[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]
GROWING AND DIVERSIFYING THE CYBER TALENT PIPELINE
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
CYBERSECURITY, INFRASTRUCTURE
PROTECTION, AND INNOVATION
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTEENTH CONGRESS
FIRST SESSION
__________
MAY 21, 2019
__________
Serial No. 116-22
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
37-868 PDF WASHINGTON : 2019
COMMITTEE ON HOMELAND SECURITY
Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas            Mike Rogers, Alabama
James R. Langevin, Rhode Island      Peter T. King, New York
Cedric L. Richmond, Louisiana        Michael T. McCaul, Texas
Donald M. Payne, Jr., New Jersey     John Katko, New York
Kathleen M. Rice, New York           John Ratcliffe, Texas
J. Luis Correa, California           Mark Walker, North Carolina
Xochitl Torres Small, New Mexico     Clay Higgins, Louisiana
Max Rose, New York                   Debbie Lesko, Arizona
Lauren Underwood, Illinois           Mark Green, Tennessee
Elissa Slotkin, Michigan             Van Taylor, Texas
Emanuel Cleaver, Missouri            John Joyce, Pennsylvania
Al Green, Texas                      Dan Crenshaw, Texas
Yvette D. Clarke, New York           Michael Guest, Mississippi
Dina Titus, Nevada
Bonnie Watson Coleman, New Jersey
Nanette Diaz Barragan, California
Val Butler Demings, Florida
Hope Goins, Staff Director
Chris Vieson, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND
INNOVATION
Cedric L. Richmond, Louisiana, Chairman
Sheila Jackson Lee, Texas                       John Katko, New York, Ranking Member
James R. Langevin, Rhode Island                 John Ratcliffe, Texas
Kathleen M. Rice, New York                      Mark Walker, North Carolina
Lauren Underwood, Illinois                      Van Taylor, Texas
Elissa Slotkin, Michigan                        Mike Rogers, Alabama (ex officio)
Bennie G. Thompson, Mississippi (ex officio)
Moira Bergin, Subcommittee Staff Director
Sarah Moxley, Minority Subcommittee Staff Director
C O N T E N T S
----------
Statements
The Honorable Cedric L. Richmond, a Representative in Congress
From the State of Louisiana, and Chairman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Innovation:
Oral Statement
Prepared Statement
The Honorable John Katko, a Representative in Congress From the
State of New York, and Ranking Member, Subcommittee on
Cybersecurity, Infrastructure Protection, and Innovation:
Oral Statement
Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Chairman, Committee on
Homeland Security:
Prepared Statement
The Honorable Sheila Jackson Lee, a Representative in Congress
From the State of Texas:
Prepared Statement
Witnesses
Mr. Wesley Simpson, Chief Operating Officer, International
Information System Security Certification Consortium:
Oral Statement
Prepared Statement
Mr. Richard "Rick" J. Gallot, Jr., President, Grambling State
University:
Oral Statement
Prepared Statement
Mr. Amelia Estwick, National Cybersecurity Institute, Excelsior
College:
Oral Statement
Prepared Statement
Mr. Candace Worley, Vice President and Chief Technical
Strategist, McAfee:
Oral Statement
Prepared Statement
For the Record
The Honorable Cedric L. Richmond, a Representative in Congress
From the State of Louisiana, and Chairman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Innovation:
Statement of Laura Bate, Policy Analyst, New America
Appendix
Questions From Honorable Lauren Underwood for Amelia Estwick
GROWING AND DIVERSIFYING THE CYBER TALENT PIPELINE
----------
Tuesday, May 21, 2019
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity,
Infrastructure Protection,
and Innovation,
Washington, DC.
The subcommittee met, pursuant to notice, at 2:13 p.m., in
room 310, Cannon House Office Building, Hon. Cedric L. Richmond
(Chairman of the subcommittee) presiding.
Present: Representatives Richmond, Langevin, Rice, Slotkin,
Katko, Walker, Taylor, and Rogers (ex officio).
Mr. Richmond. I am going to go ahead and gavel us in so
that we can give our opening statements, and hopefully, we can
get through some of the testimony while we are here. But we are
going to have to break for votes, which will be called anywhere
probably in the next 15 minutes, and so then we will break, we
will go vote, and then we will try to rush back as quickly as
possible to be respectful of your time, because we are
certainly glad that you are here.
So I will start off, and then I will turn it over to
Ranking Member Katko.
Let me just start by saying good afternoon. I want to
welcome the panelists to today's hearing on Growing and
Diversifying the Cyber Talent Pipeline.
When I became Ranking Member of this subcommittee in 2015,
researchers were projecting that the shortage of cybersecurity
professionals would reach 1.5 million by 2020. In 2018, that
research showed a current day shortage of nearly 3 million
unfilled positions around the world, and over 300,000 in the
United States alone.
That means that nearly one--nearly a third of the U.S.
cybersecurity work force is, at this point, an empty desk.
Nevertheless, every day we introduce newer, smarter, more
connected devices and infrastructure to make our lives easier,
our businesses more profitable, and countless other goals.
Every day, we learn new ways these devices can be hacked,
disrupted, or manipulated to cause everything from minor
inconveniences to major global havoc.
We have seen ransomware attacks take out entire branches of
local government. We have had our personal data, intellectual
property, and military secrets stolen by hostile foreign
governments. It has never been more clear, we need more people
at the table who know cybersecurity.
We must do more than admire the problem. This subcommittee
held 3 cyber work force hearings last Congress, and learned
something in all of them. Now that I have the gavel, I want to
use it to drive home an important point: Diversity is essential
for National security and for cybersecurity. We need to bring
people to the table who have different perspectives, different
experiences, and different ways of looking at a problem. Right
now the vast majority of cybersecurity work force is white and
male. Only 9 percent are African American, 4 percent are
Hispanic, and 11 percent are women.
My concern is that having such a homogenous work force
could lead to blind spots, and potentially intelligence
failures, particularly for Federal agencies like the Department
of Homeland Security.
I know we have some panelists here today that can speak to
these issues directly, and I look forward to hearing your
perspectives.
Despite the good work being done in the public and private
sector on cyber work force, here is what I know for sure. We
still are not tapping into diverse talent streams. If we are
serious about fixing this problem, we need to put our money
where our mouth is. We have to stop starving the Federal
programs that support cyber talent, such as the National
Science Foundation, CyberCorps Scholarship for Service, whose
budget is on the chopping block every year.
We also need to stop bleeding talent at the very agencies
who need cyber experts to carry out their missions, like DHS,
the FBI, and the National Security Council at the White House.
Finally, we have to move the conversation around diversity out
of the background and put it in the front and center. We cannot
continue to make diversity an afterthought and expect that it
will spring forth naturally.
A few weeks ago, the White House issued an Executive Order
on America's cybersecurity work force. It introduced a
President's Cup Cyber Competition, and some work force rotation
opportunities, which are good, but was mostly silent on
diversity.
Officials reportedly explained that they hoped diversity
would be a natural byproduct of the order. That is exactly the
type of thinking we cannot afford to have if we are serious
about reversing trends.
[The statement of Chairman Richmond follows:]
Statement of Chairman Cedric L. Richmond
May 21, 2019
When I became the Ranking Member of this subcommittee in 2015,
researchers were projecting that the shortage of cybersecurity
professionals would reach 1.5 million by 2020. In 2018, that research
showed a current-day shortage of nearly 3 million unfilled positions
around the world--and over 300,000 in the United States alone. That
means that nearly a third of the U.S. cybersecurity workforce is, at
this point, an empty desk. Nevertheless, every day, we introduce newer,
smarter, more connected devices and infrastructure to make our lives
easier, our businesses more profitable, and countless other goals. And,
every day, we learn new ways these devices can be hacked, disrupted, or
manipulated to cause everything from minor inconveniences to major
global havoc.
We have seen ransomware attacks take out entire branches of local
government. We have had our personal data, intellectual property, and
military secrets stolen by hostile foreign governments. It has never
been more clear: We need more people at the table who know
cybersecurity. And we must do more than admire the problem. This
subcommittee held 3 cyber workforce hearings last Congress, and learned
something in all of them. Now that I have the gavel, I want to use it
to drive home an important point: Diversity is essential for National
security, and for cybersecurity. We need to bring people to the table
who have different perspectives, different experiences, and different
ways of looking at a problem.
Right now, the vast majority of the cybersecurity workforce is
white and male--only 9 percent are African American, 4 percent are
Hispanic, and 11 percent are women. My concern is that having such a
homogenous workforce could lead to blind spots and, potentially,
intelligence failures--particularly for Federal agencies like the
Department of Homeland Security. I know we have some panelists here
today that can speak to these issues directly, and I look forward to
their perspectives. Despite the good work being done in the public and
private sector on cyber workforce, here's what I know for sure--we
still are not tapping into diverse talent streams. If we are serious
about fixing this problem, we need to put our money where our mouth is.
We have to stop starving the Federal programs that support cyber
talent, such as the National Science Foundation's Cyber Corps
Scholarship for Service, whose budget is on the chopping block every
year. We also need to stop bleeding talent at the very agencies who
need cyber experts to carry out their missions, like DHS, the FBI, and
the National Security Council at the White House. And finally, we have
to move the conversation around diversity out of the background and put
it front-and-center. We cannot continue to make diversity an
afterthought and expect that it will spring forth naturally.
A few weeks ago, the White House issued an Executive Order on
America's Cybersecurity Workforce. It introduced a President's Cup
Cyber Competition, and some workforce rotation opportunities--which are
good--but was mostly silent on diversity. Officials reportedly
explained that they "hoped diversity would be a natural byproduct" of
the Order. This is exactly the type of thinking we cannot afford to
have if we are serious about reversing trends. I look forward to
hearing from our witnesses today about opportunities to address this
important National security issue.
Mr. Richmond. I look forward to hearing from our witnesses
today about opportunities to address this important National
security issue. With that, I will yield to the Ranking Member,
Mr. Katko.
Mr. Katko. Thank you, Mr. Chairman, for today's hearing on
the cybersecurity work force.
As I meet with those involved in cybersecurity, the common
refrain from Government, academia, and industry, is a need for
more people. As the Chairman said, there is about 300,000 open
positions in the cybersecurity field in the United States right
now.
How do we fix this? To start, we must begin engaging
students in primary and secondary school. We can't wait until
college to introduce cybersecurity as a profession.
To that, we need more teachers that are cyber aware and
curriculums that help inspire and encourage kids to engage with
cybersecurity. For those that want to go to college, we need to
make sure the programs are building the experience and
knowledge that employers need. We also need to make sure we
have professors to do that.
I am heartened that in my district, Le Moyne College is
starting up a cybersecurity program this year. But it is--you
know, we need a lot more than just one school doing that.
Enabling programs that grant a range of students the
opportunity to engage in cybersecurity scholarship should be a
top priority. I recently discussed cybersecurity scholarship
opportunities offered by the National Science Foundation
through their CyberCorps program. By offering prospective
students the opportunities to develop the critical skills in
exchange for Government service, we ensure that we have highly-
skilled cybersecurity employees in the Government, while
creating the next generation of cybersecurity experts.
College is not the only pathway to a career in cyber. We
need to not only develop and scale programs, but also need to
increase the awareness of them. We need to provide
opportunities to reskill those currently in the work force who
are interested in moving to a career in cyber.
We must do more in the short term as well. I had the
opportunity to talk with employees at the Department of
Homeland Security, Cybersecurity and Infrastructure Security
Agency yesterday, or CISA, and the common theme among them was
the challenges in hiring, and then retaining skilled employees
after they train them up.
It is critical that we do more now to give CISA the tools
that they need to more quickly bring on qualified personnel,
particularly to join the Hunt and Incident Response Team, or
HIRT, and the National Cybersecurity Assessment and Technical
Security Lab, or NCATS.
The men and women in these offices are working around the
clock to identify and mitigate cyber vulnerabilities in both
the Government domain, and on behalf of the private sector, and
they are expanding every day in those efforts.
Over the past few years, Congress has given CISA
significant new authorities to harden our cyber defenses, but
we have to cut the red tape so we can hire faster and keep that
personnel longer.
There is no silver bullet to solve the problem, and the
Federal Government cannot go it alone. It will take time. It
will take effort. It will take more ideas and collaboration.
I look forward to working with my colleagues on both sides
of the aisle to make a dent in the cyber work force shortage.
Thank you to our witnesses for speaking with us today.
Mr. Chairman, I yield back the balance of my time.
[The statement of Ranking Member Katko follows:]
Statement of Ranking Member John Katko
May 21, 2019
As I meet with those involved in cybersecurity, the common refrain
from Government, academia, and industry is the need for more people.
Despite having the best and the brightest students and
professionals in the world, the United States still has 300,000 open
positions in the cybersecurity field.
How do we fix this? To start, we must begin engaging students in
primary and secondary school. We cannot wait until college to introduce
cybersecurity as a career profession.
To do that, we need more teachers that are cyber aware and
curriculums that help inspire and encourage kids to engage with
cybersecurity.
For those that want to go to college, we need to make sure the
programs are building the experience and knowledge that employers need.
We also need to make sure we have professors to do that.
Enabling programs that grant a range of students the opportunity to
engage in cybersecurity scholarship should be a top priority. I
recently discussed cybersecurity scholarship opportunities offered by
the National Science Foundation through their CyberCorps program. By
offering prospective students the opportunity to develop the critical
skills in exchange for Government service, we ensure that we have
highly-skilled cybersecurity employees in the Government while creating
the next generation of cybersecurity experts.
College is not the only pathway to a career in cyber. We need to
not only develop and scale programs, but also increase the awareness of
them.
We need to provide opportunities to reskill those currently in the
workforce who are interested in moving to a career in cyber.
We must do more in the short term as well. I had the opportunity to
talk with employees at the DHS Cybersecurity and Infrastructure
Security Agency yesterday and a common theme was challenges in hiring
and retaining skilled employees.
It is critical that we do more now to give CISA the tools to more
quickly bring on qualified personnel, particularly to join the Hunt and
Incident Response Team (HIRT) and the National Cybersecurity
Assessments and Technical Security (NCATS) Lab.
The men and women in these offices are working around the clock to
identify and mitigate cyber vulnerabilities in both the .gov domain and
on behalf of the private sector. Over the past few years, Congress has
given CISA significant new authorities to harden our cyber defenses but
we have to cut the red tape so they can hire faster and keep their
personnel.
There is no silver bullet to solve the problem. And the Federal
Government cannot go it alone. It will take time, effort, new ideas and
collaboration.
I look forward to working with my colleagues to make a dent in the
cyber workforce shortage.
Mr. Richmond. I want to thank the Ranking Member, Mr. Katko
from New York, for his opening statement and remind Members
that other Members of the subcommittee are reminded that under
the committee rules, opening statements may be submitted for
the record.
[The statements of Chairman Thompson and Honorable Jackson
Lee follow:]
Statement of Chairman Bennie G. Thompson
May 21, 2019
Good afternoon. I want to thank Chairman Richmond for holding
today's hearing on an issue critical to both our National security and
our economy: Addressing the cybersecurity workforce shortage.
Today, North America's cybersecurity workforce is nearly a half-
million people short--globally, the delta is nearly 3 million.
On a bipartisan basis, this committee has devoted considerable time
to understanding potential consequences of the cybersecurity workforce
shortage, its root causes, and how the Federal Government can most
effectively partner with the private sector to develop cyber talent.
The White House reported last year that malicious cyber activity
cost the U.S. economy between $57 billion and $109 billion in 2016.
Those figures have almost certainly grown since.
We also know that sophisticated foreign adversaries are constantly
seeking novel ways to attack our critical infrastructure and steal
sensitive National security information.
So, it is clear that failing to grow the cyber talent pipeline
could have catastrophic consequences.
As we have worked to better understand the roots of our
cybersecurity workforce shortage, one thing has become clear: We aren't
looking for talent in the right places and, as a result, our Federal
policies are not effectively targeting untapped talent pools.
(ISC)² and the International Consortium of Minority Cybersecurity
Professionals conducted a survey last year that revealed African
Americans make up only 9 percent of the cybersecurity workforce and
Hispanics comprise only 4 percent.
Women are similarly underrepresented.
Over time, we have learned that our workforce shortages stem--in
part--from misconceptions about the education levels required to work
in cybersecurity.
Not all cybersecurity positions require 4-year degrees, and we need
to do a better job making sure the public understands that.
At the same time, women and minority groups holding cybersecurity
jobs tend to have higher education levels but are less likely to hold
management positions or receive salary increases.
That brings me to another observation: The cybersecurity field has
struggled to adapt to the demands of diversity, including being slow to
create opportunities for training and advancement for diverse
candidates.
That is why I am pleased that we have a diverse set of panelists
with a range of experience here today to help us better understand how
we can bring more people into the cybersecurity field.
We need to have a soup-to-nuts conversation about how to attract
new people from different backgrounds to cybersecurity jobs, and then
retain them.
Growing and diversifying the cyber talent pipeline will require the
Federal Government to improve the way it partners with the private
sector and the public to achieve three objectives:
First, we must cultivate an interest in cybersecurity
careers in diverse communities;
Second, we must connect people with educational and training
opportunities;
Finally, we must provide a bridge between training and
careers.
The Federal Government's current workforce initiatives start to
address some, but not all, of these objectives.
For example, the Department of Homeland Security and the National
Science Foundation provide scholarships and stipends to students
seeking cybersecurity-related degrees, and DHS also works with the
National Security Agency to support the designation of over 200
colleges and universities as either National Centers of Academic
Excellence.
And NIST developed the NICE National Cybersecurity Workforce
Framework to match job descriptions with job seekers.
But I am not certain that any of these well-intentioned initiatives
successfully attract new people to the field.
Even the Executive Order on the Cybersecurity Workforce signed
earlier this month is largely silent on diversity.
Indeed, the EO could actually create barriers to growing the cyber
talent pool by implementing "aptitude assessments" for agencies to
use when identifying employees to reskill for cybersecurity.
To fill gaps in the Federal Government's cybersecurity workforce
policy, we need to hear from diverse voices like those before us today.
With that, I thank the witnesses for being here today and look
forward to our discussion.
I yield back the balance of my time.
______
Statement of Honorable Sheila Jackson Lee
May 21, 2019
Chairman Richmond and Ranking Member Katko, thank you for holding
today's hearing on "Growing and Diversifying the Cyber Talent
Pipeline."
This hearing provides Members an opportunity to learn about the
current shortage of skilled cybersecurity professionals, the lack of
diversity in the field, and academic initiatives to address workforce
challenges.
The Federal Government, including the Department of Homeland
Security (DHS), can support efforts to grow and diversify the cyber
talent, and leverage these talent streams to recruit and retain cyber
experts in civil service.
I look forward to the testimony of today's witnesses:
Wesley Simpson, chief operating officer, International
Information System Security Certification Consortium
((ISC)²);
Richard "Rick" Gallot, president, Grambling State
University;
Dr. Amelia Estwick, National Cybersecurity Institute,
Excelsior College; and
Candace Worley, vice president and chief technical
strategist, McAfee (Minority witness).
The cybersecurity field has an expanding shortage of
professionals, with over a quarter-million positions remaining unfilled
in the United States alone and a predicted shortfall of 1.5 million
cybersecurity professionals by 2019.
The solution must be to grow a greater pool of cybersecurity
professionals that are prepared to fill positions within the Federal
Government.
The strength of the U.S. cybersecurity workforce is paramount to
our National security and economic stability, but there are 300,000
unfilled positions in the United States, and close to 3 million world-
wide.
Congress must intervene to stop this gap from widening.
The challenge before the Homeland Security Committee is finding the
right policy that will accomplish the goal of attracting and retaining
cybersecurity professionals within the Federal Government.
I have focused on this problem and have mapped out a comprehensive
approach to meeting the underlying problem: Increasing the pool of
people who would receive essential education in science, technology,
engineering, and mathematics from kindergarten through advanced degree
programs.
In 2017, I was pleased to have been awarded the Executive Women's
Forum's Women in Cybersecurity Leadership Award for my work in
promoting advances in our cybersecurity policy.
I participated on a leading cybersecurity panel at the 2018 Aspen
Institute Cyber Summit in San Francisco.
The Trump administration's new Executive Order on America's
Cybersecurity Workforce does not do enough to grow the cybersecurity
talent pipeline and could unnecessarily exclude qualified candidates by
relying on aptitude assessments, which tend to yield biased outcomes.
Committee Democrats will push the White House to fully leverage
Federal resources to grow and diversify that cybersecurity talent
pipeline.
I was pleased to attend the Aspen Institute to discuss the role of
Government in creating a policy and framework for our Nation which will
protect Government and civilian computer networks by current and future
threats, such as quantum computing, advances in artificial
intelligence, and unknown--but likely and anticipated--threats posed
from future technological innovations on the horizon.
The beginning of the Government's ability to protect networks and
computing technology begins with the talent we can attract to the
Department of Homeland Security.
In our pursuit of closing the gap between minority and majority
participation in cybersecurity, we must also look at promotion and
retention issues as well.
The (ISC)² Global Information Security Workforce Study that
covered the period from June 22 through September 11, 2016, and
features a deeper dive into the diverse composition of the U.S.
cybersecurity workforce to encompass not only gender, age, and tenure,
but ethnicity and race as well.
Among minority cybersecurity professionals, 23 percent hold a role
of director or above, 7 percent below the United States average.
They found that minorities who have advanced into leadership roles
often hold higher degrees of academic education than their Caucasian
peers who occupy similar positions; of minorities in cybersecurity, 62
percent have obtained a master's degree or higher, compared to 50
percent of professionals who identified as White or Caucasian.
The 2017 Global Information Security Workforce Study examined both
conscious and unconscious forms of discrimination in the workplace.
They considered unfair treatment based on gender, age, ethnicity,
or an employee's cultural group.
The survey found discrimination based on ethnicity and gender.
Thirty-two percent of cybersecurity professionals of color who
participated in the survey report that they have experienced some form
of discrimination in the workplace.
Across all races and ethnicities, women experience greater rates of
discrimination in the workplace than men, reporting discrimination in
much greater proportions than men when viewed as a total U.S.
population.
Women who identify as Black, Hispanic, Asian, or of Native American
descent, report the highest numbers of discrimination.
Congresswoman Jackson Lee's Legislative Efforts to Close the
Cybersecurity Workforce Gap
I will soon be reintroducing the Cyber Security Education and the
Workforce Enhancement Act, which seeks to prepare more women and
minority students and early stage to mid-career professionals within
the Federal Government for cybersecurity jobs.
The bill supports:
Recruiting information assurance, cybersecurity, and
computer security professionals;
Providing grants, training programs, and other support for
kindergarten through grade 12, secondary, and post-secondary
computer security education programs;
Supporting guest lecturer programs in which professional
computer security experts lecture computer science students at
institutions of higher education;
Identifying youth training programs for students to work in
part-time or summer positions at Federal agencies; and
Developing programs to support underrepresented minorities
in computer security fields with programs at minority-serving
institutions, including Historically Black Colleges and
Universities, Hispanic-serving institutions, Native American
colleges, Asian-American institutions, and rural colleges and
universities.
The goal of the Cyber Security Education and the Workforce
Enhancement Act is to address underrepresentation of women and
minorities in cybersecurity fields of employment.
Cybersecurity Statistics
In 2016, the Bureau of Labor Statistics reported that African-
Americans comprised only 3 percent of the information security analysts
in the United States, yet comprise nearly 13 percent of the National
population.
Just 2 years ago a security analyst, a position which required a 4-
year degree, was paid on average $88,890 per year.
The top computing security salaries range from $175,000 to $230,00
per year.
The most senior position was chief information security officers
(CISOs), which typically earns $400,000 or more per year.
In 2017 the United States employed nearly 780,000 people in
cybersecurity positions, with approximately 350,000 current
cybersecurity employment vacancies.
In 2017, nearly 65 percent of large U.S. companies have a chief
information security officer, up from 50 percent in 2016.
Women hold only 11 percent of cybersecurity positions globally,
while filling 25 percent of tech jobs, and comprising 50 percent of the
population.
During this time of the year, I speak at commencement exercises and
given these statistics my message to young people is to look to the
cybersecurity field for career and employment opportunities.
There is a similar situation with African Americans which comprise
only 7 percent of the cybersecurity workforce, and Hispanics, who
account for 5 percent of cybersecurity positions although they make up
13 percent of the Nation's population.
Finally, 2 out of 3 high school students indicate that no one has
ever spoken to them about a career in cybersecurity.
These facts mean that we should not have any shortages for
computing security jobs, but that these vacancies exist because of
barriers to entry like education.
Solution for Expanding the Federal Cybersecurity Workforce
The solution is expanding the diversity of those who are
cybersecurity professionals by tapping human capital already within the
Federal Government in new hires or mid-career changes, when we identify
that someone has the aptitude and desire to become a computing security
professional.
African American Pioneers in Computer Science
Katherine G. Johnson, of Hidden Figures fame, graduated from
college at age 18. In 1952, she began working at NASA in its
aeronautics area as a "computer," where she performed the
calculations that assured that when astronauts were sent into orbit
they could be safely returned to earth.
Roy Clay Sr. is known as the Godfather of Silicon Valley. Mr. Clay
was at the cutting edge of computing and technology through his
leadership of HP's first foray into the computer market with its 2116A
computer.
He was inducted into Silicon Valley Engineering Council's Hall of
Fame in 2003.
Mark Dean co-created the IBM personal computer and was instrumental
in the development of the company's PC 5150, which was sold to the
public in 1981.
Mr. Dean also contributed to the development of the color PC
monitor, the first gigahertz chip, and the industry standard
architecture (ISA) system bus.
The personal computers' impact on our world is unmistakable.
In the early days of the computing technology age, computers were
only available to governments and large institutional organizations
because of their size and complexity.
The age of personal computing has paved the way for mobile
computing and handheld computing devices like smart phones.
Women and the History of Computing
Augusta Ada King-Noel, Countess of Lovelace was an English
mathematician and writer, chiefly known for her work on Charles
Babbage's proposed mechanical general-purpose computer.
She was the first to recognize that the machine had applications
beyond pure calculation, and created the first computer program to give
Babbage's machine instructions to carry out a task.
As a result, she is often regarded as the first to recognize the
full potential of a ``computing machine,'' and the first computer
programmer.
Grace Hopper was an American computer scientist and United States
Navy rear admiral, who became the first programmer of the Harvard Mark
I computer and she invented the first compiler for a computer
programming language.
The Executive Women's Forum (EWF) recognizes the contributions
women have made and seeks to expand opportunities for women.
The Executive Women's Forum was founded in 2002, with a mission of
inspiring leaders, transforming organizations and building businesses
through education, leadership development and the creation of trusted
relationships.
Today, the EWF has over a thousand members Nation-wide--from
emerging leaders to senior executives, all of whom benefit from the
organization's programs and events.
EWF members support each other in achieving their goals and
advancing their careers by celebrating each other's accomplishments and
acknowledging the ideas and contributions of the women around us.
Most notably, each year EWF presents Women of Influence Awards to
individuals who have made outstanding contributions in the corporate,
Government/academic and vendor sectors.
The EWF's, ``2017 Global Information Security Workforce Study:
Women in Cybersecurity'' report delivers troubling statistics on areas
we are missing the mark in maximizing the participation of women in the
cybersecurity workforce.
Fifty-one percent of women report various forms of discrimination
in the cybersecurity workforce.
Women who feel valued in the workplace have also benefited from
leadership development programs in greater numbers than women who feel
undervalued.
In 2016 women in cybersecurity earned less than men at every level.
We know that cybersecurity expertise is a critical component of
National security; however, Federal agencies have traditionally
struggled to recruit, retain, and manage a robust cybersecurity
workforce.
The International Consortium of Minority Cybersecurity
Professionals (ICMCP) launched in 2014 with a mission to bridge this
``great cyber divide'' in the cybersecurity profession. ICMCP offers
programs and services to these groups to assist them in gaining skills
and visibility to promote their careers, including:
Mentoring opportunities for entry- and mid-career
cybersecurity professionals;
Networking opportunities;
Skills workshops.
In 2015, I was pleased to host the International Consortium of
Minority Cybersecurity Professionals for its first meeting held on
Capitol Hill.
The vision of ICMCP is to build a pipeline of cybersecurity
professionals at all levels, and support them throughout their careers.
ICMCP efforts have the potential to broaden the pool of available
experienced cybersecurity professionals.
This Congress I introduced H.R. 1981, the Cyber Security Education
and Federal Workforce Enhancement Act, which creates programs to
support underrepresented minorities in computer security fields.
I understand that the supply of educated and certified
cybersecurity professionals is too few when compared with the thousands
of positions that need them.
As a result, talented candidates can demand higher salaries, more
flexible hours, and other benefits that are incompatible with the
Federal hiring process.
Priorities within the workforce have also changed.
For instance, millennials change employers more frequently than
their predecessors and place a high value on flexible work schedules
and professional development opportunities.
I strongly believe that we have untapped talent within the Federal
workforce, and we have potential pools of talented young people who are
in underrepresented communities around the Nation that we must reach
during their formative education to prepare them for potential
cybersecurity careers.
We are not supporting DHS with a policy that would allow the agency
to pursue talent regardless of where it might be found.
So long as DHS attempts to compete for cybersecurity talent in the
same market where the private-sector businesses are competing, the
results will not change.
We must be creative and engage in broader thinking that does not
limit our view of who can be a cybersecurity professional.
Potential for DHS to Succeed in Recruitment and Retention of
Cybersecurity Professionals
The 2017 Global Information Security Workforce Study: Women in
Cybersecurity issued by the Executive Women's Forum, stresses what we
already know; some segments of the workforce are underrepresented in
the cybersecurity field. Women professionals make up only 11 percent of
the cybersecurity workforce despite the escalating growth in the field.
The participation of women in cybersecurity is at 11 percent
although women reported higher levels of education.
These underrepresented groups offer an opportunity to increase the
cybersecurity workforce in the near and long term.
This is important because both Gen Y and Gen Z have significant
numbers of minorities who could significantly close the cybersecurity
gap.
I look forward to working with the Chair and Ranking Members on
increasing diversity in the Federal cybersecurity workforce.
Thank you.
Mr. Richmond. I now want to welcome our panel of witnesses.
First, we have Mr. Wesley Simpson, the chief operating
officer for the International Information Systems Security
Certification Consortium, better known as (ISC)\2\.
(ISC)\2\ is the world's largest IT security organization
for cybersecurity professionals, and we rely heavily on the
studies they produce, and the data they use to track work force
trends in the United States and abroad. I had the pleasure of
speaking at their conference last year in New Orleans.
Next, I would like to welcome my friend, former colleague
in the Louisiana State House, former State senator, and
president Rick Gallot of Grambling State University, an HBCU in
Louisiana that produces 40 percent of the State's African
American computer science graduates, and plans to begin
offering a new bachelor's degree in cybersecurity this year.
I hope you will tell us how we can build better
partnerships to help the Federal Government leverage the talent
coming out of minority-serving institutions like Grambling
State University.
We also have Dr. Amelia Estwick from the National
Cybersecurity Institute at the Excelsior College.
Dr. Estwick has spent her career on the front lines of this
issue; first in the United States Army, then for 15 years at
the National Security Agency, where she was a technical
director for cyber threat operations.
I look forward to hearing her unique perspective as a
veteran, a former Federal official, and in academia, where she
is helping to educate the next generation of cybersecurity
professionals.
Finally, I would like to welcome Ms. Candace Worley, the
vice president and chief technical strategist for McAfee, who
will tell us about some of the good work being done in the
private sector to grow and diversify this cyber talent
pipeline.
Mr. Richmond. Without objection, the witnesses' full
statements will be inserted into the record. I will now ask
each witness to summarize his or her statement in 5 minutes,
beginning with Mr. Simpson.
STATEMENT OF WESLEY SIMPSON, CHIEF OPERATING OFFICER,
INTERNATIONAL INFORMATION SYSTEM SECURITY CERTIFICATION
CONSORTIUM
Mr. Simpson. Mr. Chairman and esteemed Members of the
committee, thank you for inviting me here today to testify on
behalf of (ISC)\2\ regarding the goal of a more inclusive and
diverse cybersecurity work force.
My name is Wesley Simpson, and I am the chief operating
officer for (ISC)\2\, headquartered in the United States.
(ISC)\2\ is the world's largest nonprofit membership
association of certified cybersecurity professionals. We
function as an advocate for the cybersecurity profession, and
as a training and certification body.
Our certifications are approved by the American National
Standards Institute, or ANSI, which is the primary organization
for fostering the development of technology standards in the
United States.
As part of our association's stated mission to inspire a
safe and secure cyber world, we regularly commission market
research and a host of relevant industry topics that help to
inform our global base of more than 140,000 certified members
across more than 170 countries, as well as influence policy
discussions, corporate programs, and educational opportunities.
In the course of doing so, we have issued research related
to the size of the cybersecurity work force gap since 2004. The
state of the industry has changed quite a bit over that time,
and (ISC)\2\ is constantly identifying ways to improve its
research methodology to keep up with the evolution of the
marketplace.
As part and parcel of the work force research, we are in
position to be able to identify the demographic makeup of the
cybersecurity work force as it changes, and I am pleased to
share some of those findings with you today, as well as some
conclusions we might draw from them.
A recent round of work force research was conducted in
2018, and it reveals a cybersecurity work force shortage of
498,000 skilled professionals just in the United States, and
2.93 million globally. This points to a growing gap in the
amount of cybersecurity staff the private sector and governing
bodies indicate they need to maintain optimal security, and the
amount of skilled professionals currently available.
As a point of clarification, this is not meant to indicate
that there are currently one-half open--million open or
unfilled jobs.
As we collectively explore ways in which the talent pool
can be increased, it is important to recognize the clear
underrepresentation of women in the cybersecurity work force.
While Department of Labor statistics indicate that women
make up 47 percent of the overall U.S. labor force, our
research shows that they only constitute 22 percent of U.S.
cybersecurity staff, and only 24 percent of the global staff.
To be more specific, that figure includes anyone from whom
at least 20 percent of their daily job tasks consists of
security-related activities, not just those with cybersecurity
titles. This expands our view to include those with IT roles,
for example, who have some cybersecurity responsibilities. This
change to our methodology was made in 2018 to more closely
mirror the reality of how cybersecurity is executed around the
ground levels, and, more importantly, by who.
We also found that pay and equity between genders remains
an issue, and is something that could affect a woman's decision
to pursue a career in this field.
If we can find ways to attract women to cybersecurity and
make it a welcoming profession, we may be able to decrease the
cybersecurity work force gap to a large degree. There are more
findings specific to our 2019 ``Women in Cybersecurity'' report
found in my written testimony. But I want to highlight the
obvious underrepresentation as a key datapoint for our
discussion here today.
Another underrepresented group identified through our
research is ethnic and racial minorities. Our 2018 study titled
``Innovation Through Inclusion: The Multicultural Cybersecurity
Workforce,'' showed that just 26 percent of the U.S.
cybersecurity work force identifies as non-Caucasian. While
this compares favorably with the Department of Labor statistics
that shows only 22 percent of the overall U.S. labor force is
made up of minorities, this is still a low ratio that could be
improved by creating programs that specifically market the path
to a cybersecurity career to a wider talent pool.
Furthermore, employment among cybersecurity professionals
who identify as racial or ethnic minorities tends to be
concentrated in nonmanagement positions, with fewer occupying
leadership roles, despite being highly educated. Here as well,
our research showed that inequity in pay exists. Despite higher
levels of education, a cybersecurity professional of color
earns less than their Caucasian counterparts, on average.
Under-participation in cybersecurity by large segments of
our potential work force, be it women or minorities, represents
a loss of opportunities for individuals, and a loss of
collective creativity in solving the problems we face in the
field. Not only is this an issue of inequity, it is a threat to
our global economic viability as a Nation.
The major opportunities, as we see them, are stronger, more
focused on equal pay for women and minorities in cybersecurity,
more advancement and leadership opportunities for deserving
professionals, formalized mentorship programs to help unearth
untapped potential and hidden talent, and more programs that
expose young women and minorities to technical skills earlier
in their educational lives.
I thank you for your time today, and look forward to
answering any questions you may have to the best of my ability.
[The prepared statement of Mr. Simpson follows:]
Prepared Statement of Wesley Simpson
May 21, 2019
Mr. Chairman and esteemed Members of the committee, thank you for
inviting me here today to testify on behalf of (ISC)\2\ regarding the
goal of a more inclusive and diverse cybersecurity workforce. My name
is Wesley Simpson, and I am the chief operating officer for (ISC)\2\.
Headquartered right here in the United States, (ISC)\2\ is the world's
largest nonprofit membership association of certified cybersecurity
professionals. We function as an advocate for the cybersecurity
profession and as a training and certification body. Our certifications
are approved by the American National Standards Institute (ANSI), which
is the primary organization for fostering the development of technology
standards in the United States.
As part of our association's stated mission to inspire a safe and
secure cyber world, we regularly commission market research on a host
of relevant industry topics that help to inform our global base of more
than 140,000 certified members across more than 170 countries, as well
as influence policy discussions, corporate programs, and educational
opportunities. In the course of doing so, we have issued research
related to the size of the cybersecurity ``workforce gap'' since 2004.
The state of the industry has changed quite a bit over that time, and
(ISC)\2\ is constantly identifying ways to improve its research
methodology to keep up with the evolution of the market.
As part and parcel of our workforce research, we are in a position
to be able to identify the demographic make-up of the cybersecurity
workforce as it changes, and I'm pleased to share some of those
findings with you today, as well as some conclusions we might draw from
them.
Our most recent round of workforce research was conducted in 2018
and reveals a cybersecurity workforce shortage of 498,000 skilled
professionals in the United States alone, and 2.93 million globally.
This points to a growing gap in the amount of cybersecurity staff that
private sector and Government bodies indicate they need to maintain
optimal security, and the amount of skilled professionals currently
available. As a point of clarification, this is not meant to indicate
that there are currently one-half million open or unfilled jobs.
As we collectively explore ways in which the talent pool can be
increased, it's important to recognize the clear under-representation
of women in the cybersecurity workforce. While Department of Labor
statistics \1\ indicate that women make up 47 percent of the overall
U.S. labor force, our research shows that they only constitute 22
percent of U.S. cybersecurity staff, and only 24 percent of global
staff. To be more specific, that figure includes anyone for whom at
least 25 percent of their daily job tasks consist of security-related
activities, not just those with cybersecurity titles. This expands our
view to include those with IT roles, for example, who have some
cybersecurity responsibilities. This change to our methodology was made
in 2018 to more closely mirror the reality of how cybersecurity is
executed at the ground level, and more importantly, by who. We also
found that pay inequality between genders remains an issue and is
something that could affect a woman's decision to pursue a career in
our field.
---------------------------------------------------------------------------
\1\ U.S. Department of Labor--https://www.dol.gov/wb/stats/NEWSTATS/latest/demographics.htm#LF-SecRaceEthnicity.
---------------------------------------------------------------------------
If we can find more ways to attract women to cybersecurity and make
it a welcoming profession, we may be able to decrease the cybersecurity
workforce gap to a large degree. There are more findings specific to
our ``2019 Women in Cybersecurity Report'' found in my written
testimony, but I wanted to highlight the obvious underrepresentation as
the key data point for discussion here today.
Another underrepresented group identified through our research is
ethnic and racial minorities. Our 2018 study titled, ``Innovation
Through Inclusion: The Multicultural Cybersecurity Workforce,'' showed
that just 26 percent of the U.S. cybersecurity workforce identifies as
non-Caucasian. While this compares favorably to Department of Labor
statistics that show only 22 percent of the overall U.S. labor force is
made up of minorities,\2\ this is still a low ratio that could be
improved by creating programs that specifically market the path to a
cybersecurity career to a wider talent pool.
---------------------------------------------------------------------------
\2\ U.S. Department of Labor--https://www.bls.gov/opub/reports/race-and-ethnicity/2017/home.htm.
---------------------------------------------------------------------------
Furthermore, employment among cybersecurity professionals who
identify as racial or ethnic minorities tends to be concentrated in
non-management positions, with fewer occupying leadership roles,
despite being highly educated. And here as well, our research showed
that an inequity in pay exists. Despite higher levels of education, a
cybersecurity professional of color earns less than their Caucasian
counterparts on average.
Under-participation in cybersecurity by large segments of our
potential workforce, be it women or minorities, represents a loss of
opportunity for individuals and a loss of collective creativity in
solving the problems we face in the field. Not only is this an issue of
inequity, it is a threat to our global economic viability as a Nation.
The major opportunities as we see them are a stronger focus on equal
pay for women and minorities in cybersecurity, more advancement and
leadership opportunities for deserving professionals, formalized
mentorship programs to help unearth untapped potential and hidden
talents, and more programs that expose young women and minorities to
technical skills earlier in their educational lives.
I thank you for your time today and look forward to answering any
questions you may have to the best of my ability.
______
Following are key data points from (ISC)\2\'s two most recent
studies that touch on diversity. The first is the ``Innovation Through
Inclusion: The Multicultural Cybersecurity Workforce'' study (submitted
as Exhibit A) which was released in March 2018 (based on 2017 data from
the (ISC)\2\ Global Information Security Workforce Study--submitted as
Exhibit B). The second is the ``2019 Women in Cybersecurity Report''
(submitted as Exhibit D) (sourced from data within the 2018
Cybersecurity Workforce Study--submitted as Exhibit C). Key data points
from each are identified below.
Minorities in Cybersecurity
The diversity report was developed by (ISC)\2\ and The Center for
Cyber Safety and Education in partnership with Frost & Sullivan.
Although the study is global in its scope, questions of race and
ethnicity were asked only to respondents in the United States. This
report was developed by (ISC)\2\ in partnership with the International
Consortium of Minority Cybersecurity Professionals (ICMCP). Findings
were based on survey responses from 9,500 U.S. cybersecurity
professionals.
Employment among cybersecurity professionals who identify as a
racial or ethnic minority tends to be concentrated in non-management
positions, with fewer occupying leadership roles, despite being highly
educated.
Key Findings
Minority representation within the cybersecurity field is at
26 percent, which is slightly higher than the overall U.S.
minority workforce, which was at 21 percent at the time the
study was conducted.
62 percent of minorities in cybersecurity have obtained a
master's degree or higher, compared to 50 percent of
professionals who identified as White or Caucasian.
23 percent of minority cybersecurity professionals hold a
role of director or above, compared to 30 percent of their
Caucasian peers.
On average, a cybersecurity professional of color earns
$115,000, while the overall U.S. cybersecurity workforce
average is $122,000.
32 percent of cybersecurity professionals of color report
that they have experienced some form of discrimination in the
workplace.
To foster diversity in the workplace, 49 percent of minority
cybersecurity professionals said mentorship programs are very
important.
Conclusions
Despite higher levels of education, a cybersecurity
professional of color earns less and is underrepresented in
senior roles.
Racial and ethnic minorities tend to hold non-managerial
positions, and pay discrepancies, especially for minority
women (women of color make an average of $10,000 less than
Caucasian males and $6,000 less than Caucasian females), is
a challenge.
With the estimated global cybersecurity workforce shortage
at 2.93 million, we need to make the profession inviting to
all.
Understanding the challenges our profession faces related to
diversity is a critical first step in accomplishing that goal
and ultimately addressing the widening cybersecurity workforce
gap.
Mentorship programs and better representation in senior
roles are needed to help advance minority cybersecurity
professionals.
Companies with more diverse workplaces perform better
financially. (Data from McKinsey and Company report titled:
``Is There a Payoff from Top-Team Diversity?'')
Key Takeaway
Under-participation in cybersecurity by large segments of
our potential workforce represents a loss of opportunity for
individuals and a loss of creativity in solving the problems we
face in the field. Not only is this an issue of inequity, it is
a threat to our global economic viability as a Nation. The
major opportunities as we see them are a stronger focus on
equal pay for minorities in cybersecurity, more advancement and
leadership opportunities for deserving professionals, and
formalized mentorship programs to help unearth untapped
potential and hidden talents.
Women in Cybersecurity
On Tuesday, April 2, 2019, (ISC)\2\ issued its 2019 Women in
Cybersecurity Report (sourced from data within the 2018 Cybersecurity
Workforce Study). The headline finding from the report was that women
make up an estimated 24 percent of the global cybersecurity workforce.
It's important to understand where this number came from. The
figure is derived from the Workforce Study, which was actually fielded
twice within the 2018 calendar year in order to confirm the relative
accuracy and integrity of the data. Both waves of research produced the
same statistically valid results.
Last year's global Workforce Study was a departure from the way
past studies have been fielded and the way the workforce gap had been
calculated previously, and that's what has led to a seeming increase of
women in the field from 11 percent to 24 percent over the 2-year period
since we released our last Women in Cybersecurity report. As such, we
do not make the claim that there has been a 13 percent increase over a
2-year period, but we feel that our new methodology (explained in the
section below) provides a more accurate picture than ever before of the
true make-up of the workforce.
IMPORTANT: We did not address the issue of discrimination against
women in this report, so we don't have data to share. While it is an
important topic of discussion in our industry, this particular report
does not address it specifically and we focused on the demographic of
professionals in the workforce as opposed to the hurdles they face.
Methodology
Past (ISC)\2\ research had estimated the percentage of women
working in cybersecurity at 11 percent, but with a change to research
methodology--including surveying IT/ICT professionals who spend at
least 25 percent of their time on security activities--that number is
now believed to be 24 percent. Results presented in the report are
extracted from a study conducted by (ISC)\2\ and Spiceworks in August
2018. The sample structure was carefully designed to obtain feedback
from a diverse group of professionals working in cybersecurity roles
and the survey measured various aspects of working in the cybersecurity
field including workforce staffing shortages, education and skills
needed to do the job, and challenges faced in the profession. One
thousand four hundred fifty-two individuals from North America, Latin
America, and Asia-Pacific participated in the survey. The margin of
error for this research is plus or minus 3 percent at a 95 percent
confidence level.
Below are the 3 key messages that rise to the surface related to
the report. Following those, some notes on other relevant data points
that may be of interest.
Key Findings
(1) Today's figure reflects more women in cybersecurity than
previously estimated
24 percent of the overall cybersecurity workforce is female.
Recruiting from traditionally overlooked demographics will be a
huge part of closing the current global talent gap of 2.93
million. We need more women and more young talent to join us,
as well as individuals who want to transfer other skills into a
career in cybersecurity; and we need to show them why and how
they should do so.
(2) These women are younger, highly educated and moving into
leadership roles
45 percent of women surveyed are millennials, compared to
just 33 percent of men. This will radically alter the gender
balance in the cybersecurity profession in the next decade, as
the Baby Boomer generation continues to retire in larger
numbers.
Women also bring higher levels of education to
cybersecurity. More women (52 percent) in the survey hold a
post-graduate degree than their male counterparts (44 percent).
Women in the field are advancing to leadership positions.
Higher percentages of women than men are attaining senior
leadership and decision-making positions.
Chief Technology Officer--7 percent of women vs. 2 percent
of men
Vice President of IT--9 percent of women vs. 5 percent of
men
IT Director--18 percent of women vs. 14 percent of men
C-level/Executive--28 percent of women vs. 19 percent of
men
(3) There are still challenges to face, including pay inequity
17 percent of women globally reported annual salaries
between $50,000-$90,000, as compared to 29 percent of men, and
15 percent of women earn between $100,000-$499,999, while 20
percent of men earn at least that much.
Other key data points to be aware of:
Women and men have pretty much the same workplace values,
priorities, and aspirations. Both place a similar level of
importance on salary and working close to home and use the same
skills at work.
The report indicates that men and women share a lot of the
same concerns about their roles, including lack of commitment
from upper management, the reputation of their organization,
risk of seeing their job outsourced, lack of work/life balance,
the threat of artificial intelligence (AI) reducing the need
for cybersecurity workers and a lack of standardized
cybersecurity terminology to effectively communicate within
their organizations.
Key Takeaway
Although we now see women making up nearly one-quarter of
the cybersecurity workforce, we need more gender balance in
order to strengthen our National and global cybersecurity
readiness. The opportunities that exist revolve around making
cybersecurity a more attractive career path for women. This
could be supported by enforcement of equal pay between genders
and the creation of more programs that expose young women to
technical skills earlier in their educational lives.
In terms of breaking down the roles in which women participate in
cybersecurity (hence the jump from 11 percent to 24 percent), it is
difficult to draw any hard and fast conclusions and this is a pretty
nuanced point, but I think the first attachment to this email is a good
way to look at the differences. You can see that men disproportionately
outnumber women in the roles of Security Specialist and
Security/Compliance Officer, both of which would be considered ``cybersecurity''
titles that would have been included in our research prior to 2018.
When you add in roles such as Help Desk Technician, IT Director, VP IT
and CTO, you can see that there are a higher percentage of women. Of
course, that doesn't mean there are more women than men because women
still represent a 3-1 minority ratio of the overall total in the
profession, but you can see how that percentage of women starts to
shoot up from 11 percent to 24 percent with the inclusion of the more
general IT roles. Additionally, it's important to understand that our
data prior to 2018 also largely surveyed (ISC)\2\ members as part of
the sample, and our members are required to have at least 5 years of
professional experience in cybersecurity in order to earn a
certification. Therefore, when we opened up the survey to a broader
audience and adjusted the methodology, this led to the inclusion of
many other professionals who, while they have not been certified, are
still doing the work of cybersecurity. That added a larger percentage
of women to the overall count.
Mr. Richmond. Thank you, Mr. Simpson.
I now recognize Mr. Gallot to summarize his statement for 5
minutes.
STATEMENT OF RICHARD J. ``RICK'' GALLOT, JR., PRESIDENT,
GRAMBLING STATE UNIVERSITY
Mr. Gallot. Thank you, Chairman Richmond, Ranking Member
Mr. Katko, and the distinguished Members of the Homeland
Security Subcommittee on Cybersecurity and Infrastructure
Protection.
On behalf of the team at Grambling State University, the
University of Louisiana system, who is represented here by Dr.
Jim Henderson, system president, and historically black
colleges and universities across the United States of America,
we sincerely appreciate this opportunity, and coming
opportunities, to collaborate.
As president of Grambling State University, I am privileged
to lead a campus community that includes more than 5,200
students, and 550 staff and faculty, as well as students who
represent 42 States and 27 foreign countries, to help address
Louisiana and the United States' vital work force needs for the
past 118 years.
Founded in 1901, our university is well-known outside of
the classroom for our historic football and Coach Eddie
Robinson, our world-famed Tiger marching band, and as our motto
being ``the place where everybody is somebody.''
In contrast, it is our innovation inside the classroom that
is the true foundation for our legacy. That foundation is what
provides us the opportunity to share with you today.
For generations, Grambling State University has led
Louisiana in equipping and building the technology work force.
As I mentioned in our submitted testimony, Grambling State
University has produced technology leaders since 1972, partners
with America's largest technology companies on talent
development with IBM, CenturyLink, Microsoft, and many others.
We continue to lead Louisiana in producing African-American
computer science and computer information system graduates.
We are a small but mighty force along Interstate 20, which
is fastly becoming the cyber corridor of North Louisiana. Our
university's record-breaking enrollment growth, increases in
fiscal health and partnerships are helping create Louisiana's
most educated generation in history.
That generation includes students like Jarrid Richards.
Jarrid is a senior in our computer science program, who is a
great example of how holistic investment in minority students
produces expert talent in the fields of technology and
cybersecurity.
Today, we are able to help close the widening cybersecurity
job gap by supporting students like Jarrid. During his time at
Grambling State, there were a few semesters where he
encountered a gap, as many of our students do, between the
amount of aid and his cost to attend. While Jarrid worked three
jobs around campus, there were semesters when without
scholarships and grants, he may not have been able to continue
his education.
When Jarrid was looking for career experience, our
partnership with CLECO, a local energy provider, was able to
provide him his first hands-on experience with network security
and preventing cyber threats.
Those investments and the mentorship of his professor, Dr.
Reddy, positioned Jarrid to finish this year with multiple
internship offers and early conversations about full-time
opportunities when he graduates this fall.
He is just one example of how the collaboration between
HBCUs and powerful partners can help companies, communities,
and, most importantly, students.
I am excited to share that our Governor, Governor John Bel
Edwards, our Board of Regents, our University of Louisiana
system, and communities, see our power and have selected our
university to offer the State's first bachelor's degree in
cybersecurity.
We are honored to lead the next generation of Louisiana
innovation, and are excited to join this committee's historic
discussion on how we can support our country.
We thank you for this opportunity and look forward to
answering any questions, Mr. Chairman, and Ranking Member.
Thank you.
[The prepared statement of Mr. Gallot follows:]
Statement of Richard J. ``Rick'' Gallot, Jr.
May 21, 2019
Thank you to Chairman Richmond, Ranking Member Mr. Katko, and the
distinguished Members of the Homeland Security Subcommittee on
Cybersecurity and Infrastructure Protection. On behalf of the team at
Grambling State University, the University of Louisiana System, and
Historically Black Colleges and Universities across the United States,
we sincerely appreciate this and the coming opportunities to
collaborate on addressing one of America's most critical workforce
development needs.
As president of Grambling State University, I am privileged to lead
a campus community that includes more than 5,200 students, 550 faculty
and staff, and countless North Louisiana constituents who have helped
address the vital workforce needs in our State for 119 years. Founded
in 1901, our University's well-known outside of the classroom for our
historic and the most-winning football coach in history, Coach Eddie
Robinson; our world-famed and Super Bowl-performing Tiger marching
band; and being, as our motto states, ``the place where everybody is
somebody.''
However, it's our innovation inside of the classroom that is the
true foundation for our legacy and what provides the unique opportunity
to share with you.
Today, I am excited to provide background on why we were chosen as
home to Louisiana's first bachelor's degree in cybersecurity and how
HBCUs, like Grambling State, are well-positioned to deliver the highest
return on investment when developing talent in the fields of STEM,
cybersecurity, and related industries.
Since 1972, Grambling State has led Louisiana in producing African
American Computer Science graduates. Our former students have gone on
to lead information technology (IT) and threat prevention efforts for
America's leading companies. From technology providers like CenturyLink
and IBM to consumer and retail giants that include Sara Lee, General
Electric, and General Motors, we have a long legacy of growing the
senior-level talent that helps shape American technology.
Now, that might seem odd to hear of a small school located in rural
North Louisiana, but our achievement isn't uncommon if you know the
story of America's HBCUs. Today, we at Grambling State lead as
Louisiana's No. 1 producer of computer and information science
graduates--in fact, we outpace all others in our State by at least 27
percent. Today, we are weeks from launching America's 13th
Cybersecurity undergraduate program and the first in our State. Today,
we are realizing growth that includes a 5-year enrollment high, a 100
percent increase in our fiscal health score, and an economic impact of
more than $175 million.
In contrast, there is another impactful fact about today that
exists for us and our sister HBCUs. At GSU, while we have a long legacy
of partnering with America's technology giants to grow IT innovators,
we also lead in facing the challenges of deferred maintenance,
recruiting and retaining faculty, and competing for the Federal,
corporate, and partnership dollars that will help us realize our full
vision for workforce development through academic attainment.
Although our Nation's HBCUs make up just 3 percent of colleges and
universities, we produce 27 percent of African-American graduates with
bachelor's degrees in STEM fields. In addition, the National Science
Foundation reports that 21 of the top 50 institutions for educating
African-American graduates who go on to receive their doctorates in
science and engineering, are HBCUs.
At Grambling State, we are proud to stand as a member of a lean,
but mighty force of historically black schools who continue to prove
that we are the best partners for addressing America's workforce
challenges--most uniquely, those in the fields of cybersecurity and
data-driven threat prevention.
As we look forward to a world that is poised to spend $180 billion
on cybersecurity in the year 2021, we don't see our challenges, we see
an opportunity. With the right and robust support, we know that we are
one of America's most critical answers for filling the 3-million-person
job gap that exists globally in cybersecurity today.
The investments, that partners like the Department of Homeland
Security have the ability to make, will do more than just mitigate the
Nation's trillions of dollars in cyber risk. These investments will
also substantively change the trajectory of students, families, and the
communities who are served by HBCUs. Data from the Social Security
Administration shows that your partnership with HBCUs will help raise
the average salary of our graduates by more than 40 percent. In
addition, studies from McKinsey and Company show us that these
more-diverse workforces will help grow company earnings by 14 percent.
When it comes to investing in cybersecurity programs and
initiatives at HBCUs, there is only one way to lose--and that is
through inaction. We are extremely encouraged by the steps the Members
of this committee and leaders throughout our Nation are making to
include historically black schools in the conversation about how we
best protect our Nation.
The positive vibrations of the work you do here on Capitol Hill
will extend all the way to the classrooms and the lives of our students
in North Louisiana. When partners like Governor John Bel Edwards and
Federal agencies get involved, we are empowered to create opportunities
that change the lives of students like Jarrid Richards.
Jarrid is a senior in our computer science program who has ended up
in my office with a need many times. He is a great example of how a
holistic investment in minority students can help positively impact the
trajectory of a person and a company.
During Jarrid's time at Grambling State, there were a few semesters
where he encountered a gap, as many of our students do, between Federal
aid and his cost to attend. And, while Jarrid worked 3 jobs around
campus, there were semesters when without scholarships and grants, he
may not have been able to continue his education. When Jarrid was in
need of career development, our partnership with CLECO, a local energy
provider, was able to provide him his first hands-on experience with
network security and preventing cyber threats.
Those investments and the mentorship of his professor Dr. Reddy
positioned Jarrid to finish this school year with multiple internship
offers and at least two full-time job opportunities that will be
waiting when he graduates this fall.
And, while Jarrid's perseverance and grit may stand out among our
students, his needs do not. He is much like many students at
minority-serving institutions--who just need an opportunity and investment to
become the game-changing answers to the needs of American companies and
communities today.
It's my extreme honor to lead a university who produces thousands
of Jarrids and other innovators who history shows are changing the way
our world works. It is my hope that we, Grambling State and other
HBCUs, will be offered the opportunity to partner in continuing to
secure America's future and producing the workforce talent that will
help our Nation remain a leader in innovation.
Thank you.
Mr. Richmond. Thank you, Mr. Gallot.
All right. I now recognize Ms. Estwick to summarize her
statement in 5 minutes.
STATEMENT OF AMELIA ESTWICK, NATIONAL CYBERSECURITY INSTITUTE,
EXCELSIOR COLLEGE
Ms. Estwick. Thank you, Chairman Richmond and Ranking
Member Katko, and esteemed Members of the subcommittee.
I am proud and honored to appear before you today to
discuss the challenges for growing and diversifying the cyber
talent pipeline. As the director of the National Cybersecurity
Institute at Excelsior College, I will speak passionately on
this topic from my perspectives as a black woman, United States
Army veteran, cybersecurity practitioner, computer science
researcher, educator, and life-long public servant.
My career began in the early 1990's, when I enlisted in the
United States Army, to work in the information security field.
During the Gulf War, it became clear that safeguarding and
protecting our data and resources was paramount to our National
security. Since then, I have earned my bachelor's, master's,
and doctorate degrees in computer science, thanks to earning a
National Physical Science Consortium fellowship that was
sponsored by the National Security Agency while working as a
civilian in the intelligence community.
While 30 years have passed since my entry in the field, I
still have that same sense of urgency. This is why I feel
growing and diversifying the cyber talent pipeline is one of
the most important work force issues we address today.
The recent Executive Order on America's cybersecurity work
force highlights some important programs that the Federal
Government will explore in the near future. As we work
collaboratively to address work force needs, I would like to
recommend a focus on continued support for initiatives that are
already facilitating the growth and diversification of the
cyber talent pipeline.
For one, the importance of higher ed. The job market is
changing rapidly, and occupations in multiple disciplines
increasingly require technological ability, communication
skills, and post-secondary degrees. Associate degrees are often
great pathways to entry-level employment, and recent statistics
state 40 percent of people who earn associate degrees go on to
earn higher degrees.
Working adults can leverage their compensation from work
and tuition assistance benefits from employers to further their
education, and on-line models, like Excelsior College, provide
the flexibility required to continue education while working.
Second thing is creating opportunities for current Federal
employees to earn academic credentials. According to a recent
OPM profile of Federal civilian nonpostal employees, 51 percent
of the Federal work force has a bachelor's degree or higher.
In 2014, the OPM created the Federal Academic Alliance to
provide higher education opportunities to Federal work force at
reduced tuition rates to address the Government-wide skills gap
needs, including the shortages in cybersecurity.
Today, OPM endorses 15 colleges and universities, such as
Excelsior College, and support for more educational
opportunities would be beneficial to the Federal work force.
Three, fostering public and private partnerships.
Cooperation of private industry, academia, and Governmental
agencies on joint cybersecurity initiatives can take advantage
of each sector's complementary strengths. For example, through
apprenticeships, internships, and work-study programs, students
and employees can get first-hand experience with the cyber
threats facing businesses, governments, and nonprofits. Such
experiences are particularly important for individuals seeking
a career change to access the opportunities in cybersecurity.
Also providing employees with opportunities to cross-train will
address the upscaling and rescaling needed for creating a
pipeline of cybersecurity professionals.
Last, addressing the K-12 cybersecurity education. As an
educator and an advocate for equity and inclusion in STEM and
cybersecurity, my outreach activities often place me in
communities with little awareness about how cybersecurity is
applicable to their own lives. This troubles me, because I know
that we need to create sustainable STEM and cybersecurity
programs that emphasize problem solving, critical thinking, and
effective communication skills.
Programs to educate the K-12 ecosystem are important, not
only because there is a--a need--excuse me--to protect our
digital infrastructure, but also because our youth represent
the next generation of cybersecurity professionals.
Mr. Chairman, Ranking Member Katko, and subcommittee
Members, in closing, to address the hundreds of thousands of
jobs that are currently unfilled and will continue to grow
unfilled as technology advances, the work force will need to
have the breadth and diversity of initiatives across multiple
sectors to support the growth and diversity of the cyber talent
pipeline.
This pipeline can be sustained by recruiting, retaining,
and advancing populations, such as military and veterans with
transferrable skills, individuals from underrepresented groups
to include black, Latino, American Indian, Alaskan Natives,
funding initiatives to support cybersecurity programs at
minority-serving institutions, and support for advocacy groups
whose focus on broadening participation within the
cybersecurity field, such as Women in Cybersecurity and
International Consortium of Minority Cybersecurity
Professionals.
Cybersecurity is a shared responsibility, and until we
collaborate at all levels, to include local, State, and
Federal, we will continue to operate in silos with the same
results in the demographic composition of our work force.
I thank the Chairman and the Ranking Member and the
subcommittee for this extraordinary opportunity in providing me
with not only a seat at the table, but also a voice.
I am looking forward to answering any questions you may
have. Thank you.
[The prepared statement of Ms. Estwick follows:]
Prepared Statement of Amelia Estwick
May 21, 2019
Thank you, Chairman Richmond, Ranking Member Katko, and Members of
the House Homeland Security Subcommittee on Cybersecurity,
Infrastructure Protection, and Innovation. I am proud and honored to
appear before you today to discuss the challenges for growing and
diversifying the cyber talent pipeline. According to the 2018 (ISC)²
Cybersecurity Workforce Study, the shortage of cybersecurity
professionals is close to 3 million world-wide, with a shortfall of
approximately 500,000 in North America. In addition, the report states
``63 percent of respondents report that their organizations have a
shortage of IT staff dedicated to cybersecurity while 59 percent say
their companies are at moderate or extreme risk of cybersecurity
attacks due to this shortage.'' Technology has become ubiquitous and
necessary for conducting every facet of our daily lives; however, with
the ever-present host of cyber threats our Nation is facing, it is
imperative we have a workforce that is skilled and educated to address
cyber threats as well as our future technological needs.
My name is Dr. Amelia Estwick, director of the National
Cybersecurity Institute (NCI) at Excelsior College and faculty program
director for the Excelsior College School of Graduate Studies' Master
of Science in Cybersecurity Program. Prior to my academic position, I
spent more than 20 years in Government service within the intelligence
community (National Security Agency) and Uniformed Services (United
States Army). I was the first African-American woman to graduate from
NSA's Computer Network Operations Development Program, which was a
3-year intense cyber operations technical leadership program focused on
all aspects of cyber operations to include: Attack, exploitation, and
defense. At NSA, I held multiple technical leadership positions,
including computer science researcher and senior cybersecurity analyst,
and prior to my departure in 2016, I was one of the few women technical
directors within NSA's Cyber Threat Operations Center; a 24/7/365 cyber
operations center responsible for monitoring and defending Department
of Defense (DoD) networks globally. For me, reaching the technical
director position was a great achievement, considering research by
(ISC)² shows that while ``minority representation within the
cybersecurity field is slightly higher (26 percent) than the overall
U.S. minority workforce (21 percent) . . . racial and ethnic minorities
tend to hold non-managerial positions, and pay discrepancies [prevail],
especially for minority women.'' Although I've had a rewarding
Government career, my concern for the lack of diversity amongst the
cybersecurity workforce ultimately drove me to leave Government service
and join academia to help with the Nation's need to grow and diversify
the cybersecurity talent pipeline.
In 2013, I joined Excelsior College as an instructional faculty
member and subject-matter expert for their graduate cybersecurity
courses. In 2016, I decided to join the college full-time as the NCI
director and cybersecurity thought leader because I believed in its
mission to provide educational opportunities to adult learners through
their on-line programs who live across the United States and
internationally. This call to service rang especially close to my heart
as a veteran and knowing how important it is to provide educational
services to active military members who may be stationed in remote
locations. In 2014, NCI was established as an academic, training, and
research center dedicated to assisting Government, industry, military,
and academic sectors meet the challenges in cybersecurity policy,
technology, and education. In addition, as part of its continuous
efforts to build the cybersecurity workforce and influence an informed
leadership base that implements cutting-edge cybersecurity policy, NCI
launched its Initiative for Women in Cybersecurity (NCI's IWICS). As
the director of NCI, I have been instrumental in collaborating with
organizations, such as Women in Cybersecurity (WiCyS) and the
International Consortium of Minority Cybersecurity Professionals
(ICMCP) to promote activities focused on recruiting, retaining, and
advancing women and minorities in cybersecurity.
Cybersecurity Across the Academic Curriculum
In March 2018, the Journal of The Colloquium for Information System
Security Education (CISSE) published an article ``What Constitutes Core
in a Cyber Security Curriculum?'' which discussed how expansive the
cybersecurity field is and stressed the importance of academic
institutions taking a multidisciplinary approach to teaching
cybersecurity concepts. Cybersecurity curricula were originally rooted
in computer science and technology programs; however, the
operationalization of cybersecurity in our digital society has
necessitated the expansion of a multidisciplinary curricula throughout
the academic landscape. This expansion has impacted all disciplines to
include business, law, health, and finance.
Cybersecurity's multidisciplinary approach is further supported by
the National Information Assurance (IA) Education and Training Programs
(NIETP), which manages the National Centers of Academic Excellence
(CAE) programs designated by NSA and the Department of Homeland
Security (DHS). The goal of the CAE program is ``to reduce
vulnerability in our National information infrastructure by promoting
higher education and research in Cyber Defense (CD) and to produce a
growing number of professionals with expertise in CD disciplines''.
U.S. academic institutions whose cybersecurity programs meet the
rigorous criteria to be either a CAE in Cybersecurity Defense Education
(CDE), Cyber Operations (CO), or Research (R) are given this
designation for a specified amount of years (usually 5 years) and an
institution must apply for redesignation before it expires.
Institutions with the CAE designation serve as National models for
capacity-building of information security programs in higher education,
while at the same time strengthening the Nation's infrastructure.
CAE-designated institutions benefit from internal and external recognition
for faculty and graduates, collaboration opportunities with other
CAE-designated institutions, and funding from Federal, State, and local
organizations. According to the National Centers of Academic
Excellence, more than 230 institutions have been granted the CAE-CDE
designation, including Excelsior College which was designated as a
CAE-CDE in 2014 (and subsequently redesignated in 2019).
Furthermore, a multidisciplinary approach helps to address the
recent Executive Order on America's Cybersecurity Workforce, which
proposed an establishment of a cybersecurity rotational assignment
program, to serve as a mechanism for knowledge transfer and a
development program for cybersecurity practitioners. Providing
educational opportunities along with the rotational assignment program
will encourage upskilling/reskilling the current Federal and
non-Federal workforce to meet the demands of the 21st Century.
The Importance of Partnering With Community Colleges
According to the American Association of Community Colleges'
January 2019 report, students enrolled for credit were 56 percent women
and 38 percent Hispanic/black. Comparing this to the current
demographic statistic from a 2019 (ISC)² Cybersecurity Workforce
Study on Women in Cybersecurity, women make up 24 percent of the
cybersecurity workforce; therefore, partnering with community colleges
to create a cybersecurity career pathway could help to diversify the
cyber talent pipeline.
There are great benefits to partnerships between community colleges
and 4-year colleges that offer on-line education. Associate degrees are
often great pathways to entry-level employment. Working adults can then
often leverage their compensation from work and tuition assistance
benefits from employers to further their education, and on-line models
provide the flexibility required to continue education while working.
Excelsior College partners with more than 100 community colleges across
the United States with 26 of these partners designated as a Center of
Academic Excellence for 2-year programs (CAE2Y). Excelsior works with
community colleges to evaluate their programs for transfer credit into
our Bachelor of Science in Cybersecurity program and help fill the
growing need of cyber professionals. In addition, Excelsior provides
peer mentoring for community colleges that are working to become a CAE.
Fostering Public/Private Partnerships
In 2014, the Office of Personnel Management created the Federal
Academic Alliance (FAA) to provide higher education opportunities to
the Federal workforce at reduced tuition rates to address the
Government-wide skills gap needs, including the shortages in
cybersecurity. Today, OPM endorses 15 colleges and universities, and
focuses on providing tuition support to Federal employees, and in many
cases, their partners and adult children.
With the endorsement of the Chief Human Capital Officers (CHCO)
Council, OPM began leading this effort to:
1. Address current Federal-wide and agency-specific skills gaps,
2. Support career development for Federal employees,
3. Provide greater opportunities for Federal employees to obtain
college degrees, certificates, and/or college credits,
4. Provide this opportunity with colleges and universities that
offer an on-line component to address our world-wide workforce,
5. Provide current college students with a greater understanding of
the Federal Government.
Colleges and universities that make up the FAA, such as Excelsior
College, are vetted by OPM to ensure they meet mission-critical
occupational needs; are in good standing; are not-for-profit; and are
regionally accredited. Most FAA member institutions offer cybersecurity
and/or information technology certificates and degrees (undergraduate
and graduate) to help fill Federal skill gaps. Providing the additional
option for certifications helps to support talent development and
career advancement opportunities.
Educating Students to Prepare and Protect Our National Critical
Infrastructures
The number of cyber attacks targeting our Nation's critical
infrastructures is on the rise. Specifically, in 2013, 59 percent of
the attacks against our critical infrastructure were reported in the
energy sector (ICS-CERT, 2013). A skilled and educated workforce is an
essential component in improving the security posture of our critical
infrastructure. The security program of the nuclear sector is regulated
by the Federal Government with governance under the U.S. Nuclear
Regulatory Commission (NRC). In addition to being competent in
cybersecurity, professionals working in the nuclear and energy
industries need to be aware of specific standards, requirements, and
unique cyber threats.
Excelsior College has a long history of meeting the educational
needs of the nuclear workforce through innovative educational
solutions. In 2014, a degree program was created to address
cybersecurity challenges facing the nuclear industry. Cybersecurity
professionals in the nuclear sector require a broad range of technical
skills; however, few college programs currently exist at the
baccalaureate level to assure that these professionals have the unique
skill sets and knowledge domains needed to protect facilities and our
National security. Additionally, the critical and practical nature of
nuclear and energy sectors calls for enhanced simulation-based learning
to be developed. Due to Excelsior's innovative program, in June 2018,
Excelsior College received a Department of Energy Nuclear Energy
University Programs (DOE-NEUP) grant to purchase a web-based
pressurized water reactor simulator for use in the nuclear engineering
technology program. The $250K grant provides funding to:
- support plant simulation to enhance student achievement of
  higher cognitive learning outcomes through ``learning by
  doing,''
- provide the ability to evaluate and analyze technical
  information during ``dynamic'' situations
- enhance our student's experiential learning activities, and
  by doing so, enhance the student's ability to meet industry
  needs
- enable students to advance their understanding of key
  theories and concepts in the nuclear technology field to better
  protect against cyber threats.
The value of Government funding to support the development of these
lab-based activities means without such support, higher education
institutions might not be able to adopt this important technology.
Therefore, there is an increasing need to expand Government funding of
experiential learning, especially in an on-line environment, where
skills shortages in cybersecurity can only be filled by shifting people
from one industry/occupation to cybersecurity fields.
Excelsior works closely with RCNET (Regional Center for Nuclear
Education and Training) to partner community colleges and corporations
to further advance the integration of cybersecurity measures within the
energy field with the support of the National Science Foundation's
Advanced Technological Education (ATE) program. These programs
implemented at the College directly address the President's Executive
Order (EO) 13800 on Strengthening the Cybersecurity of Federal Networks
and Critical Infrastructure as well as EO on America's Cybersecurity
Workforce to identify and evaluate skills gaps for Federal and
non-Federal cybersecurity personnel with an emphasis on protecting our
Nation's critical infrastructures.
Addressing K-12 Cybersecurity Education
According to Education Superhighway's 2018 State of the States
report, ``40.7 million more students have high-speed broadband in their
classrooms.'' With more than 44 million students connected to the
internet since 2013, this means ``98 percent of school districts can
take advantage of digital learning.'' This is an impressive number for
schools that can provide digital learning for their students in
addition to integrating technology into the classroom as schools become
increasingly reliant on technology and sophisticated IT systems for
teaching, learning, and school operations. If you consider millions of
mobile PCs (such as notebooks/Macs, netbooks, tablets, and Chromebooks)
are being purchased by U.S. K-12 schools every year, think about the
challenges these schools face trying to secure this infrastructure
against cyber threats; a daunting prospect for any school district to
counter. Programs to educate the K-12 ecosystem are important not only
because there's a need to protect these resources, but also this
demographic represents the next generation of cybersecurity
professionals.
One program addressing the K-12 population is the NSA/National
Science Foundation (NSF) GenCyber Program. The GenCyber program
provides summer cybersecurity camp experiences for students and
teachers at the K-12 level. ``The goals of the program are to increase
interest in cybersecurity careers and diversity in the cybersecurity
workforce of the Nation, help all students understand correct and safe
on-line behavior and how they can be good digital citizens, and improve
teaching methods for delivery of cybersecurity content in K-12
curricula. GenCyber is providing a solution to the Nation's shortfall
of skilled cybersecurity professionals by ensuring that enough young
people are inspired to direct their talents in this area, which is
critical to the future of our country's National and economic security
as we become even more reliant on cyber-based technology in every
aspect of our daily lives.''
In 2018, Excelsior College partnered with two Boards of Cooperative
Education Services (BOCES) serving 46 districts with a combined
population of more than 80,000 students throughout New York State's
Capital Region to offer one teacher camp for middle and high school
educators. The GenCyber $100K grant provided Excelsior College and
BOCES an opportunity to offer the first GenCyber cybersecurity camp in
the New York State Capital Region. The camp taught 30 middle and high
school educators from different disciplines and diverse populations
about foundational cybersecurity concepts. GenCyber programs support
the President's EO on America's Cybersecurity Workforce on developing
and implementing educational programs for K-12 which is proposing to
reward an annual Presidential Cybersecurity Education Award to
elementary and secondary school educators who best instill skills,
knowledge, and passion with respect to cybersecurity and cybersecurity-
related subjects.
expanding opportunities for experiential learning
One of the keys to cybersecurity education is ensuring students are
prepared upon graduation with practical, hands-on skills. Employers
need employees with competencies that are directly related to the
threats they encounter within their organizations. Opportunities for
experiential learning allow the student to not only gain real-world
experiences but also the ability to reflect on those experiences and
build on their knowledge, which is important for reskilling/upskilling
cybersecurity professionals. Some examples of experiential learning
are:
Cyber Competitions/Capture-the-Flag (CTFs)/Cyber Ranges
Cyber competitions originated from cyber defense exercises that
were traditionally designed by the U.S. military service. Over the
years, cyber competitions or CTFs have become increasingly popular for
students to partake in to assess their competencies and skills. The
challenges are designed to replicate the type of threats that are
prevalent in the workplace and participants compete with other college
teams to identify and capture flags within the exercises. Besides the
hands-on experiences, students benefit from each other in acquiring the
soft skills that are sometimes lacking in the technical arena, such as:
Teamwork, leadership, communication, and problem solving which are all
crucial skills to have in cybersecurity. The President's EO on
America's Cybersecurity Workforce supports a plan to develop ``an
annual cybersecurity competition (President's Cup Cybersecurity
Competition) for Federal civilian and military employees. The goal of
the competition shall be to identify, challenge, and reward the United
States Government's best cybersecurity practitioners and teams across
offensive and defensive cybersecurity disciplines.'' NCI, through our
student chapter of the National Cybersecurity Student Association
(NCSA), has sponsored Excelsior students for the past 4 years to
compete in cyber competitions, which resulted in several of our teams
placing among the top 100 National teams.
Apprenticeships/Internships/Work-Study
While colleges and universities can and do infuse lab simulations,
tabletop exercises, and case studies within their courses, internships
(both virtual and in-person) provide opportunities for students to work
within the contexts of the real world. As part of these programs, they
can get first-hand experience with the issues facing business,
Government, and nonprofits. This is particularly important for
individuals looking to change their career to take advantage of
opportunities in cybersecurity. At Excelsior College, we have worked on
developing an option for students to complete an internship for credit.
By participating in internships, students gain practical work
experience that they can use to demonstrate their skills and potential
to future employers. For employers hosting interns, there is a
potential to increase capacity in the short term and build talent
pipelines in the long run. The internship course at Excelsior College
is a 15-week instructor-led course that runs simultaneous to the
internship experience. Students are expected to spend 9 hours per week
on their internship experience and work activities and write a weekly
reflective journal about the applicability of the experience to their
degree program and future career plans.
conclusion
Mr. Chairman, in closing, there are several efforts that support
growing and diversifying the cyber talent pipeline; however, we must be
mindful of how those programs are executed to ensure equitable
representation of women and minorities in the cybersecurity profession.
As stated by Rick Ledgett, former deputy director of the National
Security Agency, ``Getting more women and minorities into that cyber
security workforce will be the key to addressing the current and
expected labor shortfalls.''
With a shortfall of approximately 500,000 North America-based
cybersecurity jobs, as a society we should be using all resources at
our disposal to provide career pathways to ensure these jobs are
filled. For me, it starts with early education at the K-12 level where
education can help protect key resources and we are able to build
competencies in the next generation of cybersecurity professionals. It
continues with partnerships across multiple sectors, where
organizations can work together to expand the workforce. And it works
best when we have identified the key competencies and skills required
to protect our critical infrastructures specifically and our National
security generally.
Thank you for the opportunity to testify before you and the
subcommittee, and I look forward to any questions you may have.
Mr. Richmond. Thank you for your testimony. Thank you for
your service. Let me apologize for calling you Ms. Estwick as
opposed to Dr. Estwick. It was well-earned, and I should make
sure that I call you by that title.
We are going to stand in recess until we go vote. We will
be back, hopefully, at somewhere around 15 minutes--on the
worst side, maybe about 20, but it is Government, so who knows.
We will stand adjourned--in recess. I am sorry.
[Recess.]
Mr. Richmond. We are going to call the subcommittee back to
order, and we left off with Ms. Worley.
If you will take the time to summarize your testimony in 5
minutes, we appreciate it.
STATEMENT OF CANDACE WORLEY, VICE PRESIDENT AND CHIEF TECHNICAL
STRATEGIST, McAFEE
Ms. Worley. Mr. Chairman, Ranking Member Katko, and Members
of the subcommittee: Thank you for the opportunity to testify
today. I am Candace Worley, vice president and chief technical
strategist for McAfee, a device-to-cloud cybersecurity company.
I am pleased to address the subcommittee on the need to
grow and diversify the cybersecurity talent pipeline. It goes
without saying that every cybersecurity organization, including
Government, suffers from a shortage of cyber talent.
No matter how committed we are to the cause of securing the
digital world, we have to have enough people, we need to train
enough people to fill these jobs.
It is not just about filling security roles. There is an
economic element to the cybersecurity challenge. McAfee worked
with CSIS in 2018 to refresh a study that we initially did in
2014 around the economics of cyber crime. That research showed
that cyber crime is worth approximately $170 billion in GDP
annually in North America and between $400- and $600 billion
globally.
If we can recapture even half of that money back into the
positive side of our economy, that would be a huge growth
engine for the North American economy as well as the global
economy. We will not be able to do that unless we have cyber
professionals available and in organizations to help secure
both Government and the private sector against those attacks.
Today, I will make 5 recommendations for addressing the
cybersecurity talent shortage challenge.
First, we must increase the CyberCorps Scholarship for
Service program, SFS, which is administrated through the
National Science Foundation, and provides grants to
approximately 70 institutions across the country, enabling 10
to 12 students per institution to get those scholarships. After
they graduate, these students go to work in the Government for
at least the same amount of time as they receive support in
their education.
What we found is that they tend to remain in the Federal
Government even longer. So this program is not only a great
program for the student, it also enables the Federal Government
to compete more readily with private industry for those
employees. Because they are already employees of the Federal
Government, they tend to stay longer.
Since fiscal year 2018, the program's funding has remained
flat at $55 million annually supporting these scholarships.
That allows about 2,000 students to get scholarships. We are
recommending that Congress should increase these funds to
around $200 million annually, which would enable about 6,400
students to receive scholarships and continue to enable the
Federal Government with cybersecurity talent.
SFS should also be made available to more than just the
current 70 land grant institutions. This stipulation is
needlessly limiting, if we really want to increase the talent
pool.
Second, we must expand the SF program to community
colleges, where approximately 57 percent of students are women
and 41 percent are minorities. Additionally, many individuals,
who are going back to retrain for a second or third career,
choose a community college rather than a 4-year institution.
That population has great experience that could be relevant in
addition to the cybersecurity curriculum for filling open
roles.
Third, a strong cybersecurity operation requires different
levels of skills. Not everyone needs a Ph.D. or a computer
science degree to work in a security operations center. We, in
industry, and Government, should be considering our hiring
requirements, and opening those requirements up to people
beyond those that just have a degree, for certificate and other
training programs, can do the job just as well for many of the
positions that are open. In fact, we may also contemplate other
opportunity for vocational programs to be developed.
Fourth, to ensure we are coming up with the most creative
solutions possible to address current and future cybersecurity
challenges, we must focus on a diverse pipeline of talent. We
need people with diverse perspectives and capabilities who can
think critically about the cybersecurity problems. That
talented pool should be diversified from many perspectives.
Certainly race, gender, experience, but also looking at people
like gamers, veterans, retirees, who bring a unique set of
experiences and capabilities to the discussion.
Finally, we must develop creative approaches to enabling a
public and private partnership, particularly during significant
cybersecurity events where we need that collaboration in order
to solve serious problems.
We should design a mechanism for cyber professionals to
move back and forth between the public and private sector so
that Government organizations would have a continual refresh of
expertise.
The Executive Order on America's cybersecurity work force,
issued earlier this month, is a good step in that direction. We
also support wide-spread adoption of the Cybersecurity
Workforce Framework developed by the National Initiatives for
Cybersecurity Education.
At McAfee, we are walking the walk when it comes to
implementing solutions to increase diversity and inclusion
among our ranks. We achieved pay parity, making McAfee the
first pureplay cybersecurity company to do so. To recruit
diverse talent, we ensure job descriptions have inclusive
language, and recruiters understand diversity and value-based
interviewing as an integral part of our process.
We also invest in enabling our employees to take time to
train local high schools and grade schools on an on-line safety
program that we have developed targeting children so that they
better understand the risks associated with the digital world.
Feeding the pipeline with smart, talented, and diverse
individuals is critical to developing and maintaining the next
generation work force that will defend American companies and
the Government from growing cyber threats.
Thank you for your interest in this topic, and I will be
happy to answer questions as it proceeds.
[The prepared statement of Ms. Worley follows:]
Prepared Statement of Candace Worley
May 21, 2019
Good afternoon, Chairman Richmond, Ranking Member Katko, and
Members of the subcommittee. Thank you for the opportunity to testify
today. I am Candace Worley, vice president and chief technical
strategist of McAfee, LLC.
I am pleased to address the subcommittee on the need to grow and
diversify the cyber talent pipeline. My testimony will address the
cybersecurity skills gap and workforce shortage, the need for
investment in training programs and cross-training more cyber experts,
the role the Federal Government can play to grow a diverse cyber
workforce generation and how we can work together to address the
challenges we currently face to diversify and grow the talent pipeline.
First, I would like to provide some background on my experience and
McAfee's commitment to cybersecurity and developing a diverse cyber
workforce. At McAfee, I manage a world-wide team of technical
strategists who drive thought leadership and advance technical
innovation in McAfee security solutions. I have held a number of
technology leadership positions, including 5 1/2 years as the vice
president and general manager of McAfee's Enterprise Endpoint Security
business.
mcafee's commitment to cybersecurity and growing the talent pipeline
McAfee is the device-to-cloud cybersecurity company. Inspired by
the power of working together, McAfee creates enterprise and consumer
solutions that make our world a safer place for the benefit of all. Our
holistic, automated, open security platform and cloud-first approach to
building security solutions allow all security products to coexist,
communicate, and share threat intelligence with each other anywhere in
the digital landscape. Our customers range from Government agencies to
all sizes of business to millions of home users.
We and every other cybersecurity organization, including the
Government, suffer from a shortage of talent. No matter how committed
we are to the cause, if we want to truly make the world safer, we must
train more people to fill the jobs that ensure our security.
the cybersecurity talent gap
In 2016 the Center for Strategic and International Studies (CSIS)
and McAfee undertook a study titled Hacking the Skills Shortage based
on a global survey of IT professionals. Some of the findings about the
cybersecurity talent gap include:
82 percent of those surveyed reported a lack of
cybersecurity skills within their organization.
71 percent agreed that the talent shortfall makes
organizations more vulnerable to attackers, and 25 percent say
that lack of sufficient cybersecurity staff has actually
contributed to data loss or theft and reputational damage.
76 percent of respondents said their governments are not
investing enough in programs to help cultivate cybersecurity
talent and believe the laws and regulations for cybersecurity
in their country are inadequate.
Since that study nearly 3 years ago, the numbers haven't improved.
According to a recent (ISC)² study, the global cybersecurity workforce
shortage has reached 2.93 million professionals. The cybersecurity
skills shortage is equally troublesome within the Federal Government.
Given the vital role Government agencies such as the Departments of
Defense, Homeland Security, as well as the intelligence agencies play
in protecting the United States, policy makers must address the skills
gap and work to reduce it.
Recent Administration Efforts
The President's Executive Order on America's cybersecurity
workforce, issued earlier this month, is a critical step toward helping
solve the cybersecurity skills shortage. As a cybersecurity company,
McAfee is a strong proponent of the wide-spread adoption of the
cybersecurity workforce framework created by the Department of Homeland
Security's (DHS) National Initiative for Cybersecurity Education (NICE)
and supports the development of a rotational program for Federal
employees to expand their cybersecurity expertise. McAfee has aligned
the skills it seeks in candidates and its job requirements with the
NICE guidelines.
We are also encouraged by the creation of the President's Cup
Cybersecurity Competition designed to reward top cyber performers. This
program was modeled after successful private-sector initiatives and
shows how cross-sector collaboration is essential to alleviating the
cybersecurity workforce shortage. It is critical that we work to
eliminate barriers for those entering the cybersecurity fields and
increase educational opportunities to ensure talented people from
diverse backgrounds can fill the growing IT and cybersecurity talent
deficit.
The administration's Executive Order is a step forward; however, it
can't on its own solve the issue of a dwindling cybersecurity
workforce. We have long advocated for eliminating barriers to entering
the cybersecurity fields, and we encourage the Government to support
programs that increase educational opportunities to ensure talented
people from diverse backgrounds can join the growing cyber industry.
Following are some recommendations for training and incentivizing
more people to enter the cybersecurity field.
recommendations
Increase the NSF CyberCorps Scholarships for Service Program
To grow the talent pipeline and close the cyber workforce gap,
Congress should focus on expanding existing programs that train
students in the fields valued by the cybersecurity industry.
The CyberCorps Scholarship for Service (SFS) program is designed to
increase and strengthen the cadre of Federal information assurance
specialists that protect Government systems and networks. The program,
administered through the National Science Foundation (NSF), provides
grants to about 70 institutions across the country to offer
scholarships to 10-12 full-time junior and senior college students
each. With this structure, students are awarded free tuition for up to
2 years in addition to annual stipends--$22,500 for undergraduates and
$34,000 for graduate students. There are also allowances for health
insurance, textbooks, and professional development.
Upon completing their coursework in areas relevant to cybersecurity
and a required internship, students earn their degrees and go on to
work as security experts in a Government agency for at least the amount
of time they have been supported by the program. After that, they can
apply for jobs in the public or private sector.
To date, the Federal Government has made a solid commitment to
supporting the SFS program. The program was funded at $55 million in
2019 and NSF is requesting the same amount for their 2020 budget. At a
baseline, an investment of $50 million pays for roughly 2,000+ students
to complete the scholarship program. We can do better!
Given the substantial cyber skills deficit, policy makers should
significantly increase the size of the program to the range of $200
million. If this level of funding were appropriated, the program could
support roughly 6,400 scholarships. This investment would make a dent
in the Federal cyber skills deficit, estimated to be in the range of
10,000 per year by Tony Scott, then Federal CIO, in 2015.
Unfortunately, the 10,000-person talent deficit continues to exist
today.
At the same time, this level of investment could help create a new
generation of Federal cyber professionals who could serve as positive
role models for middle and high school students across the country to
consider the benefits of a cyber career and Federal service. On a long-
term scale, this positive feedback loop of the SFS program might be its
biggest contribution.
While the CyberCorps SFS program is laudable, it is currently
available only to 70 institutions--and all are land grant colleges.
Current law limits SFS scholarships to research universities. This
policy needlessly limits access to scholarships for qualified students
from hundreds of universities and colleges around the country. In
addition to expanding the funding, the scholarship program should be
expanded to include other learning institutions, given the large number
of talented and deserving students in our country.
Expand the NSF CyberCorps Scholarships for Service Program to Community
Colleges
We should consider expanding--or creating a similar program--for
community colleges. If we are going to close the cybersecurity talent
gap across the country, we should focus resources on students pursuing
associate degrees, which are valued in an industry that does not
necessarily require a PhD or 4-year computer science degree. A strong
security operation requires different levels of skills, and having a
flexible scholarship program at a community college could benefit a
wide variety of applicants while providing the profession with other
types of necessary skills.
Community colleges also attract different types of students than 4-
year institutions. Some are recent high school graduates, but many are
working adults and returning students looking for a career change or
valuable skills training.
Recruiting from community colleges would further a diverse cyber
workforce. Data shows that 57 percent of community college students are
women and 41 percent are minorities. Additionally, community college
tuition is more economical than a 4-year university. In-State community
college tuition is about one-third the cost of in-State 4-year
colleges, meaning the scholarship funds would go further with a program
focused here.
Such an expanded program, through a public-private partnership,
could attract high school graduates who don't yet have specific career
aspirations into focusing on cybersecurity. The Federal Government
could fund all or part of the tuition remission for students, while
private companies could help develop coursework in cybersecurity.
Interested students would have the opportunity to learn from college
faculty and private-sector practitioners.
For example, an IT company could offer several faculty members or
guest lecturers to participate during a semester. Students would
receive free tuition--paid by a Federal program, perhaps with private-
sector contributions--but would not receive a stipend for living
arrangements, as 4-year college students do in the CyberCorps program.
Students would receive a 2-year certificate in cybersecurity that would
be transferrable to a 4-year school. Like the CyberCorps program,
graduates would spend the same amount of time as their scholarship
period working in a guaranteed Government job.
A program like this has the benefit of bringing in private-sector
experts, interesting younger students who have not yet made a career
commitment, interesting veterans, attracting a diverse range of
students, and likely costing the Government less--once the start-up
costs are accounted for. Such a program should not substitute but
rather complement the existing, highly-valued CyberCorps SFS program.
Furthermore, a candidate should not need to have a degree or
certificate from a college to be a well-trained cybersecurity
professional. Certificate programs provide valuable training, and there
are increasingly more of these. In order to take advantage of these
individuals, however, governments and businesses would have to change
their hiring requirements. It is not necessary to have a college degree
to work in cybersecurity, and requirements should be updated to reflect
that.
Foster Diversity of Thinking, Recruiting, and Hiring
Cybersecurity is one of the greatest technical challenges of our
time, and we need to be as creative as possible to meet it. In addition
to continually advancing technology, we need to identify people from
diverse backgrounds--and not just in the standard sense of the term. We
absolutely need to diversify the talent pool in terms of race,
ethnicity, gender, and age, all of which lead to creating an inclusive
team that will deliver better results. Research on large, innovative
organizations has shown that gender and racial diversity improves
organizations' financial performance. The title of this article in
Scientific American states the case well: How Diversity Makes Us
Smarter: Being around people who are different from us makes us more
creative, more diligent and harder working. McAfee believes we need to
focus on hiring a diverse workforce, which will in turn make us an even
stronger company.
There are, however, additional ways to diversify our talent pool.
We should seek out gamers, veterans, people working on technical
certificates, retirees from computing and other fields such as
psychology, liberal arts as well as engineering. There is no one
background required to be a cybersecurity professional. Of course we
need people with deep technical skills, but we also need teams with
diverse perspectives and capabilities.
Cyber attacks are diverse and complex, ranging in scope from
organized crime to recreational vandalism to hacktivism to State-
sponsored initiatives. Orchestrating a robust cyber defense requires a
breadth and depth of backgrounds, skills, and experiences to respond to
and mitigate innumerable threats, many of which haven't even been
invented yet.
When looking for cybersecurity talent, it's easy to ask, ``What
degrees are needed?'' or ``What certifications should be required?''
But cyber moves quickly; we need people who can think and move quickly
with it. McAfee's CTO Steve Grobman once said, ``Computer Science is a
great field for people who hate to be bored.'' Degrees and
certifications are a great way to demonstrate current knowledge. Yet
when I'm hiring, I care less about what you know now than what you have
the capacity to understand and respond to 2, 3, or 5 years from now.
Technology will change, the infrastructure will change, but the need to
think critically and respond to a variety of challenges will not
change. Complexity will only increase, and we need cybersecurity
professionals who will evolve with it.
Public-Private Sector Cross-Pollination
We also must develop creative approaches to enabling the public and
private sectors to share talent, particularly during significant
cybersecurity events. We know that the adversary is constantly
innovating and changing course, often reacting to new defensive
capabilities the private sector develops. It's unrealistic to think
that Government cyber practitioners would be able to keep up with such
a rapidly evolving environment without private-sector assistance. We
should design a mechanism for cyber professionals--particularly
analysts or those who are training to become analysts--to move back and
forth between the public and private sector so that Government
organizations would have a continual refresh of expertise.
One way to accomplish this would be for DHS to partner with
companies and other organizations such as universities to staff a cadre
of cybersecurity professionals--operators, analysts, and researchers--
who are credentialed to move freely between public and private-sector
service. These professionals, particularly those in the private sector,
could be on call to help an impacted entity and the Government respond
to a major attack in a timely way.
Both Government and private-sector cybersecurity professionals
would benefit from regular job rotations of possibly 2 to 3 weeks each
year. This type of cross-pollination would help everyone share best
practices on technology, business processes, and people management. DHS
should include a flexible, public-private pool of certified
professionals in its plan to rewrite its cybersecurity hiring and
retention plan. If DHS is not ready to act, Congress should establish a
blue-ribbon panel of public and private-sector experts to study how a
flexible cadre of cybersecurity professionals could be started and
managed. Much like the National Guard, a flexible staffing approach to
closing the skills could become a model of excellence.
how technology can help alleviate the problem
Even though we should work hard and think creatively to fill it,
the cyber skills gap won't be closed any time soon. In the meantime,
we must rely on technology more and more.
Human-Machine Teaming
One strategy for addressing the cybersecurity skills deficit is to
use automation--through such solutions as machine learning and
artificial intelligence. Legacy IT systems, however--like many of those
in the Federal Government--lack the ability to take advantage of the
most contemporary security architectures and development techniques.
While it is possible to isolate or wrap security around a legacy
system, the approach is far inferior to a well-designed secure
implementation designed for the security challenges of 2019 and beyond.
This speaks to the need for investments in IT modernization and
modern cybersecurity solutions, which an earlier Executive Order
addressed. We support these much-needed policy changes, which will
allow for better use of automation, or machine learning.
The ideal situation for now is what McAfee calls human-machine
teaming. This means taking advantage of the particular strengths of
each. Machine learning can save security teams both time and energy, as
it is the fastest way to identify new attacks and push that information
to endpoint security platforms. Machines are excellent at repetitive
tasks, such as making calculations across broad swaths of data. That's
one of the strengths of machine learning: Its ability to crunch big
data sets and draw statistical inferences based on that data, detecting
patterns hidden in the data at rapid speed.
Humans, on the other hand, are best at insight and analysis. With
the assistance of machine learning, human analysts can devise new
defenses quickly, adapting to attackers' automated processes and
limiting their effectiveness. The human intellect is capable of
thinking like an adversary and understanding a scenario that might
never have been executed in any environment previously. Machines can
take over some simple processes--automating them so the humans can be
free to understand context and implication, such as why a bad actor
might want to attack a Government agency.
mcafee's commitment to closing the skills gap
While we recognize there is still more to do, we're proud to
describe the strides we're making at McAfee. We believe we have a
responsibility to our employees, customers, and communities to ensure
our workplace reflects the world in which we live. Having a diverse,
inclusive workforce is the right thing to do, and after we became an
independent, stand-alone cybersecurity company in 2017, we made and
have kept this a priority.
At McAfee, we're walking the walk when it comes to implementing
solutions to increase diversity and inclusion among our ranks. This
business model is essential to the cybersecurity industry's success.
Studies show time and again that diverse perspectives and human
experiences lead to more creative approaches to solving challenges, and
we know that inclusive teams deliver better results.
Pay Parity
Our most recent accomplishment was to audit our global employee
base to look into pay parity. In April 2019 we achieved pay parity,
making McAfee the first pureplay cybersecurity company to do so. It
required an investment of $4 million to make salary adjustments on
April 1. We'll continue to adjust the pay gap and uphold pay parity
with annual analysis.
Holding Ourselves Accountable
In 2018, our first year as an independent company, we released our
first Inclusion and Diversity Report. The report demonstrates our
commitment to building a better workplace and community. Highlights
include:
In 2018, 27.1 percent of all global hires were female and 13
percent of all U.S. hires were underrepresented minorities.
In June 2018, we launched our ``Return to Workplace''
program for men and women who have paused their career to raise
children, care for loved ones, or serve their country. The 12-
week program offers the opportunity to reenter the tech space
with the support and resources needed to successfully relaunch
careers. As a result, 80 percent of program participants were
offered a full-time position at McAfee.
Last year, we established the Diversity & Culture Council, a
volunteer-led global initiative focused on creating an
infrastructure for the development and maintenance of an
integrated strategy for diversity and workplace culture.
Council responsibilities include implementing a company-wide
inclusive culture by supporting diversity goals, providing a
platform for open and efficient employee feedback, and enabling
best-practice sharing from local sites on company initiatives.
McAfee CEO Chris Young joined CEO Action for Diversity
Inclusion, the largest group of CEOs and presidents committed
to act on driving an inclusive workforce. By taking part in CEO
Action, Young personally commits to advancing diversity and
inclusion with the coalition's three-pronged approach of
fostering safe workplaces:
Create and maintain trusting workplace environments that
support open dialog,
Share best practices and lessons from unsuccessful
practices for others to learn from,
Implement and expand unconscious bias education.
When hiring new talent, we keep to these principles:
Inclusive language in job descriptions.--We leverage tools
to better understand the impact of our language in job
descriptions. After analysis, we made alterations that now
offer gender-neutral language that speaks to all candidates.
Recruiters who know diversity.--Our dedicated team of
trained recruiters know where to show up and more importantly,
how to show up, to recruiting events. In 2018, we expanded our
team focused on diverse hiring to bring top talent into our
pipeline.
Values-based behavioral interviewing.--All recruiters and
hiring managers are trained to use our values-based behavioral
interview approach, which encourages interviewers to ask
questions related to our values, resulting in more meaningful
interactions.
Diverse representation on hiring panels.--We have trained
more than 60 female employees in values-based behavioral
interviewing, and we leverage them across the globe to ensure
diverse representation on each interview panel.
Referral bonuses for diverse hires.--In 2018, we launched
global referral bonuses for hires of female employees into the
Sales organization. As a result, our Sales organization
experienced a 131 percent increase in new female hires.
Outreach at conferences and events.--In 2019, we plan to
continue our investment in events that focus on diversity and
will hone our approach, so we attend fewer, more strategic
events and build stronger relationships.
Investing in the Next Generation Workforce
Investing in a diverse pipeline is essential to the development of
a strong cyber workforce for the future. McAfee is proud to support the
community to establish programs that provide skills to help build the
STEM pipeline, fill related job openings, and close gender and
diversity gaps. These programs include an On-line Safety Program,
on-site training programs, and internships for high school students. Our
employees also volunteer in schools to help educate students on both
cybersecurity risks and opportunities. Through volunteer-run programs
across the globe, McAfee has educated more than 500,000 children to
date.
As part of McAfee's new pilot Achievement & Excellence in STEM
Scholarship program, McAfee will make 3 awards of $10,000 for the
2019-2020 school year. Twelve students from each of the 3 partner schools
will be invited to apply, in coordination with each partner
institution's respective college advisor. Target students are college-
bound, high school seniors with demonstrated passion for STEM fields,
who are seeking a future in a STEM-related path. This type of a program
can easily be replicated by other companies and used to support the
growth and expansion of the workforce.
next steps to address the challenges
Finally, I would like to stress the importance of allocating time
for advocacy by current cyber professionals to recruit and retain the
next generation. As a woman in tech, I know first-hand the pressure to
prove yourself--not only for your own career success, but as a
representative of your culture or gender. It can be extremely difficult
to deliver excellence in your day job and carve out time to engage and
lift up the next generation. If we are going to inspire and empower a
new and diverse corps of cybersecurity professionals, we must
prioritize time for current role models to advocate, inspire, and
recruit.
McAfee strongly recommends that any future initiative include
commitments by industry to provide diverse technical professionals--not
only by gender and race, but skillset and experience--to teach and
mentor. We also recommend that students accepted into a CyberCorps
program spend time teaching cyber safety to America's K-12 youth. When
we build an entire continuum--each stage of cybersecurity experts
uplifting and empowering the generation after it--then we will truly,
systemically achieve our National objective.
conclusion
It has been an honor to appear before this distinguished panel of
policy makers. Thank you, Chairman Richmond and Ranking Member Katko,
for your dedication to growing and diversifying the cybersecurity
workforce. Feeding the pipeline with smart, talented, and diverse
individuals is critical to developing and maintaining the next
generation workforce that will defend American companies and the
Government from growing cyber threats. The future of cybersecurity can
be bright, if we're able to harness the potential of all people to
create a growing and diverse talent pipeline.
In the near future, I hope that we think of cyber as one of the
most diverse fields of people and skill sets who will meet the
challenges of protecting public and private-sector institutions from an
array of cybersecurity threats. We should increase the NSF CyberCorps
Scholarships for Service Program to include more students, encourage
students from community colleges to pursue careers in cyber, and focus
on diversity and inclusion in the pipeline.
Thank you, and I'll be happy to answer any of your questions.
Mr. Richmond. I want to thank all of the witnesses for
their testimony. I will remind each Member that he or she will
have 5 minutes to question the panel.
I will recognize myself. I will yield it to Ms. Slotkin.
Other than that, we may not have the time to get you in and out
of here. So I will yield my time to Ms. Slotkin.
Ms. Slotkin. Thank you, Mr. Chairman.
So I am from Michigan, and in my district, we have this
fantastic cybersecurity program at one of our local high
schools. I went and visited there. So young people are
literally starting to learn to code and to do all of the sort-
of training for cybersecurity experts. They are being recruited
straight out of college, right? Some of them are being asked to
forego any higher education just because we are so desperate in
Michigan for cybersecurity talent.
So tell me what more we can be doing, particularly in rural
areas, right. The high school I am talking about is a rural
school, and it has been a fantastic program for us.
Tell me what I can do if I have rural schools who want
their kids to go into this desperately-needed job, but they
just don't know where to look first?
Mr. Gallot. Well, I guess I will just jump in real quick.
I think creating partnerships and pipelines within
education is a key. One of the things that we do in--in
Louisiana, we have got Bossier Parish Community College that
provides an associate's degree. Grambling will have the
bachelor's degree; Louisiana Tech, 5 miles down the road, has a
master's program.
So creating the pipeline from that high school to either a
community or junior college and then to university, I think, is
something that has worked for us. When you think about the
support we provide at Cyber Innovation Center, Barksdale Air
Force Base in Bossier City, and the other private companies in
that area, I think creates a good pipeline and a diverse
pipeline of cybersecurity workers.
Ms. Slotkin. I apologize. We mentioned this when I wasn't
here. But, you know, we have experience, particularly in the
U.S. military, with saying certain career fields are really in
desperate need, and we have incentives for people to join the
military, they have special skills, like if they speak Chinese
or Russian.
Can you tell me what you would do to incentivize,
particularly the military and Government agencies, since we
often lose out to private sector who pay better?
Mr. Simpson. Sure. I will jump in here on this one. So
there are a lot of great transitioning veteran programs out
there. So there are a number of States that we currently work
with at (ISC)², that we work with that are funded by the
actual State for transitioning veterans.
So there is programs already set up, they are already in
place. They are very, very successful----
Ms. Slotkin. Sorry. Just because I have a short time, not
to help the veterans when they get out, because I have
certainly seen a lot, but to get them in--like to get them in
the uniformed military, to get them in the Federal agencies,
since cybersecurity is going to be the battlefield of the
future, and we don't pay as much--I am a former Federal
Government employee. We don't pay as much as the private sector
for a cybersecurity professional. What should we be doing in
the Federal Government to incentivize getting people in rather
than when they are done? Helping them out?
Ms. Worley. Certainly on the topic of getting them in the
Federal Government versus the services themselves, I think the
SFS program is a great way to do that. Continuing to fund that
program to a greater degree, where I give you 2 years of
college, you give me 2 years of service in the Federal
Government, right? Now you have them working in the Federal
Government, they understand that mission, they get a feel for
what it is like to work in Government. We saw some stats at
about 70 percent of those who go into the Federal Government in
that program stay for at least a year longer.
So I think the program that you currently have in place is
actually serving that goal pretty well. On the front of
military, I think that may be a more difficult challenge. But
certainly, I think, this program is helping you at the Federal
level.
Ms. Slotkin. Thank you.
Mr. Chairman, I yield back.
Mr. Richmond. Ms. Estwick, did you----
Ms. Estwick. No, that is OK. No. So I just wanted to add
one thing about earlier when you talked about the K-12. So I
don't know if you are familiar with the NSA, National Security
Agency, National Science Foundation's GenCyber program. That is
a program that has been around for about, I want to say, 5 to 6
years now.
They do K-12 camps, student camps, and teacher camps, and
they award various organizations--you can be a nonprofit and
schools--Excelsior College, we were actually awarded a grant
last year, and we held a cybersecurity camp for middle and high
school teachers in the New York State capital region. What that
does, they have goals in mind, of course, to increase interest
in cybersecurity, but other goals, of course, is to diversify
the work force.
There is just--just a host of opportunities there for kids.
Exposure is the thing, right? So you want to make sure you get
as much exposure. Of course, there is cyber competitions as
well, cyber patriot programs and things like that as well.
Ms. Slotkin. Thank you.
Mr. Richmond. The gentlelady yields back.
I now recognize the gentleman from New York, Mr. Katko.
Mr. Katko. Thank you, Mr. Chairman.
I want to start with Ms. Worley, but actually this question
applies to everybody.
I think the National Science Foundation CyberCorps
scholarships are a great place to start, because they have a
time commitment after they get the scholarship.
Are any of you aware of any problems with implementing, or
getting enough professors involved, or enough universities
involved? Is anybody aware of any problems with that part of
it?
Ms. Worley. So what I would say is that I see an increased
number of educational institutions, certainly at both the--the
university as well as the community college level, who are
beginning to implement cybersecurity programs, either as an
augmentation to existing computer science and engineering
programs, or as a pure cybersecurity program. So I am certainly
seeing increased interest in availability, but I am sure other
folks----
Mr. Katko. I guess my question is really focused that--
there is requirements that go along with these programs. Some
universities either aren't capable of reaching the requirements
or have the desire to. Have any of you heard of that issue
before, any of that problem?
Ms. Worley. I have not.
Mr. Katko. Dr. Estwick.
Ms. Estwick. So I would say there has been a little bit of
a bottleneck in getting faculty members to teach in
cybersecurity.
Mr. Katko. Tell me about that. Why?
Ms. Estwick. We have been lucky enough to pull from private
industry to have some adjunct faculty. But I would say, across
the board--like computer science programs are having the same
issues, actually. A lot of the companies--like she said,
cybersecurities align and synergize a lot with the computer
science programs.
So, for now, yes, I think this is where private industry
and those, of course, coming from Government, can help step up
and fill some of these faculty positions.
Mr. Katko. So that--filling faculty positions will help us
utilize a program we have now, because I think it is a terrific
idea. I am not speaking for the Chairman, but I think he
agrees--actually then, I am speaking for him. We both think
that plussing up this program would be a very good place to
start. We have to make sure that the universities are prepared
to implement the program.
So, if there is changes that any of you think need to be
done with the criteria so that we can make it more easy for
these universities to get involved with these programs and get
these kids these scholarships, please make sure you let us
know, OK?
Ms. Estwick. Yes.
Mr. Katko. Thank you very much.
Now, is it--we have had a lot of testimony from all of you
today. I just want to hear kind of some spit-balling here.
What other ways that we can do other than what you have
heard--you know, you have heard from Ms. Worley and the others.
Is there something else, for example, Mr. Simpson or Mr.
Gallot, that we can do to increase, at the college level, and
get kids in? That is No. 1.
No. 2, if you want to add to it, do they always--do they
have to have a college degree to do these programs? Because I
think that they don't, and I would like to hear about that as
well.
Mr. Simpson. That is an excellent question. Thank you very
much for asking.
Let me first start for the first part of the question. I
think if you are targeting college, you are too late. The
majority of students choose their careers in high school. So in
high school, we need to start sending that message of why
cybersecurity is a great career, and why they need to get into
it.
So when they go to college, if they choose to go to
college, they can plan those curriculums and those degrees that
align with that profession of cybersecurity that they want to
get into.
Not all people go to college, though, so we understand
that. That is the great relationship that academic colleges, as
well as the certification and certificate organizations play,
is that there is room for all of us, and that there is no one
way to get into cybersecurity. There is multiple ways to get
in.
People learn differently. There is nothing wrong with going
through a hands-on technical program, certificate program, or
certification program, or going through an advanced degree. It
just depends on that individual. The most important thing is
that they are going into cybersecurity and we help outline the
different pathways and that journey map and that career map of
how they can get into it.
Mr. Katko. Now, the NSF scholarships, that applies strictly
to universities, does it not? I mean, should it be expanded to
apply also to certificate programs as a way of incentivizing
kids to get into it?
Mr. Simpson. For us, absolutely. So when you look at how
people are getting into cybersecurity, whether it is through
certificates, certifications, or through education,
scholarships play a huge path for that. Especially for those
folks that can't afford it. You start looking at some of these
demographics in these areas, and then these individuals, they
can't afford to go to college, they can't even afford some of
these certifications.
The more we can infuse these programs of being able to cast
a wider net and apply to a greater amount of students, that is
how you are going to help with some of that inflow.
Mr. Katko. Go ahead, Mr. Gallot.
Mr. Gallot. Thank you, Mr. Katko, for that----
Mr. Katko. By the way, I absolutely love your band at that
university. Every time I see them on TV, I just stop what I am
doing and watch. They just ooze talent, confidence, and fun. It
is just a blast to watch them.
Mr. Gallot. Thank you so much. We have a number of computer
science graduates--computer science students in the band.
Mr. Katko. I bet.
Mr. Gallot. You know, quite honestly, you know, it is
difficult enough for minority candidates in applying for jobs.
For our graduates, I think, they are better prepared, both from
a knowledge base, but also a maturity base, when they are going
to either Government or the private sector applying for jobs.
So for a black student who is going and applying for a job,
I think he or she stands a better chance of being seriously
considered for that job if they have a degree. You know, that
is part of the reality of the environment that we live in.
So, you know, certainly, I respect the fact that we have
different entry points for different individuals. Ms. Worley, I
think, did an excellent job of talking about the different
needs that can be fit by some who have college degrees or not.
But our society now, I think, requires the students that I
serve, they are much better prepared to go in and actually land
that job with a degree as opposed to not having it.
Mr. Katko. Thank you very much.
Last, I will just note, Mr. Chairman, perhaps we should
consider when we are looking at the funding for the CyberCorps
to make it more wide-spread for certificate schools, but also
at the high school level, so kids who want to take college
courses in high school might be able to have scholarship
opportunities available for them. Then that gets them into the
pipeline before they are out of high school.
I yield back.
Mr. Richmond. The gentleman from New York yields back. Now
we will have the gentleman from Rhode Island, Mr. Langevin.
Mr. Langevin. Thank you, Mr. Chairman. I want to thank you
for holding this hearing. I want to thank our witnesses for
your testimony. You have all had important things to say about
the cyber work force, something that I have been worried about
for quite some time. This is an issue that I have been working
on now for more than--more than a decade.
We often hear about the challenges in--in cyber and, you
know, how does the, for example, the Federal Government compete
and attract, and also retain people with the right cyber
skills? I think that is the wrong focus to say how do we
compete per se. It is really how do we grow the pie. So that is
what we really need to focus on, so that we are not trying to
compete or take from the private sector, but again we are
growing the size of the pie so there are more people available
to fill these jobs that are necessary.
There are hundreds of thousands of cybersecurity jobs right
now that go unfilled every year. That number is going to grow
exponentially. We are probably looking into the millions
several years out, as the cybersecurity challenges continue to
grow.
So, you know, Mr. Simpson, I think you had some important
things to say, too, about getting--how do we attract the kids
at even younger ages and start thinking about a job in this
field?
Certainly, I support the Scholarship for Service program. I
led a letter to appropriators again this year asking for
increased funding for the Scholarship for Service program. I
think CyberCorps, it is a wonderful program, and anything we
can do to grow or replicate those types of programs, we need to
do that.
How do we create a program that talks to the--speaks to the
kids at the high school level, so that they are thinking about
that as a career? I think that we need a sort-of a--a program
model so the Scholarship for Service program that we are--that
we are reaching out to kids that are in college, right, now we
can replicate that if we start talking to kids at the freshman,
sophomore year, and saying the junior year, getting ready to go
off to college, that you go into a cybersecurity field in a
Scholarship for Service-type of program, your college in your--
your freshman and sophomore year will be paid for, in a similar
way, perhaps, that the junior and senior year will be paid for
if you are in the Scholarship for Service program.
So have you thought about those types--how we can partner
with the private sector and the Federal Government can go in
that direction so that kids, as they are thinking about a
career in cyber--or we get them thinking about a career in
cyber, and they are starting to think about it in their high
school years?
Mr. Simpson. Yes. Thank you for your question, sir.
It all starts with the awareness to the individual. So the
kids today, they are not aware. When you look at the--the
amount of, you know, Gen X and baby boomers that are about to
retire over the next 5 to 10 years, there is not a wave of army
that is coming over to help backfill them. So we have got to
get into the school systems at a much earlier learning area to
start to teach them. You have got to do that through
investment.
Invest into the students, invest into the learnings, so on
the back end, as they are going through middle school and high
school, they are already aware, they have already got
curriculum that has been put in there by the State into the
schools. The broader that net that you can get across all of
the--all of the schools within each State's district is going
to start to yield that value as they transition, whether they
go on to college, into a cyber career, whether it is through
STEM or through STEAM or through certificates or
certifications.
But bringing that technical, hands-on training, exposure at
the high school level, is how you start to plant those seeds.
It has got to be done through investment into those school
systems and into the children.
Ms. Worley. Yes, I think there is--excuse me, Mr.
Congressman. I think there is another opportunity, and that is,
I think we often forget that high school kids are probably as
digitally savvy as most 4-year graduates were 10 or 15 years
ago. I mean, they are digital natives. They can code at, you
know, junior high, maybe earlier, in many cases. So there is
probably opportunity where Government and private industry
could partner together around internships at the high school
level.
Often internships are something that is reserved for
college, right? You get an internship once you get to college.
We have got savvy high school students who are very capable,
you know, from a cyber perspective. We should be looking at how
we can partner together from a private and public perspective
to create internship programs for those high school students.
You get them into a research facility with a bunch of cyber
tech researchers, believe me they are going to get excited
about this field, right?
I mean, you know, when they start looking at what they will
get to do and the implications of that, we will get them
excited. But I think there is an opportunity for us to partner
that way.
Mr. Langevin. I know my time has expired.
But, you know, you are right on point. When they can do
more hands-on learning, I think that is the better--so I--I
agree also with what you had to say. I hope you don't--it is
not necessary that you need a Ph.D. right away to start going
into the cyber field. We also need to include certification
programs so that they can get the entry-level jobs in
cybersecurity, even as they pursue other academic opportunities
in either a junior college or a 4-year degree.
So thank you, Mr. Chairman. I could go on and on, but my
time is gone. I will yield back.
Mr. Richmond. The gentleman from Rhode Island, Mr.
Langevin, yields back.
The gentleman from Texas, Mr. Taylor, is recognized for 5
minutes.
Mr. Taylor. Thank you, Mr. Chairman.
I appreciate being here.
So just to kind-of expand on this. So as I understand the
current program, it is for--it is at 68 4-year universities, so
it is for a 4-year college degree, right? Is that basically how
it works out?
So--and I am just going back to saying we need more children
to learn in high school. They need an associate's degree, maybe
some community college, maybe some Ph.D. Is it a program that
we should expand out in terms of, you know--you know, being
thoughtful that, hey, sometimes it takes a Ph.D., sometimes it
takes a college degree, sometimes it takes an associate's
degree, sometimes it just takes a really sharp high school kid
who has had 1 year of coding in high school so that we are
looking at this in a kind-of a holistic level, because it is
not just one entry point, like: Hey, this is the only thing you
need. Like, we don't need any Ph.D.s or--am I thinking about
that right, is it expanding this out?
Ms. Worley, since you are----
Mr. Gallot. Congressman, I guess, part of what you--what I
am here to talk about in terms of creating a diverse, you know,
pipeline of cyber talent--and I think more globally, I think
you make an excellent point. But specifically, what is it--what
is that barrier that stands between this minority student and
the cyber work force, and how--how do we bridge that--that gap,
which I think is the part that we have to--and if you look at,
again, the students that we typically serve, many of them are
still first generation college students.
Trust me, they--they find a way to figure it out. You know,
not that everybody graduates from Morehouse and gets their
student loans paid off. Some of our students, you know,
actually work 3 jobs and figure out, like Jarrid Richards did,
how to be an A and B student and get closer to that degree.
So I think part of it is resource and capacity to give us
the opportunity to open this up to the students that--and the
work force that I think the committee is here to talk about and
address, and that is, how do we provide more access and
resources, either through NSF or other agencies that you-all
have that give us more capacity to provide access to the
diversity that I think everyone is looking for?
Mr. Taylor. Ms. Worley, just going to you as an employer,
right? So you are employing, you know, in my district, but also
around the country, many thousands of people who are in this
space. I mean, as we discussed before, I mean, you are hiring
Ph.D.s and college graduates and associates--I mean, you are
hiring all levels, right? Is that a fair statement?
Ms. Worley. In fact, there is a number of engineers in the
office that I work in that do not have a college degree, but
they are brilliant coders.
Mr. Taylor. Right.
Ms. Worley. So, you know, I fundamentally believe in
education. I worked my way through college as well. I paid for
both my undergraduate and graduate degree, you know, cocktail
waitressing, waitressing, cooking, whatever it took. So I
understand that 4-year degree and the importance of that.
But there is also a population in our work force today that
maybe has, you know, 20 years of experience in a job doing data
analysis, but they have never worked in cybersecurity. But
believe me, that data analysis experience they have would be
outstanding as an incident responder in a cybersecurity
operations center.
We need to look at the requirements, not just the hard-
coded requirements of working in cybersecurity. What are the
skill sets we need--critical thinking, problem-solving
analytics that apply? And then create programs, whether those
are through certification programs, vocational programs, a
community college program that allow them to take the skills
they already have and translate them into the language of
cybersecurity. That doesn't necessarily take the 4-year degree.
If I am fresh out of high school, that 4-year degree
probably is going to be really important. If I am an
experienced person, maybe less important.
Mr. Taylor. Sure. I know in my own State of Texas, we are
at about 24 percent of our population has a 4-year college
degree. We are trying to get to the National average, which is
27 percent. In that effort, we are actually not leaving anybody
behind. We are actually--we have implemented a 60/30 plan to
try to get 60 percent of the population by 2030 to have some
kind of post-high school degree or certification, right?
Whether it is a welding certificate or an associate's degree or
a 4-year college degree.
But it seems in this space, the requirements are such that
if you focus only on the college degree, you are missing key
pieces under and below that you have got to have in order to
have an effective work force.
Ms. Worley. Furthermore, given where we stand right now, if
we rely solely on 4-year degrees, we will never catch up. We
have to look at creative ways to educate people with
experience, to educate people with core capabilities in this
space, and we still need lots of college graduates. There is no
doubt of that, because if you start looking at things like data
science around artificial intelligence, that requires
education. But we should not bypass a lot of those other
individuals that have core capabilities relevant to this field
because they simply don't have a degree. We should enable them
to move forward into the field.
Mr. Taylor. Right. I should point out that an associate's
degree could be on the way to getting a college degree, right?
So you encourage somebody to get an associate's degree, they
work for a couple of years, and they say, you know what? I am
going to go back, and I am going to finish up my bachelor's
degree.
Ms. Worley. Absolutely.
Mr. Taylor. I am out of time. Mr. Chair, I yield back.
Mr. Richmond. The gentleman from Texas, Mr. Taylor, yields
back.
The gentlewoman from New York, Miss Rice, is recognized for
5 minutes.
Miss Rice. Thank you so much, Mr. Chairman.
You know, what I am hearing here today is very encouraging.
I think that what I would love for the Chairman and the Ranking
Member on this committee to do is to put together all of these
parts, right? We have educators, we have the private sector who
needs to employ people, and we have Government that has a
vested interest in educating and training a work force for the
future.
I think people fall into two categories: You have those
heading into college or who are already in college. I was just
at my nephew's graduation at Catholic University, my alma
mater. I said, Thank God he went into business, because maybe
he has a chance of getting a job when he graduates. So we have
that whole universe. How do we get qualified teachers at the
high school level? Maybe--I am just going to throw a bunch of
questions out, and whomever thinks they can answer them, answer
them.
But we need to have faculty in high schools, grammar
schools and high schools, that are up-to-date on IT issues and
cyber issues, so we can get kids interested at a high school
level. You know--and I think that is where you increase the
chances of diversity going forward.
But we also have a large number of people in this country
who got a degree that maybe cannot help them get a job. I mean,
every time you talk to people who are based in Silicon Valley,
they say we have millions of jobs that we cannot fill because
we do not have a trained work force in this country.
So do we partner together--there are three legs to this
stool. We need educators, we need the Government, and we need
private business. Everyone has a vested interest in coming up
with a system that will work.
Now, the reason why I think it is important to go in at a
high school level is because there is still out there that
sentiment that I need to get a 4-year degree. No offense to
anyone who heads universities that offer 4-year degrees. That
is not true. Maybe an associate's degree is OK; maybe you just
need to go to vocational training. But there still seems to me
to be somewhat of a stigma, right, around not going and getting
a 4-year degree, when we have all of these kids who are
graduating with crushing student loans that is ultimately going
to become the taxpayer problem, right?
So here is one question: How do we ensure that we get a
faculty in high school who can actually begin to get these
young kids interested in these sciences, technologies, AI,
whatever it is, and how do we address the issue of there being
a stigma to maybe just going and getting vocational--a
vocational education that, by the way now, you can end up
making more money than someone who graduates with a 4-year
degree?
So it is just a lot of stream of consciousness. But,
literally, I was just sitting with my nephew and I thought:
Thank God he has a job. But there are--how many of his
classmates don't and they have got these crushing student
loans.
So anyone who has any thoughts on that?
Ms. Estwick. Congresswoman, thank you for those questions.
I really would like to jump in and say this, because I feel
passionately just like you about our educators.
Educators are our force multipliers, right? What we are
doing is, I feel like we are teaching our students, like, who
are digitally natives, right--digital natives, and they are
surpassing the teachers. We have communities where--you may not
know this, but the teachers share a--a lot of the educators
shares this--you know, students are going in and changing their
grades, because they know how to hack the systems and they know
how to compromise weaknesses, right, in the network.
So they already have that capacity and that intellectual
curiosity, where our educators are sitting there trying to keep
up. So I think programs that are focused around trying to help
our educators so they can feel empowered to then be a force
multiplier and explain cybersecurity jobs, not in the form of
the cool stuff they see in Hollywood and hacking, right, but
also things to protect our National security, right?
Miss Rice. What is the biggest obstacle to getting that
work force that is ahead of young kids that, you know, as you
say, are better than any of us?
Ms. Estwick. Absolutely, absolutely. So I think there are
programs--and I can't stress this enough, because GenCyber is
such a major program that I don't think it gets funded enough,
to tell you the truth. This is a National program that has been
around for about 5 or 6 years, and they host camps,
cybersecurity camps, and they teach the fundamentals. They come
out of the--the budget comes out of, I believe, National
Security Agency, National Science Foundation.
But what it is, is that about 130 camps were awarded this
year. The camps are there--they have teacher camps, student
camps, and a combination sometimes of teachers and students. So
you have kind-of train-the-trainer effect.
So last year when we hosted--Excelsior College, we hosted
and was awarded a grant to host a middle and high school
cybersecurity camp. We provided them with tools, many
computers--we called them Raspberry Pis. We taught them
lessons. So now they are taking that--and our teachers were
diverse. They weren't just, you know, our comp sci or our
biology or our STEM teachers. We have librarians, because they
are now the house--they are the custodians of the technology,
sometimes in the high schools and the schools.
So we have librarians, we have our technical teachers who
do the vocational training, and we had various disciplines in
the camp, about 30 educators in there. Just teaching them and
providing them with the curricula so they are able to, again,
then train their teachers and then that kind-of replicates
throughout the system. But naturally, these programs need to be
supported to expand.
Miss Rice. Uh-huh.
Mr. Gallot. I would like to add, we have, at Grambling,
several summer programs. We have one high-ability program for
rising juniors. So they come to the campus, essentially are
college students for the summer program. We could have 10 times
of number of students that we have, if we had the resources to
fund that program.
We also have computer camps. We have STEM camps. We are
joining a partnership with Dr. Calvin Mackie from New Orleans,
which is STEM NOLA, where we are making it STEM Grambling.
There are a lot of--we have the ability to do a lot more if
we had resources. I would say that, you know, what Mr. Walker
and Senator Scott are doing every year with HBCU Fly in, it
gives HBCU presidents a platform to interact with agency heads,
with--with industry at the request of Members of Congress.
So using your platform to connect us with the resources,
both at your respective agencies that you oversee, as well as
the businesses that are always looking to have a relationship
with you to put them in the room with us.
So, I thank Mr. Walker and Senator Scott for what they have
done for the past 3 years in giving us a forum to develop these
relationships. We see greater capacity, but we could do even
more if we had greater resources.
Miss Rice. Well, it is clear that all of us are aware in
this room that we are all in this together, and I think we just
need to kind-of get in the same room and figure out how we do
this.
So thank you all.
I yield back. Thank you, Mr. Chairman.
Mr. Richmond. I thank the gentlewoman from New York.
I now recognize the gentleman from North Carolina, Mr.
Walker.
Mr. Walker. Thank you, Mr. Chairman. Thank you, President
Gallot, for those kind words. It was great to see you again
this past February. Of course, I won't talk any North Carolina
A&T shade, although obviously I get to represent the great
university. As you know, my wife went to Winston-Salem State
University, so that whole Aggie Pride Ram. I can tell Mr.
Morehouse is over there looking down at me already. But we will
leave that alone for today.
But I do appreciate your commitment in helping these young
students to exceed in all aspects of life.
I read through a little bit of your testimony. It is
apparent that Grambling State is becoming a leader--already a
leader, and even expanding that in cybersecurity education
efforts.
Can you describe how Grambling State began its partnership
with the IT companies?
Mr. Gallot. Graduating qualified members of the work force.
I think, you know, showing that we are graduating not only 40
percent of the African-American graduates in the State of
Louisiana in computer science and CIS, but those who can
actually come in on Day 1 and make a difference. Even with our
interns--and I highlighted earlier, one of our students who did
an internship at an electrical utility who came in, and his
supervisors complimented him on being prepared to come in and
do meaningful work as an intern, as opposed to just, you know,
fetching coffee or doing something menial.
So, I think the quality of our graduates is what has opened
the doors to many of the relationships that we currently have.
Mr. Walker. I don't want to be too technical. If it is,
take a pass on this. But I would like to kind-of dig a little
deeper. Can you describe the difference between a cybersecurity
course versus a computer science course?
Mr. Gallot. I defer. I could--I could read the curriculum.
Of course, there are foundations of cybersecurity.
Mr. Walker. Sure.
Mr. Gallot. There is the technical aspect of it of the what
to do, but there is also the why. So there is the ethics around
it all----
Mr. Walker. Exactly.
Mr. Gallot [continuing]. Of course. So that is a part--it
is a holistic approach that we are taking with our new program.
But I would certainly defer to----
Mr. Walker. Well, and I would have to as well. I get to
read the questions sometimes with the good staff work, just to
be honest with you here, on some of the dig the thing out, if I
can be honest with you here for a second.
Let me do a follow-up. Maybe this helps. A 2016 study
showed that only 1 of the top 36 computer science programs
required any cybersecurity course to graduate.
Do you think that more schools--and I will open this up--I
won't pick on President Gallot--do you think that more schools
should include cybersecurity components in these computer
science programs?
Mr. Simpson. So I will jump in here real quick. So I
actually think it should be part of--it should go further
beyond computer science. I think it should be part of Common
Core.
When we look at cybersecurity, this is an epidemic issue
that we are going through globally. If we don't start getting
out the education awareness and building this into our school
systems, it is just going to continue to grow.
Typically, we just go after the STEM candidates, the
science, the technology, as well as engineering and math. We
need to go broader than that. We need to really get into the
STEM--STEAM, which brings in the arts.
Cybersecurity should be part of, at least, a course in all
degrees, because when we look at how we are going to solve
this, especially in the workplace, it is not just the
cybersecurity team; it is everybody. It is all of the employees
need to know what their hand is in this and how they are going
to be able to help.
Mr. Walker. Ms. Worley, go ahead.
Ms. Worley. May I?
Mr. Walker. Yes, of course.
Ms. Worley. Thank you, Congressman.
So I think it absolutely has to be part of the core
curriculum--I agree with Mr. Simpson--in that as we contemplate
the internet of things and the continued digitization of
everything that we live with in our world today, enabling
students who are going to be designing--whether that is
designing software or designing hardware, et cetera, to be
designing with security in mind from the beginning, from
architecture and development, is absolutely critical to the
security of everything that we use at home, in our companies,
and in Government.
Enabling them with the basic tenets of cybersecurity,
whether they are going to be software coder or a hardware
developer or a cybersecurity expert is absolutely fundamental
to ensuring kind-of a secure digital ecosystem as we move
forward.
Mr. Walker. I am glad to hear that.
As Ranking Member on counterintelligence and terrorism on
this specific subcommittee on Homeland Security, I can tell
you, the Chinese try to hit us 20,000 times a day, Russia as
well. We need strong young people that are coming into this
environment that can speak this language, for lack of better
expression there. I think that is crucial.
One survey found that only 37 percent of students said that
a teacher discussed with them cybersecurity as a career option,
with a contributing factor possibly being the lack of skilled
teachers.
How do you change that factor? Because you can only educate
for people that you have to--from the educators down to the
students.
Somebody want to address that? My time is expiring with
that question.
Dr. Estwick, you want to take a look at that?
Ms. Estwick. Right. So thank you for that question,
Congressman.
So you are talking about, as far as how do we get
cybersecurity and computer science in conjunction and also, how
do we get teachers? I think--educators, right?
So I think the thing is that there is work that is being
done. Looking at the Common Core standards--we talk about this
all the time, about the standardization, right, and looking at
how we are already infusing computer science into the
curricula, as well as synergies between that and, you know,
infusing the cybersecurity components.
But I have to tell you, sir, without question, we are
playing catch-up, right? So we have educators who are trying to
wrap their heads around the standards as it is, and then we
have a hodgepodge of standards, as you know, Nationally, right?
So some States are a little bit more mature than others.
When you look at the standards--I am going to reach out
there and say, like, New York--because our school is based in
New York, so I know a little bit about their standards, and I
am on the K-12 subgroup through NIST, actually, that is trying
to synergize between computer science and cybersecurity. You
will see that there is a lot of commonality. But you will also
see that those tenets that we talked about that is part of
cybersecurity, educators need to be educated on that as well.
So it is not just a curricula for the students. It is also a
curricula for the educators who are trying to be the force
multipliers in the classroom.
Mr. Walker. Thank you.
Mr. Chairman, I yield back.
Mr. Richmond. The gentleman from North Carolina yields
back.
I will recognize myself for a round of questions.
Let me go back and just start kind of at the basic. I will
start with you, Dr. Estwick.
Based on your experience in the Army, National Security
Agency, now academia, how important is it for Federal agencies,
National security agencies, intelligence agencies with those
missions, like DHS, FBI, DOD, to have a diverse cyber work
force?
So, I guess the ultimate question is, do you think that
having a lack of a diverse work force actually creates inherent
blind spots in our security?
Ms. Estwick. Well, thank you, Mr. Chairman, for that
question.
I feel that, you know, there has been--already studies out
that--the importance of diversity in the work force.
Especially, I would feel in the cybersecurity and in the
National security framework, diverse perspectives are
important.
For my experience, I feel that there is certain ways--
experiences I bring to the table that other people just don't
have. Having a multitude of people around you with all of those
different perspectives will--we are able to see different areas
of a problem.
I think for me working 10 years in cyber operations, there
were different avenues that I was able to identify ways that
maybe we, you know, can get ahead of the adversary and not be
so prone to always be on the defensive side and playing whack-
a-mole, frankly, when we are trying to protect our resources.
So I think it is important that we--diversity, we know, is
a business problem, right? We know diversity needs to be
focused and brought to the table. But I think it is also that
we talk about diversity a lot in conversations. It is a little
frustrating for me sometimes, because we talk a lot about it,
but I don't see it in action, unfortunately.
What that means is there needs to be some entrenched--there
is entrenched issues that need to be addressed. Some of that
could be not just mentoring, but also with sponsorships. So how
do we bring people through the different grade levels so they
are able to be a part of problem sets and be a part of the
overall solutions to how do we address diversity and, again,
protect our National security.
Mr. Richmond. Thank you.
Let me ask Mr. Gallot. We have talked about the CyberCorps
Scholarship for Service, which it appears that everybody up
here supports.
I would assume, Ms. Worley, you would tell me that if we
doubled it, you think everybody would use the money and
continue to create more of a pipeline. But besides the
CyberCorps Scholarship for Service, what about programs like
DHS or NSA Centers for Academic Excellence, how can they better
partner with you? How can--what else should we be asking them
to do to help create that diverse pipeline, maybe partnering
with HBCUs or other minority-serving institutions?
Mr. Gallot. Well, I think part of the solution is providing
additional support resources. I am not just talking about
writing a check. But when you think about our shop, for
instance, our sponsored program director, Dr. Walton, is also
serving as our provost. So her ability and time to--although
she has increased our research grants by 254 percent in the
last 2 years, there is so much more that could be done if there
were more of--more workers in her shop to help us connect with
those resources.
So having an agency like--like DHS to provide a resource
person to connect us with that--with those opportunities, I
think, is something tangible that would assist us. Again, it is
not about just writing a check; it is about giving us some help
to build our capacity to compete for these opportunities.
Mr. Richmond. Well, I am glad you brought up the professor.
I think about people like Calvin Mackie, STEM NOLA, and you all
partnering.
The question is, how long will we keep them in the public
service sector before the corporations who need people, who
have deeper pockets, come along?
So, I mean, how hard is it to retain department chairs and
professors? Because if you are talking about a 489,000-person
shortage in the country, at some point they are going to start
picking off our professors to start working in the high-paying
jobs. Then all of a sudden, who is training the next
generation? So do you see a problem with retaining and
recruitment?
Dr. Estwick, you also.
But do you-all see a problem in the future of retaining the
talent that is teaching the next generation of cybersecurity
talent, and how can we help you all keep them in academia as
opposed to going off into the private sector by Ms. Worley and
making a whole lot of money?
Mr. Gallot. Mr. Chairman, I think if you all as Congress
can incentivize the private sector to better partner with us, I
think would certainly be a good start. They certainly want to
know how they can continue to do business with you. If their
contracting documents require a certain level of partnership
with academia, I think that incentivizes them to be a better
partner with us, because you are requiring them to do it as a
part of doing business with you. Does that make sense?
Mr. Richmond. I understand what you are saying.
Dr. Estwick.
Ms. Estwick. Yes. I can also--thank you, Chairman, for the
question.
I can also add that I think in the Executive Order, they
spoke about rotational assignments. I think it is important to
have kind-of that cross-pollination, right? So you have folks--
and, again, it incentivizes the program. But being able to have
private industry go into Government, Government go into private
industry, academia, and just have this continuous cross-
pollination of information, of experiences, of expertise, I
think would be important, too.
So when we talk about this in the framework of the
Executive Order and the rotational assignments, I would like to
see that really expanded to include not just the Government,
but also with private industry and the academic communities as
well.
Mr. Richmond. I see that my time has expired. So I will
yield back.
Before I close the hearing, I will recognize Mr. Katko for
additional time.
Mr. Katko. There is no question. I just want to make a
brief observation, based on all of the excellent questions and
input from the panel today. That is my experience with a
program called P-Tech in high schools. I am not sure many of
you have heard of it, but what it does, it has kind-of come out
of an outgrowth of a need in the STEM fields, electrical
engineering and all of those types of things. But also in some
of the rural areas, it is a way of getting people into the
building trades.
What they do is they marry up the industry with the kids in
high school in an earlier level, 8th, 9th grade, and they get
them in the college-type--college-level courses, but also give
them practical experience. They are being taught oftentimes, at
least at a guest lecture, and sometimes in the classroom
setting, by members from the industry.
So, by the time they get out of high school, they have a
lot of college credits, they have a career goal, and they know
what they are doing. Oftentimes these are first-generation kids
going to college. It is working everywhere it goes.
So all of the talent in the industry--you want to talk, Mr.
Gallot, about bridging the gap, right, and having Government
help augment things. Industry can augment Government by getting
their people out into the field and reaching to these kids at
these early levels in a P-Tech type program. You could do that
all over the country, and I think would have a huge effect as
well. Then you couple that up with the scholarships--and us
plussing-up the scholarships, you might really start having a
force multiplier that we haven't seen before.
But getting industry not just looking for talent, getting
them out into the field to help cultivate that talent would be
a very big thing.
With that, Mr. Chairman, I yield back.
Mr. Richmond. I ask unanimous consent to submit a statement
for the record from New America.
Hearing no objections, so ordered.
[The information follows:]
Statement of Laura Bate, Policy Analyst, New America
May 21, 2019
Chairman Richmond, Ranking Member Katko, Members of the
subcommittee, thank you for the opportunity to provide written
testimony for today's hearing on ``Growing and Diversifying the Cyber
Talent Pipeline.'' The Members of this subcommittee undoubtedly
understand the critical importance of effective cybersecurity.
Protecting data and information systems throughout the Federal
Government and military is fundamental to protecting National security,
but our considerations must extend beyond that.
The Nation's economic health is a building block of National
security. The United States is currently losing between $57 and $109
billion a year to cybersecurity failures.\1\ Fostering an
environment in which major corporations, small and medium enterprise,
and individuals can curtail these losses and secure their own digital
assets is integral to providing homeland security. This undertaking is
only possible if the United States can cultivate a strong, skilled
cybersecurity workforce, not just within the Federal Government, but
throughout the whole of the economy.
---------------------------------------------------------------------------
\1\ Council of Economic Advisors. The Costs of Malicious
Cybersecurity Activity to the US Economy. Executive Office of the
President of the United States, 2018.
https://www.whitehouse.gov/wp-content/uploads/2018/03/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S._Economy.pdf.
(Accessed May 2019).
---------------------------------------------------------------------------
I work with partners in higher education, private industry, and
public service to improve our understanding of the dynamics that shape
the cybersecurity workforce. As a policy analyst with the Cybersecurity
Initiative at the think tank New America, my research encompasses both
how we expand that workforce and how we strengthen it through diverse
perspectives and educational pathways that evolve to meet the
challenges of cybersecurity's changing landscape.
I have been encouraged to see both Congress and the administration
redouble efforts to fill cybersecurity jobs in recent weeks. The
introduction of new proposed legislation from both Chambers of Congress
and on both sides of the aisle is an important step, as is the
President's Executive Order on America's Cybersecurity Workforce. As
commendable as these steps are, however, they are only a part of a very
long path to filling the empty chairs in the U.S. cybersecurity
community. I will focus on three particular aspects of this challenge:
(1) The critical need for building a more diverse workforce, (2)
incentivizing the development of apprenticeships and other new pathways
into cybersecurity jobs, and (3) improving our understanding of the
workforce through empirics.
diversity is a feature of strong cybersecurity teams
Diversity is critically important in the cybersecurity workforce
for three reasons:
1. Inadvertently limiting diversity artificially narrows hiring
pipelines. We cannot afford to overlook entire demographics
when we consider the pool of available talent. The United
States needs to fill more than 300,000 cybersecurity jobs.
There are an estimated 715,715 workers currently employed in
cybersecurity jobs,\2\ which means that the industry must grow
by more than 40 percent just to meet current needs, let alone
future requirements. Given the scale of the demand and the
importance of these jobs, the country is best served by
prioritizing the identification and removal of the barriers
that discourage diversity in the cybersecurity industry.
---------------------------------------------------------------------------
\2\ Cybersecurity Supply/Demand Heat Map. CyberSeek.
https://www.cyberseek.org/heatmap.html. (Accessed May 2019).
---------------------------------------------------------------------------
2. Diversity makes teams stronger. Research indicates that diverse
teams focus more on facts, process those facts more carefully,
and are more innovative.\3\ Because we are discussing the teams
that will protect Americans' lives and livelihoods, we cannot
afford to field anything less than the best teams possible.
---------------------------------------------------------------------------
\3\ Rock, David and Heidi Grant. Why Diverse Teams are Smarter.
Harvard Business Review, November 4, 2016.
https://hbr.org/2016/11/why-diverse-teams-are-smarter. (Accessed May 2019).
---------------------------------------------------------------------------
3. Cybersecurity jobs pay well. Ensuring that these economic
opportunities are equally accessible to all members of our
communities is simply the right thing to do.
Increasing diversity, equity, and inclusion within the workforce is
not an easy task. Successful efforts require more than a policy or law;
they require significant structural and cultural changes throughout the
entire education and training ecosystem. Such widespread change takes
time and deliberate effort. To support this goal, policy makers must
make workforce diversity an integral and explicit feature of future
cybersecurity workforce development programs.
When diversity is not an explicit consideration in the creation of
new programs, innovations that might otherwise be beneficial run the
risk of unintentionally decreasing diversity. For example, consider
Section 2(c) of the recent Executive Order on America's Cybersecurity
Workforce, which directs administration leadership to identify and
implement aptitude assessments that can be deployed across the non-
cybersecurity Federal workforce to identify employees who are promising
candidates for cybersecurity training.
It is unclear how aptitude would be defined in these tests, but an
easy mistake would be to seek out individuals that display
characteristics that reflect those of individuals that currently
succeed in cybersecurity roles. Such a test could quite possibly
identify candidates with backgrounds and experiences similar to the
current workforce, thus reinforcing the industry's current
demographics. These tests could be very beneficial in rapidly expanding
the Federal cybersecurity workforce, but if they are not implemented
with very careful attention to the impact on diversity, they could do
more harm than good.
It is not enough to expect diversity to grow as a byproduct of
workforce development programs. Diversity must be an explicit and
integral feature of the future cybersecurity workforce.
innovation responds to incentives
Growth in the cybersecurity workforce is hampered by limited
opportunities for potential employees to enter the field and gain
experience. The most commonly requested professional certification,\4\
the CISSP, is not granted in full until candidates can demonstrate 5
years of relevant work experience.\5\ Notably, in the United States
there are currently more job postings seeking candidates with this
certification than there are certification holders throughout the whole
of the economy.\6\ The large majority of open cybersecurity jobs
require several years' experience in the field and a minimum of a
bachelor's degree.\7\ \8\ The cumulative effect of these requirements
for degrees, certifications, and experience is that it can be quite
difficult to find that first job in cybersecurity, especially for job
seekers without a degree in computer science or a related field.
---------------------------------------------------------------------------
\4\ Cybersecurity Supply/Demand Heat Map. CyberSeek.
\5\ CISSP--The World's Premier Cybersecurity Certification.
(ISC)\2\. https://www.isc2.org/Certifications/CISSP. (Accessed May
2019).
\6\ Cybersecurity Supply/Demand Heat Map. CyberSeek.
\7\ Job Market Intelligence: Cybersecurity Jobs, 2015. Burning
Glass, 2015.
https://www.burning-glass.com/research-project/cybersecurity/.
(Accessed May 2019).
\8\ Cybersecurity Supply/Demand Heat Map. CyberSeek.
---------------------------------------------------------------------------
Extrapolating from the data available, an estimated 88,000 students
graduate from computer and information science programs in the United
States in an academic year,\9\ and presumably only a small portion of
these graduates will choose to go into careers in cybersecurity. Other
disciplines like engineering and mathematics also contribute future
cybersecurity employees, but nonetheless, it quickly becomes clear that
we cannot fill the hundreds of thousands of open jobs with the tens of
thousands of available candidates graduating each year.
---------------------------------------------------------------------------
\9\ The latest official data available is from 2015-2016, in which
64,405 students graduated. Extrapolating from percentage change between
years between 2010-2011 to 2015-2016 (49.5 percent, or 8.25 percent per
year on average), we might expect some 88,436 students to graduate from
computer and information science programs during academic year 2018-
2019. See: Table 325.35. Degrees in computer and information sciences
conferred by postsecondary institutions, by level of degree and sex of
student: 1970-71 through 2015-16. The National Center for Education
Statistics, November 2017,
https://nces.ed.gov/programs/digest/d17/tables/dt17_325.35.asp?current=yes.
---------------------------------------------------------------------------
Filling cybersecurity jobs at scale means that the cybersecurity
community must build new ways to bring in employees and build
experience. Some large employers and a very few small businesses have
developed innovative solutions to provide ``on-ramps'' for
inexperienced employees, but enabling such programs to propagate
throughout the economy will require incentives.
Apprenticeship programs offer a particularly promising opportunity
to create entry points into cybersecurity jobs. These work-based
learning programs provide a way of connecting with more candidates--and
particularly those candidates that might otherwise be overlooked by
hiring programs that rely on conventional degrees as a filter.
Moreover, they provide a means of responding to employers who
consistently indicate that they are not finding the skills they need
among job applicants.\10\ By actually teaching skills in the workplace,
employers are integral to shaping their future workforce.
---------------------------------------------------------------------------
\10\ State of Cybersecurity 2019: Current Trends in Workforce
Development. ISACA, 2019.
http://www.isaca.org/cyber/Documents/State-of-cybersecurity_res_eng_0316.pdf.
(Accessed May 2019).
---------------------------------------------------------------------------
With careful implementation, workers, employers, and educators all
stand to benefit from more widespread adoption of cybersecurity
apprenticeships.\11\ Simply spreading the model, however, is not
enough; quality matters in apprenticeship programs. In order for the
cybersecurity community to benefit from apprenticeship programs in a
sustainable way, measures to expand apprenticeships should support
programs that ensure four basic features, drawn from the Apprenticeship
Forward Collaborative:
---------------------------------------------------------------------------
\11\ Prebil, Michael. Teach Cybersecurity with Apprenticeship
Instead. New America, April 14, 2017.
https://www.newamerica.org/education-policy/edcentral/teach-cyber-apprenticeship-instead/.
(Accessed May 2019).
---------------------------------------------------------------------------
``Paid, structured, productive on-the-job training combined with
related classroom instruction; clearly defined wage structure with
increases commensurate with skill gains or credential attainment; high
quality third-party evaluation of program content, apprenticeship
structure, mentorship components, and standards to meet business demand
and worker need; and on-going assessment of skills development
culminating in an industry-recognized credential and full-time
employment.''\12\
---------------------------------------------------------------------------
\12\ Definition and Principles for Expanding Quality Apprenticeship
in the U.S. Apprenticeship Forward Collaborative.
https://www.nationalskillscoalition.org/resources/publications/file/Definition-and-Principles-for-Expanding-Quality-Apprenticeship-in-the-U.S..pdf.
(Accessed May 2019.)
---------------------------------------------------------------------------
These characteristics are particularly important in evaluating
opportunities to invest in the development of the cybersecurity
workforce. Not every program that calls itself an apprenticeship leads
to the same benefits. Programs that do not ensure a high level of
quality can lead to negative outcomes for the students and the larger
cybersecurity ecosystem. Moreover, such programs would divert
resources, interest, and credibility from programs that do deliver
high-quality learning opportunities.
Responsible support for apprenticeship programs in cybersecurity
must also account for local industry requirements. As discussed in New
America's prior work, cybersecurity jobs are extremely
heterogeneous,\13\ and not all cybersecurity work roles are equally in
demand in all regions. In order to make best use of resources,
policies, and legislation to support the expansion of cybersecurity
apprenticeships should require rigorous analysis of local job markets
to ensure alignment between learners and the specific cybersecurity
work roles that are in demand.
---------------------------------------------------------------------------
\13\ Bate, Laura. Cybersecurity Workforce Development: A Primer.
New America, November 1, 2018.
https://www.newamerica.org/cybersecurity-initiative/reports/cybersecurity-workforce-development/.
(Accessed May 2019).
---------------------------------------------------------------------------
Incentives to spark the development of alternative pathways into
cybersecurity can take many forms. Such incentive programs could focus
on supporting students, for example, through tuition waivers for those
pursuing a designated cybersecurity training path.\14\ Alternatively,
funding could come through competitive grants focused on program
development or through reimbursement systems. Tax credits to businesses
that utilize emerging systems like cybersecurity apprenticeships, akin
to the tax credits proposed in the LEAP Act, could also spur the
development of new programs.
---------------------------------------------------------------------------
\14\ There is precedent for such tuition waivers and other systems
to support the instructional costs of apprenticeship at the State
level, such as in Texas, California, and North Carolina. See
https://evolllution.com/revenue-streams/workforce_development/got-you-covered-how-states-can-support-the-costs-of-apprentice-instruction/.
---------------------------------------------------------------------------
Not all incentives need to come in the way of direct funding.
Government can lead by example by implementing innovative models in
their own workplaces. Similarly, setting contracting requirements for
information technology and cybersecurity services that encourage the
promotion of new systems can also be a powerful incentive for the
private sector. This is especially true in cybersecurity, where the
Federal Government comprises a particularly large part of the market.
There are many emerging options for increasing the pathways into
cybersecurity jobs. Providing incentives to implement these programs
widely and continue efforts to innovate further will be key to
maximizing the benefit of such programs.
good data is scarce
As different pathways into cybersecurity begin to emerge,
establishing mechanisms to evaluate these options will become an
important means for allocating resources and improving systems. Right
now, the cybersecurity community has very little data on which to base
its understanding of the current workforce. A few resources--most
notably CyberSeek, a joint project between the National Initiative for
Cybersecurity Education, Burning Glass, and CompTIA--provide an
understanding of the needs outlined in cybersecurity job postings.
However, data on the current workforce is extremely limited.
For example, it is difficult to know which pathways brought current
cybersecurity workers to their present positions. Anecdotal evidence
would suggest the military, intelligence community, self-taught
instruction, and conventional 4-year degrees are all major
contributors, but we have very little means to judge those in relation
to one another or to identify other major pathways. Similarly, we have
very little longitudinal data from employees in cybersecurity fields to
identify which pathways lead to best outcomes for learners over the
course of their career.
Requiring that properly-anonymized data collection mechanisms be
made a part of Government-supported efforts would provide an
opportunity to mitigate the current lack of data and would provide a
basis on which to evaluate and constantly refine new programs and
pathways in cybersecurity education and training. Funding for programs
designed to incentivize the development of innovative workforce
solutions should include specific requirements for the on-going
analysis of program effectiveness and learner outcomes in order to
enable future evidence-based policy making.
Cybersecurity workforce development is receiving an unprecedented
amount of attention from the highest levels of Government and industry,
and yet we still cannot authoritatively and consistently answer even
very basic questions about the current workforce: What percent of the
U.S. cybersecurity workforce is female? How many cybersecurity
professionals does the U.S. Government employ? What makes a
cybersecurity employee--in any role--effective? When these questions
are answered at all, the answers vary significantly depending on whom
you ask, and the field is rife with studies with inconsistent
methodologies and unacceptably small and biased samples.
The lack of credible foundational research in cybersecurity
workforce development becomes particularly pernicious when we look
toward the future. Current research and rhetoric tend to extrapolate
future workforce demand based largely on the growth from the prior
year. While it may be intuitive, this approach is overly simplistic and
fails to take into account major trends that will shape the future of
the cybersecurity industry. Most notably, the increasing reliance on
machine learning tools is likely to reduce workforce requirements in
some roles while increasing demand for experts in artificial
intelligence, roles that often require postgraduate degrees. In order
to responsibly invest in the future of the cybersecurity workforce, we
must also invest in understanding what that future looks like.
Grants and funding opportunities to develop specific models and
types of programs for cybersecurity workforce education and training
already exist within the Department of Homeland Security, the National
Science Foundation, and other agencies. While these opportunities are
critically important to driving innovation, they do not necessarily
further our fundamental understanding of the workforce. Providing these
agencies with an opportunity to fund foundational research would make
significant strides in improving the current models and informing
future investment priorities. What is more, such research would have a
profound impact well beyond Government hiring and spending. Making this
information available to the public would enable the whole of the
economy to better understand and strengthen their cybersecurity
workforce.
We cannot keep guessing when it comes to the cybersecurity
workforce. Funding foundational research to answer these questions must
be a priority.
Thank you for the opportunity to provide input. I hope that New
America and I can continue to be a resource to the subcommittee on this
issue.
Mr. Richmond. We are trying to give one of our colleagues a
moment to get here, and I think that she would add valuable
insight into the conversation.
But let me just also add that we really need to find better
ways to fund, especially our CyberCorps scholarship program.
The fact that I believe every year in the budget, it is
identified as something that would and should be cut. I am sure
that it is very hard to--to have a strategic plan if you don't
know if that funding is going to be there on a yearly basis.
Maybe we ought to look at some long-term funding for it or
making sure that we know it is there so that you can plan
accordingly.
Now, Mr. Gallot, I guess when I was coming up in high
school, we had Upward Bound and all of those programs where
kids could go to college and get introduced to biology and all
of those pre-med--not that I got into any of the Upward Bound
programs, but I certainly knew that they were there.
So is that what you-all are doing in terms of cyber and
computer information systems? At what grade do you start?
Mr. Gallot. So those--we don't have TRIO or Upward Bound.
Southern University, of course, in Baton Rouge has that. Ours
are self-supported programs. Our high-ability program, again,
for rising juniors who are able to come and earn college credit
on a college campus, as well as our--we have coding camp. We
have a robotics camp.
Mr. Richmond. How do you pay for all of that?
Mr. Gallot. Mainly, we absorb the cost or through some
grant opportunities. But for the most part, we absorb the cost.
Because, again, a lot of students we serve lack the resources
to--to pay for that. Of course, with our--our partnership with
Dr. Mackie and STEM Grambling, that is going to provide us
additional opportunities. Entergy, for instance, has been a
great partner of his program, and so, we look to utilize those
as well.
But again, we have the ability and the know-how to do it.
It is just simply a matter of having expanded resources to
expand our capacity to reach these kids who are really very
hungry, and they are like sponges. I mean, they soak it up
very, very quickly. You just have to give them an environment
to do it.
I think about my 6- and 7-year-olds who are using iPads in
Kindergarten and 1st grade. So these kids growing up now are,
you know, way more technologically advanced than we ever were,
and they pick up on this stuff.
Again, we just need more capacity and resources, and we can
certainly do a better----
Mr. Richmond. Now, are there any Government programs or
grants out there for the universities to help you augment or
offset those costs for those programs? Or is that something you
would like to see us look at creating?
Mr. Gallot. We would certainly welcome the opportunity.
Mr. Richmond. OK. With that, I want to thank the witnesses
for their valuable testimony and the Members for their
questions.
The Members of the committee may have additional questions
for the witnesses, and we ask that you respond expeditiously in
writing to those questions.
Without objection, the committee record shall be kept open
for 10 days.
Hearing no further business, the committee stands
adjourned.
Thank you.
[Whereupon, at 4:13 p.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Questions From Honorable Lauren Underwood for Amelia Estwick
Question 1a. Right now, there are 300,000 unfilled cybersecurity
jobs in this country. For the sake of our National security and our
international competitiveness, that needs to change.
Fermi National Lab, in my District, is working to make that change
by bolstering the cybersecurity pipeline for veterans through their
innovative VetTech internship program. These paid internships provide
training in computing, software development, and electrical
engineering, providing the skills needed to enter the cyber workforce.
This past year, the VetTech program received more than 50 applications
for 12 openings.
As a veteran yourself, can you tell us more about why targeted,
Federally-supported programs like VetTech are so important for widening
the cyber workforce pipeline?
Answer. Programs such as the Fermi National Lab VetTech's
internship program are so important for widening the cyber workforce
pipeline because this program and other internship programs tap into a
resource of highly-skilled individuals who may already possess some of
the technical competencies to work in the cyber workforce, to include,
critical analysis and engineering, as well as soft skills such as
leadership, communications, and business acumen. Internships (both
virtual and in-person) provide opportunities for veterans to work
within the contexts of corporate culture which oftentimes is different
from their military work culture. As part of these programs, they
acquire first-hand experiences with the cyber issues facing business,
Government, and nonprofits. This is particularly important for
individuals looking to change their career to take advantage of
opportunities in cybersecurity. At Excelsior College, our student
demographic is 30 percent military/veteran and we have worked on
developing an option for students to complete an internship for credit.
By participating in internships, students gain practical work
experience that they can use to demonstrate their skills and potential
to future employers. For employers hosting interns, there is a
potential to increase capacity in the short term and build talent
pipelines in the long term.
Question 1b. In addition, your statement, ``the VetTech program
received more than 50 applications for 12 openings'', speaks to the
need and desire of veteran programs such as VetTech that cater and
support their career transition.
What are best practices that institutions of higher education and
technical education programs can implement to attract more veteran
applicants?
Answer. Some of the best practices higher education institutions
and technical education programs can implement to attract more veteran
applicants are to provide as many opportunities to aid veterans in
their career pathways. For higher education, this means support for
veterans in acquiring their academic credentials by offering flexible
options for them to use their GI Bills (to include the original GI Bill
of 1944 and Post-9/11 Veterans Educational Assistance Act of 2008),
landmark pieces of legislation that have helped millions of veterans
pay for post-secondary education. Providing flexible options which
include virtual and in-person, would benefit the veteran especially if
they are currently working and need the academic credential or
vocational training to advance in their career path.
In addition, according to the Association of American Colleges and
Universities, it's imperative to have effective programmatic elements
to meet veterans' unique needs, which may include collaboration with
other community support services to ensure successful transition and
matriculation throughout college. For example, Excelsior College
established the Center for Military and Veteran Education (CME), which
offers supportive services to service members and veterans, such as:
``Provide specific points-of-contact to aid in higher education
governance. For many veterans, higher education can be a culture shock
in understanding the institutional governance; therefore, the CME
provides specific points-of-contact for all services (e.g. registrar,
academic advisement, tuition assistance, career services, etc.) to
alleviate veteran student frustrations.
``Create veteran-specific learning communities. Excelsior College's
student demographic is 30 percent service member and veteran;
therefore, creating learning communities that focus on this student
population (e.g. social media groups, etc.) has benefited many of our
service members and veterans by enhancing their student experiences and
fostering a supportive network of peers.''
Finally, educational programs that emphasize internships,
apprenticeships, externships, and mentor/protege programs that will
assist in guiding veteran applicants during their career transition,
can be used to attract veteran applicants. These experiences help to
reinforce skills learned and provide veterans with practical
experiences that can help shape their career pathway.
Question 1c. What could Congress and the Federal Government do to
help make veterans more aware of opportunities within the cybersecurity
field?
Answer. Initiatives Congress and the Federal Government can
implement to make veterans more aware of opportunities within the
cybersecurity field are supporting outreach and workforce development
programs that reach veterans. Outreach in the form of marketing
campaigns targeting veterans for cybersecurity jobs, such as social
media, advertisements on public transportation, radio, as well as
strategic partnering with the U.S. Department of Veterans Affairs and
Department of Defense; leverage the existing platforms and services
currently used by veterans. Also, there should be an emphasis on
sponsoring National job fairs for veterans as well as collaborating
with private organizations to incentivize veteran recruitment, and
continue funding for free cybersecurity training for veterans, such as
the Federal Virtual Training Environment (FedVTE). Finally, using
cybersecurity professional organizations such as Women in Cybersecurity
(WiCyS) and International Consortium of Minority Cybersecurity
Professionals (ICMCP), that target affinity groups such as veterans and
other diverse populations, are another great resource to bring
awareness to veterans about opportunities within the cybersecurity
field.
Question 2a. Even with VetTech's success in attracting applicants,
I've heard from stakeholders in my district that further engagement
with community colleges and 4-year universities is also necessary for
cybersecurity training programs to be sustainable.
Dr. Estwick, what support do colleges and universities need from
Congress to fill the growing demand in the cybersecurity workforce?
Answer. Public and Private partnerships are paramount to growing
the cybersecurity workforce. Cooperation of private industry, academia,
and Governmental agencies on joint cybersecurity initiatives can take
advantage of each sector's complementary strengths. For example, in
2014 the Office of Personnel Management (OPM) created the Federal
Academic Alliance (FAA) to provide higher-education opportunities to
the Federal workforce at reduced tuition rates to address the
Government-wide skills gap needs, including the shortages in
cybersecurity. Today, OPM endorses 15 colleges and universities, such
as Excelsior College, and support for more educational opportunities
like the FAA would be beneficial to fulfill the demand in the
cybersecurity workforce.
In addition, according to a recent International Information System
Security Certification Consortium, (ISC)\2\ 2018 study titled,
``Innovation Through Inclusion: The Multicultural Cybersecurity
Workforce,'' 26 percent of the U.S. cybersecurity workforce identifies
as non-Caucasian. One strategy to address the underrepresentation of
racial and ethnic minorities in the cybersecurity field is to fund
cybersecurity educational programs at minority-serving institutions
(MSI). More funding for MSIs to create cybersecurity educational
curricula that address cybersecurity topics (e.g. data breaches,
threats to internet of things (IoT), artificial intelligence (AI)
expansion, etc.) would help to educate and sustain the cybersecurity
workforce while broadening participation within the cybersecurity
field.
Finally, the number of cyber attacks targeting our Nation's
critical infrastructures is on the rise. Specifically, in 2013, 59
percent of the attacks against our critical infrastructure were
reported in the energy sector (ICS-CERT, 2013). A skilled and educated
workforce is an essential component in improving the security posture
of our critical infrastructure. The security program of the nuclear
sector is regulated by the Federal Government with governance under the
U.S. Nuclear Regulatory Commission (NRC). In addition to being competent
in cybersecurity, professionals working in the nuclear and energy
industries need to be aware of specific standards, requirements, and
unique cyber threats.
Excelsior College has a long history of meeting the educational
needs of the nuclear workforce through innovative educational
solutions. In 2014, a degree program was created to address
cybersecurity challenges facing the nuclear industry. Cybersecurity
professionals in the nuclear sector require a broad range of technical
skills; however, few college programs currently exist at the
baccalaureate level to assure that these professionals have the unique
skill sets and knowledge domains needed to protect facilities and our
National security. Additionally, the critical and practical nature of
nuclear and energy sectors calls for enhanced simulation-based learning
to be developed. Due to Excelsior's innovative program, in June 2018,
Excelsior College received a Department of Energy Nuclear Energy
University Programs (DOE-NEUP) grant to purchase a web-based
pressurized water reactor simulator for use in the nuclear engineering
technology program. The $250K grant provides funding to:
support plant simulation to enhance student achievement of
higher cognitive learning outcomes through ``learning by
doing,''
provide the ability to evaluate and analyze technical
information during ``dynamic'' situations,
enhance our student's experiential learning activities, and
by doing so, enhance the student's ability to meet industry
needs,
enable students to advance their understanding of key
theories and concepts in the nuclear technology field to better
protect against cyber threats.
The value of Government funding to support the development of these
lab-based activities means without such support, higher education
institutions might not be able to adopt this important technology.
Therefore, there is an increasing need to expand Government funding of
experiential learning, especially in an on-line environment, where
skills shortages in cybersecurity can be filled by shifting people from
one industry/occupation to cybersecurity fields.
Question 2b. As both a veteran and woman of color, what do you
believe are the most impactful barriers to entry that need to be
addressed to attract and retain these underrepresented groups?
Answer. As a veteran and woman of color, some of the challenges to
recruitment and retention within the cybersecurity workforce have and
continue to be: Lack of understanding of military transferable skills,
discrimination, and inequities with pay and access to career
opportunities.
Female veterans need more support in articulating their military
experiences and identifying transferrable skills important to the
cybersecurity domain. Since there's no direct mapping of military
careers to current cybersecurity jobs, the lack of understanding by
many employers when it comes to hiring veterans gets further
complicated when the veteran is unable to articulate the importance of
their military jobs. Therefore, employers need to implement recruitment
programs with hiring managers who understand the immeasurable value
female veterans bring to the cybersecurity workforce.
According to a recent 2017 Global Information Security Workforce
Study, 51 percent of women in the cybersecurity workforce have
experienced discrimination. Although this statistic did not
disaggregate how many were female veterans or women of color, we can
surmise these female populations face discrimination as well. To
further support these statistics, the (ISC)\2\ 2018 report referenced
in an earlier question stated ``32 percent of cybersecurity
professionals of color report they have experienced some form of
discrimination in the workplace.'' Awareness programs that address
diversity, inclusion, and equity are important for organizations to
recruit and retain veterans and women of color in the cybersecurity
workforce.
Finally, from my personal experience, it's important that we
continue mentorship programs; however, sponsorship programs have
directly impacted my career advancement. Sponsors take a direct role in
the advancement of their proteges and usually work within the same
organization. It was through sponsorship and endorsement of my
technical competencies by senior leaders that advanced my career from a
multitude of roles that garnered more responsibility at each level,
while affording me the opportunities to earn raises and promotions
along the way. Without sponsorship, my cybersecurity career path would
have likely stalled in non-managerial roles negatively impacting my pay
and access to technical leadership programs. Unfortunately, the
inequity issues with pay and access are not unique; according to the
(ISC)\2\ 2018 report referenced in an earlier question:
``Despite higher level of education, a cybersecurity professional of
color earns less and is underrepresented in senior roles . . . tend to
hold non-managerial positions, and pay discrepancies, especially for
minority women (whereas women of color make an average of $10K less
than Caucasian males and $6K less than Caucasian females).''
In conclusion, there are several barriers impacting veterans and
women of color in the cybersecurity field; however, based on my
experiences, the inability to articulate transferrable skills, the lack
of pay equity and access to career opportunities due to discrimination
would need to be addressed to recruit and retain veterans and
especially women of color within the cybersecurity field.
Sources: https://cme.excelsior.edu/, https://fedvte.usalearning.gov/,
https://www.wicys.org/, https://www.icmcp.org/,
https://www.isc2.org/-/media/Files/Research/Innovation-Through-Inclusion-Report.ashx,
https://www.isc2.org/-/media/B7E003F79E1D4043A0E74A57D5B6F33E.ashx.