hinges on a collaborative effort from a range of stakeholders, including government agencies, educators, and industry. The strategy has already garnered commitment from many organizations.
The National Science Foundation, National Security Agency, Office of the National Cyber Director (ONCD), National Institute of Standards and Technology (NIST), Department of Labor, Office of Personnel Management, Department of Veterans Affairs, Cybersecurity and Infrastructure Security Agency, and Department of Housing and Urban Development each have a role to play through various partnerships and plans.
For example, NIST will be awarding up to $3.6 million in Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) awards to support cybersecurity education and workforce development projects. Any non-federal entity is eligible to apply for the funding. Applicants must have a partnership “with at least one institution of higher education or nonprofit training organization, and at least one local employer or owner or operator of critical infrastructure,” says Danielle Santos, NIST IT specialist. The deadline for applications is Sept. 5, and NIST will fund up to 18 RAMPS awards.
NIST is also supporting the NCWES via its involvement in the US Cyber Games, which scouts, trains, and puts together a team of cyber talent to compete in global cybersecurity games.
“Athletes who demonstrate drive and potential but do not make the team are invited to the US Cyber Games Pipeline Program, a four-month cybersecurity training and mentorship program,” Santos says.
Many other stakeholders, in addition to government agencies, have pledged commitments, including the following:
- Craig Newmark Philanthropies
- Women in CyberSecurity
- Cybersafe Foundation
- SANS Institute
- Cyber Readiness Institute and the Center on Cyber and Technology Innovation
- Girl Security
- The Society for Human Resource Management
- Omidyar Network
- Task Force Movement
- Check Point Software Technologies
- Black Tech Street
- MassBay Community College
- Accenture & Immersive Labs
- National Cybersecurity Alliance
- Aspen Institute’s Cybersecurity Program
- Dakota State University
- Information Technology Senior Management Forum
- ConSol USA
- American University
“There will need to be a consistent, driving force behind interagency groups and public-private partnerships, and potential new mechanisms such as periodic summits, to set up the type of ecosystem described, which will be necessary to drive the actions the strategy lays out,” says Weiss Kaya.
The ONCD is overseeing the implementation of the NCWES. Implementation will be data-driven with the ONCD and National Cyber Workforce Coordination Group, established in 2022, working together to “identify gaps, develop performance measures for outcome-based goals, regularly communicate progress to stakeholders, and use data to assess progress toward goals,” according to the full strategy text.
In the short term, Mandy Andress, CISO at search and analytics company Elastic, expects to see increased interest in the cybersecurity space. “The needs are so vast that there is likely an area that will interest almost everyone, they just need to take a little time to try different things,” she says.
While immediate interest in cybersecurity is likely to grow, the strategy will still need to tackle long-term challenges as stakeholders work through implementation. For example, Joseph Williams, global partner, cybersecurity at management consulting firm Infosys Consulting, wonders how the strategy will be funded in the long term.
“In the short-term, there will be a rush of investment in K-12 teacher training, which will produce a short-term bump in awareness,” he says. “In the long-term, the program will need a solid funding source to be effective, and with a divided Washington it is hard to see how this will come together.”
The NCWES, like the cybersecurity field as a whole, will need to evolve to meet its mandates. “Security professionals will require constant training and retraining to keep themselves up to date with the latest threat vectors. The strategy will help accelerate the process but it’s by no means an end all be all,” says Kobi Kalif, CEO and co-founder of cybersecurity company ReasonLabs.