NSF initiative aims to bring better data to the cyber workforce challenge

Policymakers often talk about a cyber talent gap, but official data on the national cyber workforce is also in short supply.

One of the most bipartisan issues in Washington in 2024 is the need to address a persistent rise in cyber threats by bolstering the national cyber workforce.

In Congress, Democrats and Republicans alike frequently sponsor bills to invest more in STEM education and fill gaps in the cyber workforce. Meanwhile, the Biden administration is also implementing a widely supported national cyber workforce and education strategy.

But while everyone agrees there’s a gap, data on the U.S. cyber workforce is severely lacking compared to many other occupations. And as a new report shows, it’s often because official labor and education sources don’t yet reflect the changing landscape of cybersecurity work.

The Cybersecurity Workforce Data Initiative, authorized as part of the 2022 CHIPS and Science Act, aims to “assess the feasibility of producing national estimates and statistical information on the cybersecurity workforce.” The National Center for Science and Engineering Statistics, housed within the National Science Foundation, is leading the initiative.

In May, the CWDI released a report on “cybersecurity workforce supply and demand” led by RTI International, a nonprofit research institute.

The report lays out many of the challenges in obtaining granular, ground-truth data on the cybersecurity workforce, as well as some recommendations for addressing those problems.

For instance, one of the most commonly used guides for explaining cybersecurity work is the “NICE Framework,” maintained by the National Institute of Standards and Technology. Widely regarded as essential to understanding different cyber roles, the NICE Framework has not been translated to align with traditional federal labor data used by the Bureau of Labor Statistics or the Census Bureau.

“The NICE framework is not intended to be a prescriptive taxonomy. By our definition, and that within the NICE framework, cybersecurity does not fit easily into a single occupation code or title, and this presents a challenge to using existing labor market data,” Michael Hogan, one of the lead authors on the new repot, said during a June 10 workshop hosted by CWDI.

“In the absence of traditional data, administrative data providers have filled that gap,” Hogan added.

Those administrative providers include CyberSeek, a public-private partnership, that serves as one of the most commonly cited sources for cyber workforce data. CyberSeek currently estimates that there are nearly 470,000 open cybersecurity jobs across the country.

Another commonly referenced resource is ISC2’s cyber workforce study, which recently estimated there are 5.5 million cybersecurity workers and nearly 4 million job opening across the globe.

“These data and surveys are very valuable for capturing a subset of the workforce, but we believe that this data does not yet encompass the entire state of supply and demand for cybersecurity workers,” Hogan explained.

While many new pieces of legislation focus on increasing STEM education and expanding the pipeline of STEM graduates, the CWDI report notes that only 46% of college graduates in core cybersecurity positions had a degree that was closely related to their work.

“There is a lack of information about the knowledge, skills, and credentials required for cybersecurity work, the on-ramps into cybersecurity jobs, and the source of a potential mismatch between the work experience sought by employers versus the experience held by new graduates,” the report explains.

Part of the challenge is that cybersecurity is still a relatively new and evolving field. But yet another wrinkle is that while there are jobs that are clearly cybersecurity positions – information security analyst, for example – many other jobs could be considered cybersecurity-adjacent, as the CWDI report notes.

“We know that nearly every occupation today touches digital technology, and there are cybersecurity components to go along with it,” Hogan said. “This presents a challenge for us in putting a boundary around the cybersecurity workforce.”

The report offers a range of initial recommendations to better understand the cybersecurity workforce. It recommends, for instance, merging NIST’s NICE Framework with the Occupational Information Network, a public database sponsored by the Labor Department’s Employment and Training Administration.

It also recommends improving the Standard Occupational Classification to better reflect cybersecurity workers. The SOC is maintained by the Bureau of Labor Statistics and is used by federal agencies to classify workers into occupational categories.

Similar, the report recommends improving the Education Department’s Classification of Instructional Programs (CIP) to better capture cybersecurity schooling data.

Meanwhile, Hogan said CWDI will continue to collect data and feedback as it prepares to potentially launch a pilot survey of the U.S. cybersecurity workforce later this year.

Nearly Useless Factoid

By Michele Sandiford

The first known computer virus (worm) to replicate over a computer network (The Creeper worm) was created by BBN engineer Robert Thomas in 1971.

Source: Computer Timeline

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories