The Cyber Gap Series — Part 2

Cyber Nullius
May 7, 2021

Defining the Gap

Before exploring the contributing factors in more depth, we must first characterize the jobs gap itself. Understanding how industry insiders both qualify and quantify the gap will establish several key concepts that will assist in framing the task at hand: namely, how bad the gap is numerically, how long this gap has existed, and what the forecasted future of the gap is. Defining each of these concepts will underline the impact each causal factor has, as well as the importance of pushing for further industry improvement.

The Numbers Gap

It is a well-understood concept that population employment directly ties to the health of a nation’s economy, influencing not just the financial but also the social, judicial, and political spheres. High employment rates equate to economic well-being just as high unemployment rates indicate financial, social, and political turmoil. This interrelation has been made all the more obvious in the wake of COVID-19, which left nearly ten million Americans without jobs in the early days of the pandemic[1]. Combined with the natural fluctuations of both national and international markets, one would expect a portion of the population to be unemployed, competing for placement amongst the workforce for a finite number of openings. Yet one such industry seems to be impervious to typical fluctuations, demonstrated by a consistent negative employment rate.

Indeed, the Cybersecurity industry has seen a zero-unemployment rate since around 2016[2], with roughly two million jobs going unfilled worldwide at that point in time. Since then, the world has seen the number grow to around four million worldwide, with half a million within the United States alone. And, as far as anyone can tell, this number will continue to grow well into the mid-to-late 2020s, despite the economic impact of COVID-19, as the number of Internet “nodes” continues to increase as more of the world comes online.

This is a trend that has its roots in the mid-2000s, with 2007 marking the last time that supply met demand for Cybersecurity professionals[3], as indicated by industry compensation being comparable to that of other fields. However, demand began to outpace supply following the prominent cyberattacks against the country of Estonia[4] and the successful hacking of a noncritical Department of Defense database[5], both in 2007. Since then, the number of jobs available within the industry has exploded, with compensation outpacing the national median by several times. One need only review reports published in the years between 2010 and 2016, all of which underestimated the total number of unfilled jobs that would exist in 2020 by roughly 50%. The federal government itself has suffered from this outpacing. Jim Gosler, founding Director of the CIA’s Clandestine Information Technology Office, has said only an estimated thousand or so individuals are qualified to undertake defending the nation’s cyber infrastructure, a job that would theoretically require ten to thirty thousand people in total.

Though the history of the Cybersecurity industry dates back to the early 1970s, with the commission of the Ware Report[6] and the creation of the infamous Creeper worm by Bob Thomas[7], the current state of the industry’s job market has its roots in the events of 2007. Now, thirteen years later, how can such a gap continue to exist? Why do 80% of industry managers view college degrees as ineffective marks of preparedness? How is it possible that, with nearly 61% of organizations seeing only half of the available pool as qualified, only 23% of educational programs are seen as fully preparing students?[8] With international and national attention, both public and private, and the respective resources of each being invested to the tune of hundreds of millions of dollars, how can so few be qualified to actively partake in the industry? We will next look to the economic, socio-political, and educational factors that have led to the current jobs market.

[1] Casselman, B., & Cohen, P. (2020, April 2). A widening toll on jobs: ‘This thing is going to come for us all’. The New York Times — Breaking News, World News & Multimedia. https://www.nytimes.com/2020/04/02/business/economy/coronavirus-unemployment-claims.html

[2] Morgan, S. (2016, September 19). Cybersecurity unemployment rate drops to zero percent. Cybercrime Magazine. https://cybersecurityventures.com/cybersecurity-unemployment-rate/

[3] RAND National Security Research Division. (2014). Hackers Wanted: An Examination of the Cybersecurity Labor Market (RR-430). RAND Corporation. https://doi.org/10.7249/RR430

[4] Traynor, I. (2017, November 26). Russia accused of unleashing cyberwar to disable Estonia. the Guardian. https://www.theguardian.com/world/2007/may/17/topstories3.russia

[5] Fox News. (2015, March 25). Pentagon source says China hacked defense department computers. https://www.foxnews.com/story/pentagon-source-says-china-hacked-defense-department-computers

[6] RAND Corporation. (1979). Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security (R-609–1). https://doi.org/10.7249/R609-1

[7] Techopedia. (2011, August 18). What is creeper virus? — Definition from Techopedia. Techopedia.com. https://www.techopedia.com/definition/24180/creeper-virus

[8] Center for Strategic & International Studies. (2019). The Cybersecurity Workforce Gap (01/2019). https://www.csis.org/analysis/cybersecurity-workforce-gap


Cyber Nullius

B.S. in Cybersecurity | CASP+ | CCNA | CTCE | Humble Beginner | Hopeful Space Traveler