[House Hearing, 118 Congress]
[From the U.S. Government Publishing Office]
GROWING THE NATIONAL CYBERSECURITY
TALENT PIPELINE
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
CYBERSECURITY AND INFRASTRUCTURE
PROTECTION
OF THE
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTEENTH CONGRESS
FIRST SESSION
__________
JUNE 22, 2023
__________
Serial No. 118-19
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
54-126 PDF WASHINGTON : 2023
-----------------------------------------------------------------------------------
COMMITTEE ON HOMELAND SECURITY
Mark E. Green, MD, Tennessee, Chairman
Michael T. McCaul, Texas
Clay Higgins, Louisiana
Michael Guest, Mississippi
Dan Bishop, North Carolina
Carlos A. Gimenez, Florida
August Pfluger, Texas
Andrew R. Garbarino, New York
Marjorie Taylor Greene, Georgia
Tony Gonzales, Texas
Nick LaLota, New York
Mike Ezell, Mississippi
Anthony D'Esposito, New York
Laurel M. Lee, Florida
Morgan Luttrell, Texas
Dale W. Strong, Alabama
Josh Brecheen, Oklahoma
Elijah Crane, Arizona
Bennie G. Thompson, Mississippi, Ranking Member
Sheila Jackson Lee, Texas
Donald M. Payne, Jr., New Jersey
Eric Swalwell, California
J. Luis Correa, California
Troy A. Carter, Louisiana
Shri Thanedar, Michigan
Seth Magaziner, Rhode Island
Glenn Ivey, Maryland
Daniel S. Goldman, New York
Robert Garcia, California
Delia C. Ramirez, Illinois
Robert Menendez, New Jersey
Yvette D. Clarke, New York
Dina Titus, Nevada
Stephen Siao, Staff Director
Hope Goins, Minority Staff Director
Natalie Nixon, Chief Clerk
Sean Jones, Deputy Chief Clerk
------
SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION
Andrew R. Garbarino, New York, Chairman
Carlos A. Gimenez, Florida
Mike Ezell, Mississippi
Laurel M. Lee, Florida
Morgan Luttrell, Texas
Mark E. Green, MD, Tennessee (ex officio)
Eric Swalwell, California, Ranking Member
Sheila Jackson Lee, Texas
Troy A. Carter, Louisiana
Robert Menendez, New Jersey
Bennie G. Thompson, Mississippi (ex officio)
Cara Mumford, Subcommittee Staff Director
Moira Bergin, Minority Subcommittee Staff Director
Alice Hayes, Subcommittee Clerk
CONTENTS
----------
Statements
The Honorable Andrew R. Garbarino, a Representative in Congress
From the State of New York, and Chairman, Subcommittee on
Cybersecurity and Infrastructure Protection:
Oral Statement
Prepared Statement
The Honorable Eric M. Swalwell, a Representative in Congress From
the State of California, and Ranking Member, Subcommittee on
Cybersecurity and Infrastructure Protection:
Oral Statement
Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Prepared Statement
Witnesses
Ms. Anjelica Dortch, Senior Director, U.S. Government Affairs,
SAP America, Inc.:
Oral Statement
Prepared Statement
Mr. Will Markow, Vice President of Applied Research, Advocacy,
Global Markets, and Member Engagement, Lightcast:
Oral Statement
Prepared Statement
Ms. Tara Wisniewski, Executive Vice President, Advocacy, Global
Markets, and Member Engagement, ISC2:
Oral Statement
Prepared Statement
Colonel Chris Starling, USMC (Ret.), Executive Director,
California, Npower:
Oral Statement
Prepared Statement
For the Record
The Honorable Eric M. Swalwell, a Representative in Congress From
the State of California, and Ranking Member, Subcommittee on
Cybersecurity and Infrastructure Protection:
Statement of The Information Technology Industry Council
GROWING THE NATIONAL CYBERSECURITY TALENT PIPELINE
----------
Thursday, June 22, 2023
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity and
Infrastructure Protection,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:07 a.m., in
room 310, Cannon House Office Building, Hon. Andrew R.
Garbarino (Chairman of the subcommittee) presiding.
Present: Representatives Garbarino, Gimenez, Ezell, Lee,
Swalwell, and Menendez.
Also present: Representative Clarke.
Mr. Garbarino. The Committee on Homeland Security,
Subcommittee on Cybersecurity and Infrastructure Protection
will come to order.
Without objection, the Chair may declare the subcommittee
in recess at any point.
The purpose of this hearing is to receive testimony from
industry experts on the national cybersecurity work force.
I now recognize Ranking Member Swalwell for the purposes of
seeking unanimous consent.
Mr. Swalwell. Chair, I would seek unanimous consent that my
colleague, Yvette Clarke, be allowed to waive on for the
purpose of this hearing.
Mr. Garbarino. Without objection, so ordered.
I now recognize myself for an opening statement.
Thank you all for joining us today for a discussion of my
biggest priority as Chairman of the subcommittee, addressing
the cybersecurity work force shortage.
Over the last several months, this subcommittee has taken a
broad look at the Cybersecurity and Infrastructure Security
Agency, or CISA's, development since 2018 and its increasingly
important role in mitigating risk across Federal networks and
critical infrastructure. But in order for CISA and any public
or private entity, for that matter, to be successful in
executing its important mission, it must have a robust
cybersecurity work force.
Some estimates say that the United States currently has
more than 660,000 cyber job openings nationally. I've heard it
almost as high as 750,000. So that's a lot. In addition to the
overall shortage of cyber professionals, 61 percent of those
who are employed say they are burned out after triaging years
of major cyber incidents.
Research from ISACA, a notable nonprofit organization that
conducts an annual study of the state of the cyber work force,
shows that 54 percent of government and military stakeholders
believe a lack of skills and training are the top obstacle for
obtaining digital trust in an organization.
I've said it before and I will reemphasize my belief that
we not only--we need not only enough people but the right
people with the right skills in the right jobs to meet the
growing cyber threat.
In April, the FBI director testified to Congress that even
if all FBI cyber agents and intel analysts focused on the China
threat, Chinese hackers would still outnumber our FBI cyber
personnel at least 50 to 1. That is extremely concerning.
It is clear that the shortage of talent and burnout are
issues that both the public and private sector face. Therefore,
it is an issue we must tackle together. Our Nation's cyber work
force challenges are widespread and must be addressed through a
strategic and crosscutting approach that avoids duplication.
It's important for Congress to evaluate the appropriate roles
and responsibilities for Federal agencies and the private
sector to develop the cyber work force.
I am pleased to welcome four expert witnesses who can shed
light on private-sector efforts to move the needle forward. I
hope to hear about what cyber work force initiatives are
successfully developing private-sector talent and where
improvements could be made. I'm specifically interested in
hearing about creative models of education and training, like
apprenticeships and community college programs, and also about
some of the efforts to quantify challenges we face and provide
scalable solutions.
These creative models from our witnesses and other leaders
in the field will be key as we see increased demand for skill
sets in emerging technologies such as AI. I encourage CISA to
leverage the innovative initiatives of the private sector to
grow the national cyber work force at all levels via both
traditional and nontraditional pathways.
This hearing will be a starting point for our subcommittee
to evaluate the current state of the national cybersecurity
work force and discuss solutions. As we anticipate the Office
of National Cyber Director's National Cyber Workforce and
Education Strategy, I hope to tease out specific areas where
Congress can complement and build upon existing lines of effort
across the Federal Government.
I look forward to addressing this challenge in a bipartisan
manner with my colleagues across the aisle. Thank you all again
for being here today, and thank you for being great partners to
the Government in this endeavor.
[The statement of Chairman Garbarino follows:]
Statement of Chairman Andrew R. Garbarino
June 22, 2023
Thank you all for joining us today for a discussion on my biggest
priority as Chairman of this subcommittee--addressing the cybersecurity
workforce shortage.
Over the last several months, this subcommittee has taken a broad
look at the Cybersecurity and Infrastructure Security Agency, or
CISA's, development since 2018 and its increasingly important role in
mitigating risk across Federal networks and critical infrastructure.
But in order for CISA, and any public or private entity for that
matter, to be successful in executing its important mission, it must
have a robust cybersecurity workforce.
Some estimates say that the United States currently has more than
660,000 cyber job openings nationally. In addition to the overall
shortage of cyber professionals, 61 percent of those who are employed
say they are burned out after triaging years of major cyber incidents.
Research from ISACA, a notable nonprofit organization that conducts an
annual study of the state of the cyber workforce, shows that 54 percent
of Government and military stakeholders believe a lack of skills and
training are the top obstacle for attaining digital trust in an
organization.
I have said it before and I will reemphasize my belief that we need
not only enough people but the right people with the right skills, in
the right jobs to meet the growing cyber threat.
In April, the FBI director testified to Congress that even if all
FBI cyber agents and intel analysts focused on the China threat,
Chinese hackers would still outnumber our FBI cyber personnel at least
50 to 1. That is extremely concerning.
It is clear that the shortage of talent and burnout are issues that
both the public and private sector face, therefore, it is an issue we
must tackle together. Our Nation's cyber workforce challenges are
widespread and must be addressed through a strategic and cross-cutting
approach that avoids duplication. It is important for Congress to
evaluate the appropriate roles and responsibilities for Federal
agencies and the private sector to develop the cyber workforce.
I'm pleased to welcome four expert witnesses who can shed light on
private-sector efforts to move the needle forward. I hope to hear about
what cyber workforce initiatives are successfully developing private-
sector talent, and where improvements could be made. I'm specifically
interested in hearing about creative models of education and training,
like apprenticeships and community college programs, and also about
some of the efforts to quantify the challenges we face and provide
scalable solutions.
These creative models, from our witnesses and other leaders in the
field, will be key as we see increased demand for skillsets in emerging
technology such as AI. I encourage CISA to leverage the innovative
initiatives of the private sector to grow the national cyber workforce
at all levels via both traditional and non-traditional pathways.
This hearing will be a starting point for our subcommittee to
evaluate the current state of the national cybersecurity workforce and
discuss solutions. As we anticipate the Office of the National Cyber
Director's National Cyber Workforce and Education Strategy, I hope to
tease out specific areas where Congress can complement and build upon
existing lines of effort across the Federal Government.
I look forward to addressing this challenge in a bipartisan manner
with my colleagues across the aisle. Thank you all again for being here
today and thank you for being great partners to the Government in this
endeavor.
Mr. Garbarino. I now recognize the Ranking Member, the
gentleman from California, Mr. Swalwell, for his opening
statement.
Mr. Swalwell. Great. I thank the Chairman for his
leadership and focus on this area, and also want to welcome our
witnesses.
You know, you sit at a table at which many witnesses have
borne witness to some of the most divisive, gridlocked, muddy
issues that our country faces. But you are not among those
witnesses because you are here for an issue where I don't think
there's much daylight between my Republican colleagues and my
Democratic colleagues. I think we understand this issue and
want to know from you all what we can do together--together
inside the Congress and together outside with stakeholders.
So it's an incredibly important topic, as the Chairman said,
and we're focused on addressing the shortage of trained
cybersecurity professionals, which you all know is not a new
problem; it's actually a growing problem.
I represent two national laboratories, Lawrence Livermore
and Sandia in Livermore, California, where I live. We have
heard from them and tech and cybersecurity firms about the
tremendous challenge that they're facing every day in meeting
their cyber needs.
After engaging with a range of stakeholders in both the OT
and IT spaces, I and my team have learned a lot about the
complexity of the workforce challenge and the range of skill
sets needed to ensure that we secure the network technologies
we rely upon every day.
Last Congress, I introduced and passed the Industrial
Control Systems Cybersecurity Training Act, which authorized
CISA's ICS training program, which was enacted into law as part
of the National Defense Authorization Act. Through that
program, CISA trains over 25,000 students every year, either in
person or virtually, to secure the hardware and software used
in water treatment facilities, power transmission and
distribution, and other high-value critical infrastructure.
As we look to build on and build out on previous work like
the ICS bill, we must continue to expand the Federal
Government's support for cybersecurity training while also
tailoring efforts to align with the skills needed by private-
sector employers.
This hearing today will help our subcommittee gain a better
understanding of the specific causes contributing to the
cybersecurity work force shortage and help us develop solutions
going forward.
As the White House works to finalize its National Cyber
Workforce Education Strategy, it's critical that Congress can
be an active partner in implementing policies and providing
resources to expand the cyber talent pipeline and ensure we
have the work force necessary to maintain, as the Chairman
said, our advantage against adversaries who are outnumbering
us, like China and Russia.
Addressing this problem requires a coordinated approach
that brings together multiple Federal agencies, our Nation's
universities, community colleges, and too often as we've seen,
K-12 schools, as well as the private sector.
With CISA's extensive experience in public-private
partnerships, I know it will have an important role as a part
of this broader strategy, and the subcommittee stands ready to
make sure it has authorities and resources necessary to play a
role in the work force shortage.
Finally, the National Cybersecurity Strategy released
earlier this year makes clear that addressing the lack of
diversity in the work force is, ``both a moral necessity and a
strategic importance.'' We simply will not be able to close the
gap between employer demand and the available talent pool if we
do not do more to bring women, people of color, immigrants, and
other underrepresented groups into the cyber talent pipeline.
Building a robust cyber work force also provides an
opportunity to train and leverage the talent of our veterans,
who bring with them the experience, skill, and discipline that
makes them an irreplaceable asset to any cybersecurity team.
I look forward to hearing from the panel of witnesses. Again, I
thank the Chairman for what I think is going to be a very
productive hearing.
I yield back.
[The statement of Ranking Member Swalwell follows:]
Statement of Ranking Member Eric M. Swalwell
June 22, 2023
Good morning. I want to thank my friend, Chairman Garbarino, for
holding today's hearing on growing the national cybersecurity talent
pipeline.
It is an incredibly important topic, and one that both of us share
as a top priority for this Congress.
The shortage of trained cybersecurity professionals is not a new
problem.
For years, I have heard from the national labs and the tech and
cybersecurity companies in my district about the tremendous challenges
they face filling cybersecurity positions.
After engaging with a range of stakeholders in both the OT and IT
spaces, I learned more about the complexity of the workforce challenge
and the range of skill sets needed to secure the networked technologies
we rely on every day.
For that reason, last Congress, I introduced the Industrial Control
Systems Cybersecurity Training Act, authorizing CISA's ICS training
program, which was enacted into law as part of last year's National
Defense Authorization Act.
Through that program, CISA trains over 25,000 students annually--
either in-person or virtually--to secure the hardware and software used
in water treatment facilities, power transmission and distribution, and
other high-value critical infrastructure our adversaries target.
As we look to build on previous work like that legislation, we must
continue to expand the Federal Government's support for cybersecurity
training, while tailoring efforts to align with the skills needed by
employers and the demands of emerging technologies.
In doing so, we must ensure our cybersecurity curriculum and
training programs are not static and instead evolve as we deploy new
technologies like Artificial Technology and Machine Learning that can
both improve network security and introduce new risks.
This hearing today will help the subcommittee gain a better
understanding of the specific causes contributing to the cybersecurity
workforce shortage and help us develop solutions going forward.
As the White House works to finalize its National Cyber Workforce
and Education Strategy, it is critical that Congress be an active
partner in implementing policies and providing resources to expand the
cyber talent pipeline and ensure we have the workforce necessary to
maintain our advantage against adversaries like Russia and China.
Addressing this problem will require a coordinated approach that
brings together multiple Federal agencies, our Nation's universities,
community colleges, and K-12 schools, and our private sector, which
includes many of the world's leading technology and cybersecurity
firms.
With CISA's extensive experience in public-private partnerships and
its cybersecurity expertise, I know that it will have an important role
as part of this broader strategy, and this subcommittee stands ready to
ensure it has the authorities and resources necessary to contribute.
Finally, the National Cybersecurity Strategy released earlier this
year makes clear, addressing the lack of diversity in the cybersecurity
workforce ``is both a moral necessity and a strategic imperative.''
We simply will not be able to close the gap between employer demand
for skilled cybersecurity professionals and the available talent pool
if we do not do more to bring women, people of color, and other
underrepresented groups into the cyber talent pipeline.
Building a robust cyber workforce also presents an opportunity to
train and leverage the talent of our veterans, who bring with them the
experience, skill, and discipline that would make them an asset to any
security team.
I know our panel of witnesses today shares this priority, and I
look forward to hearing their ideas for how we can address this
challenge.
As we look to implement cyber workforce policies, I am committed to
ensuring they reflect the need for our cyber workforce to include the
full diversity of our Nation.
I thank the witnesses for joining us today and look forward to
their testimony.
I yield back.
Mr. Garbarino. Thank you, Ranking Member Swalwell.
Other Members of the committee are reminded that opening
statements may be submitted for the record.
[The statement of Ranking Member Thompson follows:]
Statement of Ranking Member Bennie G. Thompson
June 22, 2023
Good morning. I want to thank Chairman Garbarino and Ranking Member
Swalwell for holding this important hearing.
Growing the national cybersecurity talent pipeline has been a long-
standing priority for the Homeland Security Committee.
While we have done important work in recent years in enacting
legislation for CISA to provide critical assistance for industrial
control systems cybersecurity training and for K-12 cybersecurity
education, the cybersecurity workforce shortage has proven to be a
stubborn challenge.
It is apparent that much more needs to be done to develop the next
generation of cyber talent, re-skill our current workforce to fill
cybersecurity vacancies that exist today, and build a more inclusive
workforce that makes full use of the diversity that makes our Nation so
great.
To help cultivate the next generation of diverse cybersecurity
leaders, I worked with then-Intelligence Committee Chairman Adam Schiff
to establish the DHS Intelligence and Cybersecurity Fellowship Program,
providing a diverse set of college students the opportunity to work for
a summer at DHS on intelligence and cybersecurity matters.
Earlier this month, I had the opportunity to meet the inaugural
class of fellows and was impressed by their knowledge and commitment to
public service.
Unfortunately, just this week, Republicans on the Appropriations
Committee have advanced a fiscal year 2024 appropriations bill that
would eliminate funding for this important program.
This is the exact opposite of what we need to do if we are going to
address our shortage of cyber talent.
The young people I met this month are precisely the kind of bright
and talented individuals we need working in cybersecurity, especially
in the Federal Government where the challenge of recruiting qualified
cyber professionals has been particularly acute.
As we move through the appropriations process, I will fight to
restore funding for this important program, and I hope the bipartisan
membership of this committee will support me in this effort.
Instead of following the lead of the Appropriations Committee in
cutting back support for the development of the cyber workforce, we
must continue to look for innovative ways to bring more people into the
talent pipeline.
The panel of witnesses we have before us today have extensive
expertise on both the causes of our existing shortage and the solutions
that we must implement if we are to grow our cyber workforce.
We know that there is no single program that will solve this
problem overnight, but if we build cybersecurity education into our
K-12 curriculum, expand opportunities for cybersecurity training--whether
in the form of certifications, apprenticeships, or degrees--and
increase outreach to women and people of color, we should be able to
make real progress.
With partners in the Executive branch like Acting National Cyber
Director Kemba Walden, DHS Secretary Alejandro Mayorkas, and CISA
Director Jen Easterly, who all share our interest in tackling this
ongoing problem, I am confident that we will have a National Cyber
Workforce and Education Strategy that reflects this multi-pronged
approach.
I look forward to working with the Members of this committee to
ensure we have the legislation and resources necessary to implement it.
I thank our witnesses for sharing their perspectives with us.
I yield back.
Mr. Garbarino. I am pleased to have four witnesses before
us today to discuss this very important topic. I ask that our
witnesses please raise--rise and raise their right hand.
[Witnesses sworn.]
Mr. Garbarino. Let the record reflect that the witnesses
have answered in the affirmative.
Thank you. Please be seated.
I would now like to formally introduce our witnesses.
Anjelica Dortch is the senior director for the U.S.
Government Affairs at SAP America. She manages the company's
cybersecurity, artificial intelligence, and work force policy
portfolio. Ms. Dortch also spent 10 years working in the
Federal Government, including in the Executive Office of the
President as a senior technology advisor, where she led the
coordination of several Government-wide cyber work force
initiatives.
Will Markow is the vice president of applied research at
Lightcast. He oversees Lightcast's consulting and research team
focused on strategic work force planning and the impact of
emerging trends and technologies on the work force. Mr. Markow
leads the development of cyberseek.org, a cybersecurity work
force, analytics, and career platform to provide data on the
cybersecurity work forces across the United States.
Tara Wisniewski is the executive vice president for
advocacy, global markets, and member engagement at ISC2. She is
responsible for leading growth of the ISC2 global advocacy
program and oversees the association's Center for Cyber Safety
and Education.
Finally, Colonel Chris Starling is the executive director
of NPower California. In this role, he recruits and trains
veterans, veteran spouses, and young adults in IT fundamentals
and places them in IT jobs across California. Colonel Starling
is a United States Marine Corps veteran with 26 years of
active-duty service. Thank you for your service, sir.
Thank you all for being here today.
Ms. Dortch, I now recognize you for 5 minutes to summarize
your opening statement.
STATEMENT OF ANJELICA DORTCH, SENIOR DIRECTOR, U.S. GOVERNMENT
AFFAIRS, SAP AMERICA, INC.
Ms. Dortch. Thank you.
Chairman Garbarino, Ranking Member Swalwell, and Members of
the Subcommittee on Cybersecurity and Infrastructure
Protection, thank you for the opportunity to appear before you
today to discuss the importance of growing our Nation's
cybersecurity talent pipeline.
My name is Anjelica Dortch, and I am the senior director of
U.S. Government affairs and head of cybersecurity policy at--
for SAP, the world's largest enterprise software application
provider.
On behalf of SAP, I commend the subcommittee for working
together to highlight innovative approaches that address the
long-standing challenges we face as a Nation in developing,
attracting, and retaining cybersecurity professionals.
My testimony will address the role SAP plays in creating
opportunities for current and future cybersecurity
professionals and our commitment to help close the
cybersecurity skills gap. Let me share some of our most recent
achievements in this area.
For over 50 years, SAP has worked to foster trust through
responsible actions. As of 2023, the SAP Global Security team
has surpassed the national average of women working in
cybersecurity, and it has more than doubled the number of women
in cybersecurity management roles.
Additionally, the generational diversity of the SAP Global
Security team is drastically different than that of the U.S.
Federal Government. Over 60 percent of the organization is
comprised of millennial and Gen Z cybersecurity professionals.
Meanwhile, only 4 percent of technology professionals in the
U.S. Federal Government are under the age of 30.
Our Government Security and Secrecy team, or GS2, is
comprised of former national security professionals who spent
upwards of 30 years working for the Government. In the past 12
months alone, the GS2 team has grown 34 percent by attracting
cleared national security professionals to SAP. Close to 40
percent of the team is made up of women, and they are only 7
percent away from reaching 50/50 gender parity of women in
management roles.
But how are we growing a diverse cybersecurity talent
pipeline at SAP? I'll briefly highlight three programs.
SAP established the Global Security Early Talent Program.
This is a 2-year program that is designed for high-performing
early career individuals with little to no professional
experience. All participants conduct rotations in the United
States and abroad, and after completing the program,
participants move into a new full-time role that best matches
their skill sets and their interests. This model has expanded
and diversified our pool of cybersecurity candidates, along
with achieving higher rates of retention. Additionally, these
types of rotational programs provide greater exposure and
flexibility for young professionals to explore different
specialties within this field rather than locking them into
distinct roles or occupational series.
Now, at SAP, we view neurodiversity as a competitive
advantage. That's why in 2013 we launched a groundbreaking
Autism at Work Program which leverages the unique abilities and
perspectives of colleagues on the spectrum to foster inclusion
at SAP. We have the longest-running Autism at Work Program
among major companies. We support neurodiverse professionals
during the hiring process, and offer a variety of resources to
facilitate the success of employees once they are onboarded.
But to help neurodiverse professionals realize their potential,
most organizations must adjust their recruitment selection and
career development policies to reflect a broader definition of
talent.
Last, SAP National Security Services, or NS2, an
independent U.S. subsidiary of SAP, established a nonprofit
called NS2 Serves. This program was founded to support and
empower veterans in their transition into critically-needed
national security roles. NS2 Serves is committed to train and
place 600 veterans in national security careers by 2025. To
date, we have trained over 400 veterans and achieved a more than
90 percent graduation rate. As a result, all graduates of NS2
Serves have gained job offers, and SAP NS2 will continue to
make the necessary investments to provide veterans with a
pathway into national security careers.
In closing, it has been an honor to appear before this
subcommittee today on behalf of SAP. It is my hope that my
testimony supports the advancement of positive change that
leads to a more secure Nation.
Thank you, Chairman Garbarino, Ranking Member Swalwell, and
Members of the subcommittee, for your dedication to growing our
Nation's cybersecurity talent pipeline. I'd be happy to answer
any of your questions.
Thank you.
[The prepared statement of Ms. Dortch follows:]
Prepared Statement of Anjelica Dortch
June 22, 2023
Chairman Garbarino, Ranking Member Swalwell, and Members of the
Subcommittee on Cybersecurity and Infrastructure Protection, thank you
for the opportunity to appear before you today to discuss the
importance of growing our Nation's cybersecurity talent pipeline. My
name is Anjelica Dortch, and I am the senior director of U.S.
Government Affairs and Head of Global Cybersecurity Policy for SAP--the
world's largest enterprise software application provider.
On behalf of SAP, I commend this subcommittee for working together
to highlight innovative approaches that address the long-standing
challenges we face as a Nation in developing, attracting, and retaining
cybersecurity professionals. My testimony will address the role SAP
plays in creating opportunities for current and future cybersecurity
professionals and our commitment to help close the cybersecurity skills
gap.
I would first like to provide the subcommittee with a brief
overview of my professional background. Prior to joining SAP, I led the
scale-up of tech policy positions at IBM within the Government and
Regulatory Affairs team with a focus on artificial intelligence, hybrid
cloud, and intellectual property. I spent 10 years working for a
variety of U.S. Federal agencies including the Executive Office of the
President as a senior technology advisor where I led coordination of
several cybersecurity workforce initiatives to include leading the
first-ever Government-wide tech and cyber hiring event and the Federal
cybersecurity reskilling academy. Additionally, I contributed to the
development of U.S. policies and strategies including the 2018 National
Cybersecurity Strategy, the Presidential Executive Order on America's
Cybersecurity Workforce, the U.S. Federal Cloud Computing Strategy (or
Cloud Smart), and the Administration's Report on Artificial
Intelligence. Last, I'm passionate about getting individuals who look
like me into the cybersecurity field.
About SAP
SAP is a globally-recognized technology leader helping
organizations of all sizes and in all sectors run at their best. Our
customers generate 87 percent of total global commerce ($46 trillion).
Additionally, 99 out of the 100 largest companies in the world are SAP
customers. We operate in over 150 countries and have over 100,000 team
members world-wide. From manufacturing and distribution of vaccines to
modernizing the U.S. Department of Defense travel management system,
SAP's core purpose is to help the world run better and improve people's
lives. I believe SAP is uniquely suited to provide the subcommittee
with insights today into the opportunities and challenges we face in
addressing critical shortages in America's cybersecurity talent
pipeline.
Our Achievements
For over 50 years, SAP has worked to foster trust through
responsible actions in the context of security, privacy, compliance,
and transparency. To achieve this, we rely on talented cyber and
national security professionals from around the world. I'd like to
highlight two organizations at SAP that play a critical role in (1)
strengthening the security of SAP and our customers and (2) ensuring we
fulfill national security requirements and comply with critical
infrastructure regulations.
Our SAP Global Security team (or SGS) is responsible for product
and application security, cyber defense and design, security risk and
compliance, physical security, and most of all trust. Through the
leadership of our SAP chief security officer, Mr. Timothy McKnight, we
have made significant inroads in attracting, retaining, and growing a
diverse and high-performing global security team. As of 2023, the SAP
Global Security team has surpassed the national average of women
working in cybersecurity, and it has more than doubled the number of
women in cybersecurity management roles. The office of the chief trust
officer within our security organization has reached 50/50 gender
parity. Furthermore, the generational diversity of the SAP Global
Security team is drastically different than that of the U.S. Federal
Government. Over 60 percent of the organization is comprised of
Millennial and Gen Z cybersecurity professionals. Meanwhile, only 4
percent of technology professionals in the U.S. Federal Government are
under the age of 30. As you can see, the SAP Global Security Team is
committed to providing equal opportunities and ensuring that everyone
has a chance to develop and grow in the cybersecurity space.
For SAP to serve government customers world-wide, we must also work
collaboratively with the national security community. Our Government
Security and Secrecy team (or GS2) led by Mr. Martin Merz, ensures the
fulfilment of national security requirements, and manages cooperation
and coordination with all relevant Government security authorities.
Most of this team is comprised of former national security
professionals who spent upwards of 30 years working for the Government.
In the past 12 months alone, the Government Security and Secrecy team
has grown 34 percent by attracting cleared national security
professionals to SAP. Close to 40 percent of this team is made up of
women, and they are only 7 percent away from reaching 50/50 gender
parity for women in management roles.
How Are We Growing a Diverse Cybersecurity Talent Pipeline at SAP?
Early Talent Program
To attract and recruit young or early career cybersecurity
professionals, SAP established the Global Security Early Talent
Program.\1\ This 2-year program is designed for high-performing early
career professionals who have little to no professional experience and
a basic understanding of information technology and security
topics. All participants start the program with their first rotation at
our SAP America headquarters in Newtown Square, Pennsylvania, and spend
at least one rotation abroad at our SAP global headquarters in Walldorf,
Germany. The 6 months abroad is fully covered by the Global Security
Early Talent Program. After completing the Security Rotational Program,
participants move into a new full-time role within the SAP Global
Security team that best matches their skills and interests. This model
has expanded and diversified our pool of cybersecurity candidates,
along with higher retention rates once program participants shift to
full-time roles. Additionally, these types of rotational programs
provide greater exposure and flexibility for early career cybersecurity
professionals to explore different roles or specialties within this
field rather than immediately locking them into a distinct role or
occupational series.
---------------------------------------------------------------------------
\1\ Global Security Early Talent Program at SAP--https://
www.sap.com/documents/2022/01/de2934fb-127e-0010-bca6-
c68f7e60039b.html.
---------------------------------------------------------------------------
Autism at Work Program
At SAP, we view neurodiversity as a competitive advantage. That's
why in 2013 we launched a groundbreaking Autism at Work program which
leverages the unique abilities and perspectives of colleagues on the
spectrum to foster inclusion at SAP.\2\ We have the longest-running
Autism at Work program among major companies. The SAP Autism at Work
program provides a pathway and support for neurodiverse cybersecurity
professionals. We support neurodiverse candidates during the hiring
process and offer a variety of resources to facilitate the success of
the employee once they are onboarded. Neurodiverse individuals
frequently need workplace accommodations, such as headphones to prevent
auditory overstimulation in order to activate or maximally leverage
their abilities. In many cases the accommodations are manageable, and
the returns are great for both the employee and employer. But to
realize the benefits, most organizations must adjust their recruitment,
selection, and career development policies to reflect a broader
definition of talent.
---------------------------------------------------------------------------
\2\ SAP Autism at Work Program--https://www.sap.com/about/careers/
your-career/autism-at-work-program.
---------------------------------------------------------------------------
SAP NS2 Serves
The U.S. Department of Veteran Affairs estimates there are over 19
million living veterans in America. To address the growing need to
support veterans and their transition into critically needed national
security roles, SAP National Security Services (or NS2)--an independent
U.S. subsidiary of SAP--established NS2 Serves.\3\ The program was
founded to empower veterans and ease their integration into civilian
life by providing free, skills-based training for today's high-demand,
high-tech careers. NS2 Serves provides free training and employment
assistance to veterans. The program is available to impending or
honorably discharged post-9/11 U.S. military service veterans who have
left service in the last 10 years, reservists (including disabled
veterans), service members with orders to leave active duty, and Gold
Star spouses who meet eligibility requirements. The 8-12-week intensive
program provides students at all technical levels with world-class
software solutions training and certifications for a variety of well-
paying careers within U.S. national security and commercial
enterprises. NS2 Serves is committed to training and placing 600
veterans in new national security careers by 2025. To date, we have trained over
400 veterans and achieved more than a 90 percent graduation rate. As a
result, all graduates of NS2 Serves have gained job offers. This
program gives veterans valuable skill sets and a high degree of
employability. They can achieve a strong sense of purpose that often
averts some of the impacts of Post-Traumatic Stress Disorder (PTSD),
homelessness, and other mental health challenges. Many of our veterans
want to continue to contribute to their country, and they can do so
across our Government where SAP technologies are widely used. SAP NS2
is making the investment to provide veterans with that pathway. The
next cohort will launch Fall 2023.
---------------------------------------------------------------------------
\3\ NS2 Serves Training & Employing Veteran Program--https://
ns2serves.org/.
---------------------------------------------------------------------------
Apprenticeships
As a multi-national organization operating in more than 150
countries, SAP views apprenticeships as an integral part of the
development, recruitment, and retention of our workforce. At the SAP
global headquarters in Walldorf, Germany, approximately 25 percent of our
team members joined through an apprenticeship. Last year, the
administration announced the 120-day Cybersecurity Apprenticeship
Sprint to increase awareness of current cybersecurity-related
registered apprenticeship programs while recruiting employers and
industry associates to expand and promote apprenticeships. However, the
pathway to establish a U.S.-based apprentice program comes with
obstacles and challenges that this committee should explore.
An Ambitious Diversity, Equity, and Inclusion (DEI) Strategy
The data is clear: a diverse and inclusive workplace leads to more
innovation and allows us to better serve and represent our customers
around the globe. At SAP, DEI is part of our DNA. We are intentional
about addressing representation gaps within the technology sector to
include cybersecurity roles. In 2017, we set a goal of 35 percent women
in our workforce by 2030, and in December 2022, we achieved that goal.
Our next goal is to reach 50/50 gender parity globally. We hold
ourselves accountable by publishing our progress and specific goals,
including increasing the number of women in technical roles to 40
percent and doubling the number of women and underrepresented
minorities in senior roles by 2030. We intentionally work to attract,
hire, retain, and develop talented people of diverse backgrounds,
points of view, and experiences. Our strong commitment to allyship
drives a more open, accepting, and inclusive culture, so people can
bring their whole selves to work and perform at their best.
SAP University Alliances
For more than 25 years, SAP has worked to establish relationships
with academic institutions across the world through our University
Alliances Program. In the United States, we engage between 125,000 and
150,000 students per year through roughly 400 established partnerships
with universities and community colleges. The program includes Minority
Serving Institutions (MSIs) to include Morehouse, Spelman, and
Fayetteville University. We continue to expand these alliances across
the world to create new awareness and enthusiasm for SAP and career
opportunities in the cybersecurity field.
An Education-Focused Corporate Social Responsibility Strategy
SAP believes that investing in education is investing in the skills
and talents of the next generation--the foundation for the future
growth and prosperity of our Nation. We invest in innovative education
models and foster our engagement with multistakeholder partnerships to
enable pathways to employment and entrepreneurship in the digital,
social, and green economy for youth in need (under-represented, under-
served, and under-privileged youth between the ages of 16 and 24). Last
year, SAP began supporting the Last Mile Education Fund \4\--a program
focused on increasing diversity in tech by addressing critical gaps in
financial support for low-income underrepresented students. For
example, Sadie, a first-generation college student and a member of the
Tohono O'odham Tribe, triumphed over the challenges of growing up on a
rural reservation where she faced unique challenges due to the limited
resources and opportunities. Despite the scarcity of Native Americans
in tech, Sadie became one of the first in her village (Pisinmo'o) to
earn a cybersecurity degree. Now, she is on her way to becoming a
product manager at a leading cybersecurity company, blazing a trail for
others in her community. Sadie's journey embodies resilience,
determination, and the power to redefine what is possible in the
cybersecurity space. More partnerships and investments into innovative
programs like the Last Mile Education Fund are needed to help
individuals overcome socioeconomic barriers to starting a career in
cybersecurity.
---------------------------------------------------------------------------
\4\ SAP Partners with Last Mile Education Fund--https://
news.sap.com/2022/06/last-mile-close-technology-gender-gap/.
---------------------------------------------------------------------------
International Observations and Trends
Immigration Reforms Outside the United States
With a global footprint spanning over 150 countries, SAP can share
international observations and growing trends in workforce development.
The global cybersecurity talent shortage has forced some of our allies
to explore reforms to their immigration policies for the purposes of
removing migration hurdles for high-skilled workers in technology and
cybersecurity roles. Canada, Australia, and Germany are currently
instituting reforms that amend education, employment, language, and
compensation requirements. In some instances, the path to achieving
dual citizenship has been lowered to ensure retention of migrants who
make significant contributions to the economic prosperity of the
country. Some of these reforms include launching a streamlined process
powered by user-friendly web-based applications that provide
immigration decisions within 30 to 60 days. Overall, the competition
for American cybersecurity professionals will continue to increase as
allied nations enact ``cyber visas'' to attract top talent to their
regions.
European Union Cybersecurity Skills Academy
In April, the European Union launched the Cyber Skills Academy \5\
which is a European initiative aimed at bringing together existing
cybersecurity education programs and improving their coordination, to
close the cybersecurity talent gap and boost the European Union's
competitiveness, growth, and resilience. The Cyber Skills Academy is
built on four pillars. The first pillar addresses education and
training to foster E.U. cybersecurity knowledge. The second pillar will
provide information on certification capacity and visibility into
funding opportunities. The third pillar includes stakeholder
involvement, and the fourth pillar will monitor progress of the
initiative. E.U. member states and industry have been urged to support
the development and recognition of micro-credentials, and the E.U.
Commission is tasked with creating a centralized repository for all
E.U. cybersecurity programs, trainings, and certifications via the
``Digital Skills and Jobs Platform'' by the end of 2023. The success of
the European Union's efforts to bolster its cybersecurity pipeline will
depend on a strong collaboration with industry and E.U. member-states.
We encourage the subcommittee to continue monitoring the progress of
this national initiative.
---------------------------------------------------------------------------
\5\ European Union Cybersecurity Skills Academy--https://digital-
skills-jobs.europa.eu/en/cybersecurity-skills-academy.
---------------------------------------------------------------------------
Recommendations
With growing demands for cybersecurity talent, Congress has an
opportunity to drive impactful reforms that can give Americans multiple
pathways into cybersecurity careers. The United States has a tremendous
opportunity to engage, employ, and develop a more inclusive and diverse
workforce into high-demand, high-paying cybersecurity jobs that can
strengthen our national security and economic prosperity. SAP submits
the following recommendations and actions for consideration by
Congress:
1. Pass the Jumpstart Our Businesses by Supporting Students Act of
2023 (or the JOBS Act), cosponsored by Representatives Bill
Johnson, Lisa Blunt Rochester, Michael Turner, and Miki
Sherrill. The bill would extend Pell grant eligibility to
short-term job training programs for high-demand occupations
like cybersecurity.
2. Scale and centralize successful job training and employment
programs that transition veterans more easily into cyber and
national security roles.
3. Identify and highlight best practices for providing neurodiverse
Americans a pathway to join the cybersecurity workforce.
4. Shift the U.S. Federal Government away from ``home-grown'' human
capital management solutions and toward trusted and robust
commercial solutions that can reduce the time-to-hire and
improve the user experience for cybersecurity professionals
seeking to join the civil service.
In closing, it has been an honor to appear before this subcommittee
today on behalf of SAP. It is my hope that these recommendations,
observations, and best practices support the advancement of positive
change that leads to a more secure Nation. Thank you, Chairman
Garbarino, Ranking Member Swalwell, and Members of the subcommittee for
your dedication to growing our Nation's cybersecurity talent pipeline.
I'll be happy to answer any of your questions.
Mr. Garbarino. Thank you, Ms. Dortch.
Mr. Markow, I now recognize you for 5 minutes to summarize
your opening statement.
STATEMENT OF WILL MARKOW, VICE PRESIDENT OF APPLIED RESEARCH,
ADVOCACY, GLOBAL MARKETS, AND MEMBER ENGAGEMENT, LIGHTCAST
Mr. Markow. Chairman Garbarino, Ranking Member Swalwell,
and Members of the subcommittee, thank you for the opportunity
to speak with you today.
As the lines between our physical and digital lives
continue to blur, protecting our digital security has emerged
as a defining challenge of our time. Although this challenge
must be met by stakeholders across our Nation, the ultimate
responsibility for our digital security rests firmly on the
shoulders of our cybersecurity work force. However, this work
force faces persistent talent challenges that choke our cyber
talent pipeline and hobble efforts to build the work force we
need to secure our digital infrastructure.
It is against this backdrop that Lightcast has researched
the cybersecurity work force for over a decade. Lightcast is
the leading global authority on the labor market, with over 20
years of experience providing best-in-class data and insights
to thousands of educators, employers, government agencies, and
other institutions.
Throughout this time, our research has consistently pointed
to a sobering conclusion: The cybersecurity talent pipeline is
severely broken. In the past 12 months, there were over 660,000
cybersecurity job openings in the United States, but we only
had 69 skilled cybersecurity workers for every 100 that
employers demand. This means we are stepping onto the digital
battlefield missing nearly a third of our army, and the
consequences of this talent shortage echo across our country.
We find that this talent shortage stems from two critical
gaps: A talent gap resulting from rapid growth and skill
evolution in the field, and an expectations gap resulting from
the belief among many employers that they must hire workers
with inflated credentials or many years of work experience.
These gaps have formed a perfect storm of market failures. As a
result, fixing the cyber talent pipeline has become a problem
of remarkable complexity, and solving this problem is
impossible without shared visibility for all stakeholders into
the needs of our cyber work force.
It was this need for shared visibility that catalyzed our
development of cyberseek.org, a cybersecurity work force
exploration platform. CyberSeek includes a supply-and-demand
heat map, cyber career pathways, and a map of local training
providers, all of which are completely free to the public.
CyberSeek also includes links to other resources and maps
market data to the NICE Workforce Framework for Cybersecurity.
Since its release, CyberSeek has become widely used within
the cyber community, from students and professors to policy
makers and hiring managers. Lightcast is proud to develop
CyberSeek in partnership with NICE and CompTIA, thanks to
funding through a grant from NIST.
In addition to CyberSeek, Lightcast also supports cyber
talent development by providing data, software, and consulting
services directly to employers, educators, and other
stakeholders working to grow our Nation's pool of cybersecurity
professionals.
Our work across the cyber ecosystem gives us a unique
vantage point on how the Federal Government may help strengthen
the cybersecurity talent pipeline. In our view, there are three
main levers that Federal actors have at their disposal:
information, incentives, and standards. In practice, this means
that Federal agencies such as CISA and NIST can share
information about cyber training and hiring best practices, and
Federal employers can even become exemplars for innovative
skills-based hiring, such as lowering job requirements,
training for high growth and high-value skills, and building
career pathways to support internal advancement and mobility.
The Federal Government can also offer incentives that
improve the economics of growing the cyber work force, such as
joint training or talent-sharing programs with private
employers or expanded access to tools, funding, tax incentives,
or other resources.
Last, the Federal Government can develop standards that
detail best practices related to cyber work force development,
training, and hiring, as well as promote existing best-in-class
standards such as the NICE Framework.
In conclusion, expanding the cybersecurity talent pipeline
is undoubtedly a complex issue. It requires coordination across
a constellation of educators, employers, and individuals.
Aligning this diverse ecosystem of stakeholders requires a
shared understanding of the problem and clear, level-headed
guidance on how to solve it.
Thankfully, thousands of stakeholders across the country
are already facing this challenge head-on. Lightcast is
committed to working with these stakeholders, and we welcome
collaboration with anyone interested in creative, data-backed
solutions to cybersecurity's talent pipeline challenges.
Thank you, again, for the opportunity to participate in
this hearing, and I look forward to answering your questions.
[The prepared statement of Mr. Markow follows:]
Prepared Statement of Will Markow
June 22, 2023
Introduction
Chairman Garbarino, Ranking Member Swalwell, and Members of the
committee, on behalf of Lightcast, thank you for the opportunity to
appear before you today.
As the lines between our physical and digital lives continue to
blur, protecting our digital security has emerged as a defining
challenge of our time. Although this challenge must be met by a mix of
people, process, policy, and technology, the ultimate responsibility
for our digital security rests firmly on the shoulders of our
cybersecurity workforce. However, this workforce faces persistent
talent challenges that choke our cyber talent pipeline and hobble
efforts to build the workforce we need to secure our digital
infrastructure.
It is against this backdrop that Lightcast researches and
quantifies the cybersecurity workforce. We work with institutions
across the public and private sectors to arm them with the data and
insights they need to expand the cybersecurity talent pipeline and
build a world-class cybersecurity workforce.
Lightcast Is the Leading Global Authority on the Labor Market--in
Cybersecurity and Beyond
Lightcast is the leading global authority on the labor market. We
connect people with jobs by providing businesses, communities, and
education institutions with the best labor market data and insights
possible. Our data-driven insight enables better, faster decisions. To
that end, we provide software products, APIs, and consulting services
to employers, educators, governments, nonprofit organizations, and
other institutions. We collect data from government agencies, on-line
job postings, worker histories, and other sources from over 130
countries across the globe. Lightcast has worked with two-thirds of the
Fortune 100, 30 States, numerous Federal agencies, hundreds of
educational institutions, and dozens of nonprofits, among other
clients.
Lightcast provides data and insights on all jobs and all
industries, but we have been researching the cybersecurity workforce in
further depth for over a decade. In 2013, we found that data about
cybersecurity jobs were limited, if not missing entirely. This lack of
data created an information gap that was exacerbating the cybersecurity
talent gap.
Since then, we have released multiple reports on the state of the
cybersecurity workforce in an effort to close this information gap. Our
research has examined topics such as growth in cybersecurity hiring
demand, key drivers of cybersecurity talent shortages, emerging
cybersecurity skill requirements, and unique cybersecurity hiring
challenges faced by the Federal Government, among other areas of
relevant research.
The Cybersecurity Workforce Faces Two Critical Gaps: A Talent Gap and
an Expectations Gap
Lightcast's research over the past 10 years has consistently
pointed to a sobering conclusion: the cybersecurity talent pipeline is
broken. From May 2022 through April 2023, there were over 660,000
cybersecurity job openings in the United States, but we estimate that
the United States only has 69 skilled cybersecurity workers for every
100 that employers demand. This means we are stepping onto the digital
battlefield missing nearly a third of our cyber army.\1\ In practical
terms, this means we need over 460,000 new skilled cybersecurity
workers to meet employer demand.\2\
---------------------------------------------------------------------------
\1\ Reflects the latest data from https://www.cyberseek.org/.
\2\ https://lightcast.io/resources/blog/cyberseek-06-06-2023.
---------------------------------------------------------------------------
The consequences of the cybersecurity talent shortage echo across
the economy. The scale and impact of cyber attacks are well-known, but
the consequences for companies do not end with digital breaches. Hiring
costs for cybersecurity workers have skyrocketed, and cybersecurity
salaries are now 10 percent higher than for other IT workers--despite
IT already ranking among the highest-paid career fields. Cybersecurity
jobs also take 21 percent longer to fill than other IT roles,\3\
meaning many cybersecurity positions remain empty as our digital
threats continue to mount.
---------------------------------------------------------------------------
\3\ Lightcast analysis referenced on https://www.cyberseek.org/.
---------------------------------------------------------------------------
The root causes of our broken cybersecurity talent pipeline are
varied, but they can be simplified into two critical gaps: a talent gap
between supply and demand of cybersecurity workers, and an expectations
gap between employer demands and the realities of the cybersecurity
talent pool.
The Cybersecurity Talent Gap
The talent gap between supply and demand of cybersecurity workers
stems from the rapid growth and evolution in the field. Historically,
cybersecurity was not a clearly-delineated field and there was limited,
if any, training infrastructure in place to prepare cyber workers. As a
result, many workers found themselves in cybersecurity by happenstance,
rather than intention. As our world became increasingly digital,
however, cyber crime flourished. As a result, annual demand for
cybersecurity workers has grown 200 percent in the past 10 years. Such
rapid growth is difficult for our education system to catch up with in
any field, let alone one as technically demanding and dynamic as
cybersecurity.
Compounding this problem is the rapid evolution of skill
requirements in cybersecurity. Cyber threats evolve daily, and the
skills needed to defend against these threats must evolve as well. In
just the past 2 years, 24 percent of the top skills for cybersecurity
professionals have changed. Moreover, demand for emerging cybersecurity
skills--especially those related to cloud security, automation, and
secure application development--has grown faster than virtually any
other skills that Lightcast tracks. These skills cost employers even
more to fill. Just one emerging skill related to cloud security, for
example, can command an annual salary premium of $15,000 or more.
In the face of such rapid skill change and inflated hiring costs,
most employers struggle to keep the skills of their cybersecurity teams
up to date. This struggle is even more severe for the Federal
Government, and many Federal employers lag their private-sector
counterparts when it comes to adopting emerging skills. Our research
finds that cybersecurity teams in the private sector are 87 percent
more likely to request emerging skills than Federal employers. If the
skills on our Federal cybersecurity teams don't remain current, neither
can our cyber defenses.
Last, the cybersecurity talent gap extends to cybersecurity
leadership as well. Our research found that only 22 percent of
cybersecurity managers have prior managerial experience. This means
that nearly 8 in 10 cybersecurity teams are led by someone with no
prior leadership experience. We also found that, on average, managers
have been out of school for 11 years--more than enough time for their
skills to grow stale in such a fast-moving field. This adds another
dimension to cybersecurity training challenges and requires employers
to invest in training for business acumen and leadership skills
alongside technical mastery.\4\
---------------------------------------------------------------------------
\4\ All data in the preceding section, ``The Cybersecurity Talent
Gap'', reflect Lightcast analysis of proprietary Lightcast data. The
data related to Federal cybersecurity hiring is from Lightcast's report
on the Federal cybersecurity workforce, titled ``Securing a Nation.''
---------------------------------------------------------------------------
The Cybersecurity Expectations Gap
The second broad cause of the broken cybersecurity talent pipeline
is an expectations gap between the requirements employers demand and
the realities of the cybersecurity talent pool.
In particular, many employers request inflated education and
experience requirements that limit entry-level cyber opportunities.
Employers request at least a bachelor's degree in 84 percent of
cybersecurity job openings. Employers also request at least 3 or more
years of prior work experience in, again, 84 percent of cybersecurity
job openings.\5\ Such elevated requirements are not aligned with the
existing cybersecurity workforce and are rarely needed to perform the
duties of a cybersecurity job. As a result, they unnecessarily
constrain the pipeline of entry-level workers and limit opportunities
to reach a more diverse set of candidates. They also negatively impact
employee retention: in 2022, the turnover rate for cyber analysts with
at least a bachelor's degree was 64 percent higher than the turnover
rate for cyber analysts with an associate degree.\6\
---------------------------------------------------------------------------
\5\ Reflects Lightcast analysis of proprietary Lightcast data.
\6\ Reflects Lightcast analysis of proprietary Lightcast data.
---------------------------------------------------------------------------
Inflated certification requirements are also rampant. While
certifications can be valuable signals to employers that a candidate
has a certain level of knowledge, many employers have overloaded their
job requirements with certifications that are unnecessary for the job
for which they are hiring. This can artificially filter out otherwise
qualified candidates who have the right skills, just not the right
credentials.
We also have found a misalignment between the degree levels
students pursue and the degree levels employers request in entry-level
job opportunities. Every year in the United States, we graduate around
3,000 fewer students from bachelor's programs in cybersecurity-related
fields than there are entry-level cybersecurity jobs requesting a
bachelor's degree. At the same time, we graduate over 2,900 more
students from associate and master's degree programs in cybersecurity
than there are entry-level openings demanding these degrees.\7\ If
employers reduced their degree requirements in roughly one-third of
entry-level cybersecurity openings, this would nearly erase the degree-
level misalignment between graduates and entry-level job opportunities.
---------------------------------------------------------------------------
\7\ Reflects Lightcast analysis of 2021 IPEDS data from the
Department of Education plus proprietary Lightcast data.
---------------------------------------------------------------------------
This mix of talent challenges, across both the talent gap and
expectations gap, has formed a perfect storm of market failures. As a
result, fixing the cybersecurity talent pipeline has become a problem
of remarkable complexity.
cyberseek.org: deciphering the cybersecurity job market
Fixing the cybersecurity talent pipeline requires solutions for
both the underlying talent gap and the expectations gap. To solve the
talent gap, we must motivate more workers to enter the field and build
the training infrastructure to support them. To solve the expectations
gap, we must provide employers with the resources they need to make
informed hiring decisions.
These solutions require tight coordination across employers,
educators, Government, students, and many other groups throughout the
country. Aligning this patchwork of stakeholders is impossible without
shared visibility into cybersecurity workforce needs within communities
across the country.
It was this need for shared visibility that catalyzed the
development of CyberSeek.org, a cybersecurity workforce analytics and
career pathway platform that is freely available to the public.
CyberSeek was developed in 2016 through a partnership between
Lightcast, NICE, and the technology industry association CompTIA. It is
funded by a grant from the National Institute for Standards and
Technology. The platform provides actionable, accessible, and up-to-
date information about the cybersecurity workforce in communities
across the country.
CyberSeek is a unique tool that provides best-in-class data and
interactive visualizations to connect the dots between employer needs
and career opportunity. It includes a supply-and-demand heatmap, cyber
career pathways, skill-based job descriptions, and a map of local
training providers--all of which are completely free and open to the
public. To promote additional efforts to grow the cybersecurity talent
pipeline, CyberSeek also includes links to other resources on the
cybersecurity workforce--including those from CISA and the National
Initiative for Cybersecurity Careers and Studies.\8\ CyberSeek data are
aligned with the NICE Workforce Framework for Cybersecurity \9\ and are
updated multiple times throughout the year.
---------------------------------------------------------------------------
\8\ https://niccs.cisa.gov/.
\9\ The NICE Cybersecurity Workforce Framework details 7 key
categories of cybersecurity work, as well as dozens of specialty areas
and specific work roles included within each of these categories. It
also includes information about the tasks performed within each work
role, as well as the knowledge, skills, and abilities required to
perform these tasks.
---------------------------------------------------------------------------
Since its release, CyberSeek has become widely used within the
cybersecurity community--from students and professors to policy makers
and hiring managers. Data from CyberSeek are routinely mentioned in
media outlets across the country, and CyberSeek has been publicly cited
by multiple Presidential administrations. Many educators now develop
assignments for their students to visit CyberSeek and learn more about
cybersecurity careers. Inspired by the success of CyberSeek, Lightcast
has helped develop two sister websites, AUCyberExplorer \10\ in
Australia and CyberSeek Indiana.\11\ The latter is a state-level
version of CyberSeek with even more localized information.
---------------------------------------------------------------------------
\10\ https://www.aucyberexplorer.com.au/.
\11\ https://www.cyberseekin.org/.
---------------------------------------------------------------------------
We are continuously soliciting feedback on CyberSeek, and we hope
to continue to improve the platform so we may arm stakeholders across
the country with the tools and data they need to build a world-class
cybersecurity workforce.
lightcast supports stakeholders across the cybersecurity community
In addition to CyberSeek, Lightcast works directly with employers,
educators, Government agencies, and other stakeholders across the
cybersecurity community. We provide best-in-class labor market data and
insights through software, APIs, and consulting services. To the best
of our knowledge, we are the only organization that has mapped external
worker supply and employer demand data to the NICE Framework at scale.
Educators use Lightcast tools and data to inform cybersecurity
program development and align their curricula with the skills that
employers demand. This helps educators keep their cybersecurity
programs current, and ensures their students graduate with the skills
they need to secure a job. Similarly, Lightcast works with many
cybersecurity certification providers to help them align their
credentials with employer needs. By linking credentials with in-demand
skills, we help these certifying organizations develop credentials that
hold value in the eyes of both workers and employers.
Lightcast also works with employers to inform their talent
decisions related to strategic workforce planning, talent acquisition,
employee training, and more. We help organizations implement a skills-
based approach to cybersecurity hiring, which can help expand the
talent pipeline, increase candidate diversity, and improve hiring
outcomes. For example, we have found that organizations taking a
skills-based approach to hiring entry-level cybersecurity workers,
rather than a degree-based approach, can save an average of over
$15,000 per hire and expand their skilled candidate pool by over 60
percent.\12\
---------------------------------------------------------------------------
\12\ Reflects Lightcast analysis of proprietary Lightcast data.
---------------------------------------------------------------------------
Last, Lightcast also works with government agencies--both at the
Federal level and the State, local, and Tribal level--to support
cybersecurity workforce development. At the Federal level, we have
worked with multiple departments and agencies beyond our work with NIST
and NICE. In particular, we have provided information and data to the
Office of the National Cyber Director and the Cybersecurity and
Infrastructure Security Agency. We have also shared research findings
and data on multiple interagency webinars, in meetings with Federally-
convened working groups, and in discussions with individuals across
Federal agencies.
the federal government can strengthen the cybersecurity talent pipeline
through three broad levers: information, incentives, and standards
Lightcast's work with stakeholders across the cybersecurity
ecosystem gives us a unique vantage point on opportunities for the
Federal Government to help strengthen the cybersecurity talent
pipeline. In our view, there are three broad levers that Congress,
CISA, and other Federal actors have at their disposal: information,
incentives, and standards.
Lever 1: Information
The Federal Government--and CISA in particular--are in a unique
position to provide actionable information for stakeholders across the
cybersecurity workforce ecosystem. There are multiple avenues through
which this can be accomplished, but key opportunities include the
following:
Become an exemplar for innovative, skills-based
cybersecurity hiring practices.--This means shifting to a
skills-based approach to hiring for cybersecurity roles and
cataloging and promoting best practices for the private sector
to emulate. Examples of skills-based best practices that CISA
and other Federal agencies can take include the following:
Reduce education, experience, and certification
requirements in job openings.--This can have dramatic
impact toward reducing hiring difficulty and expanding the
size and diversity of the Government's candidate pool. For
example, Lightcast data show that removing a bachelor's
degree from early career cybersecurity job postings can
reduce the average cost to hire by over $15,000 and
increase the candidate pool by over 60 percent.\13\
---------------------------------------------------------------------------
\13\ Reflects Lightcast analysis of proprietary Lightcast data.
---------------------------------------------------------------------------
Prioritize training for high-growth, high-value skills.--
Lightcast projects that demand for many emerging
cybersecurity skills will grow 50 percent or more in the
coming years, and many of these skills command salary
premiums of $10,000 or more.\14\ In most cases, these
skills cost considerably less to train. Focusing training
on these high-growth, high-value skills--such as cloud
security, DevSecOps, and others--can help the Federal
Government maximize the return on its training investments.
---------------------------------------------------------------------------
\14\ Reflects Lightcast analysis of proprietary Lightcast data.
---------------------------------------------------------------------------
Build career pathways to enhance career advancement
potential for cybersecurity workers.--CISA and other
Federal agencies may develop clear cybersecurity career
pathways that communicate the roles that individuals may
target at different stages in their careers, possible
transition opportunities between each role, and the skills
or other attributes workers can develop to progress between
roles within a career pathway.
Educate employers as well as practitioners.--In addition to
providing education materials for practitioners and managers,
CISA or other Federal actors may provide training resources for
employers that outline talent management best practices for
cybersecurity workers. Providing quality training resources
that are accessible and targeted to personas on both sides of
the hiring process can help address the dual talent and
expectation gaps plaguing the cybersecurity workforce.
Expand and enhance access to tools and resources that
support cybersecurity workforce development and hiring.--This
could include the development of new tools and resources or the
expansion of existing tools--such as CyberSeek, current
resources from CISA and NICE, or others. These may be
accomplished through either of two vehicles: increasing funding
or increasing awareness.
Increasing Funding.--First, additional Federal funding
directed internally toward CISA or other Federal agencies,
or externally through grants or other mechanisms, would
enable the development of new tools, functionality, and
resources. For example, this may include tools providing
more data on emerging cybersecurity skills, resources for
employers to easily adopt skills-based hiring best
practices, or even tools that directly connect individuals
to open jobs or relevant training opportunities.
Increasing Awareness.--Second, expanding knowledge and
promotion of existing resources can maximize their impact
and help reach a larger pool of users without requiring
much, if any, additional investment. For example, resources
could be developed by CISA or others that provide
additional ``how to'' guidance and case studies that
demonstrate how to use existing tools and implement best
practices--such as skills-based hiring. Various Federal
actors can also aid in the promotion of existing resources
through public announcements, webinars, speaking
engagements, op-eds, or other activities.
Lever 2: Incentives
The Federal Government is also in a singular position to influence
incentives for individuals, educators, employers, and other
stakeholders to help strengthen the cybersecurity talent pipeline.
For employers, this could take the form of incentivizing employer-
sponsored training to upskill and reskill existing employees. These
incentives may take the form of tax credits or stipends which can
partially or fully offset the costs of training employees. This could
improve the economics for employers to invest in training. This, in
turn, may help employers strengthen the skills of existing workers and
reduce the cost of hiring entry-level workers to upskill. Numerous
States have developed similar programs, and the State-level
experimentation and outcomes associated with these types of programs
may inform similar Federal programs.
The Federal Government may also incentivize private employers to
invest in hiring entry-level workers through public/private
partnerships, talent sharing, or related initiatives. This may take
multiple forms, but some examples include the following:
Expanding shared training resources between CISA or other
Federal agencies and private employers.--This could reduce the
cost to employers to train entry-level workers. Ideally these
resources would be focused on high-value, high-growth skills--
such as cloud security, DevSecOps, secure application
development, and others.
Providing funding to local communities to support grassroots
innovation.--Providing funding to State and local governments,
or directly to other local institutions or consortia, can
support local collaboration between employers, educators, and
other local workforce development stakeholders working to grow
the cybersecurity workforce. An existing example of this is the
RAMPS program from NICE.\15\
---------------------------------------------------------------------------
\15\ https://www.nist.gov/system/files/documents/2017/08/18/
ramps_one_pager_032017.- pdf8u_tpo.pdf.
---------------------------------------------------------------------------
Providing resources, tax credits, or other financial
incentives to employers to develop cybersecurity apprenticeship
programs.--These programs can help students build on-the-job
experience and develop diverse talent pipelines for employers.
Improving the economics of apprenticeships can help more
employers adopt them for entry-level cybersecurity roles.
Developing public/private talent-sharing programs.--Under
these programs, a worker can spend time working in both the
public and private sector, which helps them gain new skills and
on-the-job experience. CISA has already experimented with
similar programs on a limited scale. These talent-sharing
programs could support greater information and resource sharing
between the public and private sector and would help workers in
all sectors build new skills. It may also reduce hesitancy for
employers to hire entry-level workers if they are able to share
the training of those workers with Federal employers.
Lever 3: Standards
Last, the Federal Government can develop standards and frameworks
that support consistent application of best practices related to
workforce development, training, and hiring. Already, NIST and NICE are
providing valuable standards and frameworks related to cybersecurity.
This also extends to cybersecurity education and workforce development,
which is most prominently achieved through the NICE Framework.
The NICE Framework has become a valuable resource that is used
widely in the cybersecurity community. Educators use the NICE Framework
to inform their training content and align it to the needs of the
workforce, employers use it to assess gaps in their cybersecurity
workforce, and individuals use it to identify the types of work they
can prepare for within the cybersecurity field, among other
stakeholders.
Building off the success of the NICE Framework, the Federal
Government may take additional steps to provide standards and
frameworks that will strengthen the cybersecurity talent pipeline. Some
of these steps may include the following:
Provide frameworks and standards that outline best practices
for cybersecurity employers.--This may include standards
describing best practices for adopting skills-based hiring,
optimizing job descriptions, building career pathways,
maximizing the value of learning and development, developing
apprenticeships, engaging with educators or other stakeholders,
and related activities. This will help to address the
expectations gap that creates misalignment between the needs of
employers and the realities of the existing cybersecurity
talent pool.
Continue to update and refine the NICE Framework.--The rapid
evolution of cybersecurity skill requirements necessitates
frequent updates to the NICE Framework to ensure it remains
current. Moreover, additional data collection and industry
input can help NICE continue to further align the Framework
with the language and needs of employers.
Provide frameworks and standards for educators to build
training content that is up-to-date and aligned with employer
needs.--This may take the form of baseline standards for
curriculum development, suggested steps for data collection and
analysis on market job and skill demand, recommendations for
strengthening employer engagement, tools for embedding hands-on
learning opportunities into curricula, resources for developing
co-ops and internship opportunities with local employers, and
related activities.
conclusion
Expanding the cybersecurity talent pipeline is, undoubtedly, a
complex issue. It requires coordination across a constellation of
disconnected, yet interrelated, educational institutions, employers,
and individuals. Aligning this diverse ecosystem of stakeholders
requires a shared understanding of the problem, and clear, level-headed
guidance on how to solve it.
Thousands of stakeholders--both in the public and private sectors--
are already facing this challenge head on. Lightcast is committed to
working with these stakeholders, and we welcome collaboration with
anyone interested in creative, data-backed solutions to cybersecurity's
pipeline challenges.
Thank you again for the opportunity to participate in this hearing
and I look forward to further engagement with the committee.
Mr. Garbarino. Thank you, Mr. Markow.
Ms. Wisniewski, I now recognize you for 5 minutes to
summarize your opening statement.
STATEMENT OF TARA WISNIEWSKI, EXECUTIVE VICE PRESIDENT,
ADVOCACY, GLOBAL MARKETS, AND MEMBER ENGAGEMENT, ISC2
Ms. Wisniewski. Thank you, Chairman Garbarino, Ranking
Member Swalwell, and Members of the subcommittee, for the
invitation to testify on the national cybersecurity work force
pipeline. We at ISC2 appreciate the opportunity to share our
perspective on the current state of the cybersecurity work
force and our vision for its future.
ISC2 is an international nonprofit association with 425,000
members focused on advancing a safe and secure cyber world.
Best known for our acclaimed CISSP certification, ISC2 offers a
portfolio of credentials that are part of a holistic, pragmatic
approach to security, and built on strong, ethical foundations.
Organizations are increasingly aware of the vital
importance of resilient cyber systems leading to more demand
for cyber talent as threats expand. Our annual Cybersecurity
Workforce Study assesses the size of the current work force and
looks for ways to address the existing talent shortage. Our
2022 study found there is a worldwide gap of 3.4 million
cybersecurity workers. ISC2 is currently in the process of
collecting and analyzing data for our 2023 Cybersecurity
Workforce Study, which will be released in September.
In our early findings, we estimate there are 132,000 new
entrants into the U.S. cybersecurity work force, an 11 percent
increase from 2022. But at the same time, our data shows the
work force gap will be over 480,000, which is a 17 percent
increase from last year.
One of the most critical investments ISC2 has made to grow
the work force is development of a new entry-level
certification called the ISC2 Certified in Cybersecurity, or
CC. This certification allows those with little to no
cybersecurity experience to gain the foundational knowledge and
skills necessary for an entry-level cybersecurity role. It also
provides an entry point for aspiring cyber professionals to
begin their career and launch them into their first job.
Because we believe so deeply in the importance of providing
access to the profession, we have launched a campaign called
One Million Certified in Cybersecurity, where we are delivering
1 million CC courses and exams for free. Half of these course
enrollments and exams are reserved for students at Historically
Black Colleges and Universities, Minority-Serving Institutions,
members of Tribal organizations, veterans, women, and
neurodiverse individuals. We made this commitment during the
Cyber Workforce and Education Summit at the White House last
summer and are pleased to report that more than 200,000 future
cyber professionals are already enrolled.
We commend the Biden administration for its work on the
2023 National Cybersecurity Strategy, particularly the
Strategy's focus on enhancing the cybersecurity work force. We
are also excited about the forthcoming work force strategy from
the Office of the National Cyber Director, and appreciate the
focus the subcommittee is giving to this very important issue.
Yet we know that for these strategies to be implemented
effectively, it will take all Federal agencies, including CISA,
working together with the private sector to deliver impactful
change. Innovative strategies are necessary to professionalize
and build the cybersecurity sector. In that vein, we encourage
Congress to consider a few recommendations.
First, we must provide pathways for entry-level
practitioners to join the cybersecurity field. ISC2's Certified
in Cybersecurity certification responds to this problem, yet
there is so much more to be done. We know we cannot create the
talent pipeline to bridge our current gap until the
cybersecurity ecosystem of Government, industry, academia, and
organizations like ISC2 hire and invest in the professional
development of entry-level professionals.
Second, we must increase diversity. We know that diversity
within an organization adds to the overall confidence of an
organization's security posture because highly diverse teams
directly contribute to greater success and prosperity. We also
know from our research that organizations with DEI programs in
place have smaller work force gaps. Yet despite these findings,
meaningful progress to deliver more diversity, equity, and
inclusivity in the cybersecurity profession has been slow.
Additionally, there is a need to facilitate collaboration
with public and private-sector entities. CISA's sustained long-
term commitment to the sector provides us with a natural
partnership in this area. Working together, we can provide more
cyber-readiness resources across all levels and roles in the
public and private sector.
Finally, we must professionalize cybersecurity. A
digitally-skilled population and strong cyber work force leads
to more resilient organizations and infrastructure.
Certifications are a critical part of this work, including
ensuring cyber professionals hold certifications built on
strong, ethical foundations and accredited by international
standard bodies.
Thank you again for the opportunity to testify before the
subcommittee today. ISC2 looks forward to working with you on
this very important issue.
Thank you.
[The prepared statement of Ms. Wisniewski follows:]
Prepared Statement of Tara Wisniewski
June 22, 2023
ISC2 thanks Chairman Garbarino and Ranking Member Swalwell and the
Members of the House Homeland Security Subcommittee on Cybersecurity
and Infrastructure Protection for the invitation to testify at this
important hearing on the national cybersecurity talent pipeline. We
appreciate the opportunity to share our perspective on the current
state of the cybersecurity workforce and our vision for the future. The
Cybersecurity and Infrastructure Security Agency (CISA) has been a
critical partner in the work to close the cybersecurity workforce gap,
among the many other roles it plays in securing cyber space. In
particular, we greatly appreciate CISA's role in creating a safer and
more secure cyber ecosystem through the harmonization of standards and
regulations, encouraging collaboration between public and private
entities to defend critical systems and information, investing in a
cyber resilient future for public and private-sector stakeholders, and
defending against an ever-evolving threat landscape.
isc2 is a leader in developing the global cybersecurity workforce
ISC2 is an international nonprofit membership association focused
on building a safe and secure cyber world. Our organization is
dedicated to understanding and addressing the barriers facing the
cybersecurity workforce and serving as a leader in the implementation
of solutions that will build and support a well-qualified and diverse
workforce in the United States and globally.
Best known for our acclaimed Certified Information Systems Security
Professional, or CISSP, certification, ISC2 offers a portfolio of
credentials that are part of a holistic, pragmatic approach to
security. Our association is made up of over 425,000 members,
associates, and candidates across the globe, including approximately
200,000 in the United States. Our members are a critical part of
delivering on our mission, given the tremendous work they engage in
daily to advance the industry and ensure we live in a more secure
world. Our membership includes a variety of certified cyber,
information, software, and infrastructure security professionals
responsible for securing our governments, economies, critical
infrastructure, and personal information every day.
Our charitable foundation, the Center for Cyber Safety and
Education, supports ISC2's vision for expanding the cyber workforce and
enhancing cybersecurity by educating the public about cyber risks,
removing barriers to accessing the cybersecurity profession, and
helping small organizations protect themselves from cyber risks.
the state of the cybersecurity workforce
With geopolitical and macroeconomic turbulence, a constant flood of
high-profile cyber attacks threatening critical infrastructure and
business resilience, and an evolving regulatory environment driving new
cyber governance and compliance requirements, the stakes have never
been higher. Mission-critical to all of these concerns is the need for
a well-rounded, skilled cybersecurity workforce.
Understanding the gravity of the demand for cyber talent as threats
expand and organizations become increasingly aware of the vital
importance of resilient cyber systems is essential for building
solutions. This need for accurate data drives ISC2 to conduct our
annual Cybersecurity Workforce Study to assess the size of the current
cybersecurity workforce, as well as the existing talent shortage. This
research has given us tremendous insight into the challenges and
opportunities cyber professionals face, including hiring and recruiting
trends, corporate culture and job satisfaction, career pathways,
certifications, professional development, how the workforce is adapting
to current events, and what the future of cybersecurity work looks
like. It also shows us what conditions are essential to shrinking the
talent gap.
Our 2022 Cybersecurity Workforce Study found there to be global
unfilled demand, or a workforce gap, of 3.4 million cybersecurity
workers, representing a 26.2 percent year-over-year increase. In the
United States specifically, our cybersecurity workforce grew by 5.5
percent, reaching a total of 1.2 million cyber professionals in 2022.
But at the same time, the estimated workforce gap grew 9 percent last
year as more organizations realized their need for cybersecurity
professionals and additional cyber roles opened up. In the United
States in 2022, we estimate the cyber workforce gap is around 410,695
unfilled roles.\1\
---------------------------------------------------------------------------
\1\ ISC2 2022 Cybersecurity Workforce Study. https://www.isc2.org//
-/media/ISC2/Research/2022-WorkForce-Study/ISC2-Cybersecurity-
Workforce-Study.ashx.
---------------------------------------------------------------------------
Given these numbers, the lack of a qualified cybersecurity
workforce continues to be a top concern for all sectors, particularly
critical infrastructure. Seventy-two percent of U.S. respondents
reported their organization does not have enough cybersecurity
employees, and 55 percent of those respondents said these staff
deficits put their organization at a ``moderate'' or ``extreme'' risk
of a cyber attack.\2\ As our world becomes more digitally reliant, the
potential for cyber attacks grows and businesses and data must be
protected. In fact, 95 percent of small businesses are unprotected,
highlighting the critical need to ensure organizations of all sizes are
able to find and retain qualified cybersecurity talent.\3\
---------------------------------------------------------------------------
\2\ Ibid.
\3\ Ibid.
---------------------------------------------------------------------------
ISC2 is currently in the process of analyzing data for our 2023
Cybersecurity Workforce Study, which will be released in September
2023. Early estimations show there are 132,000 new entrants in the U.S.
cybersecurity workforce, an 11 percent increase from last year's
numbers, while the workforce gap grew to 482,985 unfilled roles.
isc2 efforts to build a qualified and diverse workforce
Considering these staggering cybersecurity workforce statistics,
ISC2 is committed to finding solutions to address the cybersecurity
workforce gap in the United States and around the world. Since our
founding, ISC2 has been a leader in credentialing the global
cybersecurity workforce with standards-based approaches to skills
development. This is reflected in the Common Body of Knowledge for all
ISC2 certifications and training materials, as well as our commitment
to mapping all of our certifications to international standards.
Further, our ecosystem of education and certification is built on a
solid foundation of ethical best practices to which all members must
adhere. For a profession that is critical to every major sector,
expanding access to the cybersecurity profession, as well as setting
reasonable, concise, and effective standards that include certification
requirements, is pivotal.
Over the last several years, ISC2 has increased our focus on the
full life cycle of the cybersecurity workforce, and we continue to
serve as an advocate for the profession and the professionals we serve.
As part of this work, we are committed to creating a diverse talent
pipeline through education, upskilling, re-skilling, and professional
development. We have a particular focus on developing and supporting
entry-level and early career professionals to ensure we have more
entrants into the profession--where they are most desperately needed--
to help meet the ever-widening gap.
One of the most critical investments we made last year was the
development of an entry-level certification called the ISC2 Certified
in Cybersecurity (CC). This certification allows those with little to
no cybersecurity experience to gain the foundational knowledge, skills,
and abilities necessary for an entry-level cybersecurity role. The CC
certification is ideal for current IT professionals or other
professionals looking to transition into cybersecurity, as well as
college students or recent high school graduates interested in
exploring the cybersecurity field. We believe this certification fills
a critical gap in the cybersecurity workforce by providing an on-ramp
for potential cybersecurity professionals to begin their careers and
launch into their first jobs where they can continue to learn, grow,
and access other certifications along their career path.
In light of our pledge to implement meaningful solutions to the
global cybersecurity workforce challenges, ISC2 not only
created the CC certification, but we also have pledged to deliver One
Million Certified in Cybersecurity courses and exams--for free.\4\ We
made this commitment during the Cyber Workforce and Education Summit at
the White House last summer and are pleased to report that over 23,000
professionals have earned the CC certification since that time, and
more than 200,000 have enrolled in the program. As part of this
commitment, we also pledged to direct half of these course enrollments
and exams to students of historically black colleges and universities
(HBCUs), minority-serving institutions (MSIs), Tribal organizations,
and women's organizations.
---------------------------------------------------------------------------
\4\ ISC2 Pledges One Million Free ISC2 Certified in Cybersecurity
Courses and Exams. https://blog.isc2.org/isc2_blog/2022/07/isc2-1-
million-certified-in-cybersecurity.html.
---------------------------------------------------------------------------
u.s. federal government solutions to address the workforce gap
Protecting the Nation's critical infrastructure has never been more
important as our forthcoming 2023 workforce study will show that more
than half of information security professionals currently in those
sectors believe their organizations are at a moderate to extreme risk
of experiencing a cybersecurity attack. When hiring for cybersecurity
positions, hiring managers put cybersecurity certifications at the top
of the list of qualifications they find most important. According to our
data to be released in the coming months, among the skills hiring
managers are looking for, risk assessment, analysis and management were
at the top of the list (31 percent), while communications skills (29
percent); security engineering (28 percent); and governance, risk
management and compliance (27 percent) were also listed as important.
When considering the needs of securing our critical infrastructure,
ISC2 research suggests hiring managers in those sectors are open to
nontraditional methods of increasing the workforce including
prioritizing nontechnical skills and providing training and development
for employees once hired.
ISC2 is extremely proud of the work we have done to date to help
address the gaps in the cybersecurity talent pipeline, but we recognize
we cannot do this work alone. Governmental bodies around the world,
including the U.S. Federal Government, will play an important role in
creating policy and regulatory environments that allow cybersecurity
professionals to thrive and grow. Given its mandate from Congress, the
Department of Homeland Security and CISA specifically will be important
stakeholders in finding and implementing solutions to address the
current workforce gap we experience in the United States.
We commend the Biden administration for its work on the 2023
National Cybersecurity Strategy, particularly the strategy's focus on
enhancing the cybersecurity workforce, increasing coordination and
collaboration in public-private partnerships, responding to threats on
critical infrastructure, and clarifying the responsibility of various
entities in the cyber ecosystem for responding to cybersecurity
threats.
We believe efforts to create a strong and secure national and
global cyber ecosystem built on partnership, communication, responsible
action, and technological development are critical to addressing
vulnerabilities throughout the public and private sector. We look
forward to seeing the administration's forthcoming cyber workforce
strategy, which will provide even more specificity to the Federal
Government's plans to utilize its current authorities, structures, and
programs to continue to develop the cyber workforce throughout the
country.
To ensure the success of the National Cybersecurity Strategy, all
Federal agencies, including CISA, will play a critical role in its
implementation. CISA's strengths in the implementation will stem from
its role in raising awareness and increasing the visibility of
cybersecurity and the important role cyber defense plays in protecting
against the growing threats facing the Nation. The agency should
continue to play an instrumental role in promoting dialog and building
knowledge and awareness of information and systems security across the
digital landscape. It also is important for CISA to continue to serve
as a conduit between government agencies and the private sector to
encourage collaboration, increase diversity within the sector, and
explore and implement other measures related to cyber readiness to
effectively manage the increasing cybersecurity risks facing the United
States.
To be clear, none of the goals in the National Cybersecurity
Strategy can be accomplished without focusing on the need for more
cybersecurity professionals and professionalizing the cyber sector to
ensure cybersecurity professionals are equipped to respond to evolving
threats. To address these issues, the U.S. Government and industry need
innovative strategies for workforce development as the strategies of
the past have not been sufficient to address the prolific cybersecurity
workforce crisis. The answer to the cybersecurity workforce problem
will not be found in a single program but rather a multitude of
innovative solutions, including the recommendations outlined below.
Provide pathways for entry-level practitioners to join the
cybersecurity field.--ISC2 conducted a recent study of hiring
managers to learn more about the best practices for hiring and
developing entry-level cybersecurity practitioners. Our
research found that organizations focused on recruiting and
developing entry-level cybersecurity staff, including those
with little or no technical experience, are helping to
accelerate the invaluable hands-on training that the next
generation of professionals need.\5\ Yet, it is often difficult
for professionals to get their foot in the door into those
initial roles to gain access to this valuable experience.
---------------------------------------------------------------------------
\5\ ISC2 Cybersecurity Hiring Managers Guide. https://www.isc2.org/
/-/media/ISC2/Research/2022/ISC2-Cybersecurity-Hiring-Managers-
Guide.ashx.
---------------------------------------------------------------------------
Understanding that what employers need most to shore up their cyber
defenses is entry- and junior-level cybersecurity
professionals--degrees are not necessarily required for
valuable early career roles--ISC2 developed the CC
certification to address this problem. Yet, there is more to be
done to open the floodgates for these pathways into the
cybersecurity profession. Organizations and the Government must
be willing to step in to provide incentives and hire entry-
level professionals with entry-level qualifications, as well as
invest in the professional development of these professionals--
otherwise, we will never create the talent pipeline necessary
to bridge the workforce gap.
We are encouraged by several of CISA's education and career
development programs, including the Cybersecurity Education and
Training Assistance Program (CETAP) to inspire the next
generation of cybersecurity professionals through initiatives
to include cybersecurity education in K-12 schools. We also
appreciate CISA's work on the Cybersecurity Workforce
Development and Training for Underserved Communities program,
which is designed to increase diversity across the cyber
workforce, as well as the Cyber Career Pathways Tool to help
people gain a better understanding of cybersecurity and the
different roles available in the sector.
Increase diversity within the cybersecurity field.--Given
the wide range of threats we see in the cybersecurity realm, it
is imperative we consider how to diversify the cybersecurity
workforce to ensure we have a diversity of thought and
experience available leading our cyber defenses. One of our
recent market research studies found that incentivizing a more
diverse information and systems security profession encourages
increased innovation.\6\ For example, our study showed
organizations with diverse leadership teams benefit
organizations culturally as well as in their bottom-line
revenues.\7\ This diversity also adds to the overall confidence
of an organization's security posture given that highly diverse
teams can directly contribute to greater success and
prosperity. Yet, despite these findings, meaningful progress to
deliver greater and more equitable diversity and inclusivity
within the cybersecurity profession has been slow.
---------------------------------------------------------------------------
\6\ ISC2 ``In Their Own Words: Women and People of Color Detail
Experiences Working in Cybersecurity.'' https://www.isc2.org/-/media/
ISC2/DEI/DEI-Market-Research-2021.ashx.
\7\ Ibid.
---------------------------------------------------------------------------
CISA can help in these efforts to diversify the cybersecurity
profession by channeling education resources to redefine the
image of the cybersecurity professional and the profession to
accurately reflect and value the diversity of the world it
protects. We hope to work with CISA to find innovative ways to
continue to bring people into the sector and retain them
because we recognize that we must focus our efforts not only at
the entry- and mid-levels but at the C-suite and executive
levels as well. To create a diverse and inclusive workforce and
reap the resulting benefits, diversity must be prevalent at all
levels of the organization.
Facilitate collaboration with private-sector entities.--
Collaboration is key to addressing cybersecurity
vulnerabilities and the workforce gap. As a global organization
with strong connections to law-making bodies and government
entities across the world, ISC2 recognizes the importance of
continuing to build strong partnerships and strengthen
collaborative relationships to further the profession's needs.
CISA's commitment to sustain long-term dedication to the sector
provides us with a natural partnership in this area. Working
together, we can provide more cybersecurity readiness resources
across all levels and roles in the public and private sector
for the information and systems security profession.
We believe it is important to consider the Federal Government's
role in addressing the cyber workforce gap, while acknowledging
the private sector's existing efforts to find creative
solutions to this problem. Working together, we believe there
are many opportunities to increase education, incentivize
professional development, and develop programs that are
available to as many people from as many backgrounds and
demographics as possible.
Professionalize cybersecurity.--A digitally-skilled
population and strong cybersecurity workforce leads to more
resilient organizations and infrastructure. This is especially
important as the United States seeks to create more and better-
paying jobs, spur prosperity, increase diversity, and drive
economic growth across the Nation. Given the nascency of the
cybersecurity profession, it is critical to consider how we can
continue to professionalize cybersecurity to ensure there is a
clear and understandable career path for professionals
interested in joining the field.
The professionalization of other sectors such as finance and
accounting, which spans more than a century, is a model for the
cybersecurity field to follow as we look for ways to set
standards, establish ethical expectations, and increase public
trust in our cybersecurity professionals. Certifications are a
critical part of this work, including ensuring cybersecurity
professionals hold certifications accredited by international
standards bodies. Additionally, the profession will continue to
benefit from on-going professional education, immersive
courses, and other professional development opportunities,
including determining ways to upskill within an organization to
fill outstanding cybersecurity roles.
Thank you for the opportunity to testify before the subcommittee
and provide input on this important topic. ISC2 greatly appreciates
your interest in this issue and your willingness to explore ways the
Federal Government can work together with stakeholders in the
cybersecurity space to address the gaps we are seeing in the
cybersecurity workforce. We look forward to continuing to work with the
subcommittee to find solutions that will benefit cybersecurity
professionals, the organizations they serve, and the public overall.
Mr. Garbarino. Thank you, Ms. Wisniewski.
Colonel Starling, I now recognize you for 5 minutes to
summarize your opening statement.
STATEMENT OF COLONEL CHRIS STARLING, USMC (RET.), EXECUTIVE
DIRECTOR, CALIFORNIA, NPOWER
Mr. Starling. Chairman Garbarino, Ranking Member Swalwell,
distinguished Members of the committee, thank you for having me
here today.
Since 2019, I've had the privilege to lead NPower
California, and since last year, the NPower SkillBridge
program.
NPower is a nonprofit that provides veterans and young
adults from underrepresented communities with tech training,
social support, and full-time job placement assistance. NPower
operates in 9 States and is still growing. We serve over 1,300
unemployed and underemployed students per year Nation-wide. Our
program is free of charge to all who enroll, and they represent
75 percent ethnic minorities, and as of recent, 39 percent
women in our courses.
Tech is a main driver of the U.S. economy, and the tech
sector is still predicted to grow faster than all other
occupations. But people are not entering the field fast enough,
especially in cybersecurity. Cybersecurity demand is outpacing
supply.
Many companies still seek applicants that have college
degrees, but this is changing. Industry-recognized
certifications can qualify people to work in tech and in
cybersecurity. Access to high-growth tech careers is possible
for more people now than it has been in past years, and NPower
has a model that works. How is it done?
First, we recruit those that are hard to find. We seek
people in transition that are passionate about technology and
who are willing to commit themselves to 16 weeks or more of
training.
Second, we understand that some people need help, not just
in the classroom to learn the material, but with life. NPower's
team of social support managers provides wraparound services by
connecting students with local resources to help them solve
everyday problems--things like rent, subsistence,
transportation, interviewing attire, even child care--so that
students can focus on learning and earning certifications.
NPower creates the conditions that enable students to
leverage their own grit and determination. This boot camp model
drives change in both their personal and their professional
lives.
Upon completion of the course, job placement teams from
NPower engage each graduate personally, making introductions,
helping them schedule job interviews, and helping them actually
land a tech job.
Let me address some metrics quickly. Eighty-five percent of
NPower students complete training on time and graduate. Eighty-
eight percent of graduates secure at least one industry-
recognized credential. Eighty-one percent of graduates are
placed into quality employment or enrolled in continuing
education at the 6-month mark and 1-year mark after graduation.
The average wage increase for our tech fundamentals
students is from $9,000 a year pre-program to over $43,000 per
year post-program. That's a 420 percent increase in wages. For
cybersecurity graduates of our program, their post-program wage
average is $63,000 a year in a starting cybersecurity job.
In 2021, the cybersecurity infrastructure support agency,
CISA, awarded NPower a $1 million grant to develop cyber work
force training in order to address the shortage in the
cybersecurity work force. As you know, CISA supports
nontraditional job training and apprenticeship programs. They
recently started to hire people with certificates in lieu of
degrees. I would submit that if it's good enough for CISA, then
it can also work for Federal, State, local, and other
governments.
The NPower program that was funded by CISA is working. In
the current course, our spring 2023 cohort, it's in week 18
with a 92 percent retention rate. That's 18 weeks of pretty
rigorous cyber boot camp with 55 of 60 students set to
graduate.
Our written testimony contains six recommendations, but I'd
like to just touch on two.
First, copying the CISA model is worthwhile. We can train
and place nontraditional talent into open cyber jobs.
Second, capitalizing on the talent pool of military-
connected individuals and families, including transitioning
military service members, is easy. It's natural to retrain
people from defending the Nation to defending the network.
In summary, NPower has a model that's scalable for creating
a diverse cybersecurity work force. We are partnering with
Homeland Security, Department of Labor, and the Department of
Defense. My recommendation is to build on these successes and
continue to press the attack.
I look forward to your questions.
[The prepared statement of Mr. Starling follows:]
Prepared Statement of Chris Starling
June 22, 2023
Chairman Garbarino and Ranking Member Swalwell, distinguished
Members of the committee--thank you for the privilege to appear before
you today on behalf of NPower to discuss growing our national
cybersecurity workforce talent pipeline.
My name is Chris Starling, I am a retired colonel of the U.S.
Marine Corps, where I served for over 26 years. In 2019, I joined
NPower to run our program in the Bay Area.
NPower is the premier technology training organization providing
young adults, veterans, and women of color from underrepresented
communities with free tech training, social and emotional support, and
full-time job placement assistance with many of the Nation's leading
employers. Annually, we serve over 1,300 unemployed and underemployed
students across the country with high-quality tech workforce training
leading to industry certification, with social support, professional
development, and job placement services.
We work at the intersection of poverty alleviation, equity,
workforce diversity, and the tech industry. Our program is delivered
free of charge to men and women earning less than 200 percent of the
Federal poverty level, and they primarily come from racial and
socioeconomic backgrounds underrepresented in the tech industry.
Technology is one of the main drivers of the U.S. economy, and the
demand for talent constantly outpaces the supply of skilled workers.
Experts project tech-sector employment to grow at the fastest rate of
all occupations--and people simply aren't entering the field fast
enough to replace retiring workers. Various factors are driving the
increase, from innovations to natural disasters to the COVID pandemic,
which prompted the whole country to work and deliver services remotely.
In addition to the shortage of skilled talent, there's an enduring
lack of diversity in the IT workforce that has long been recognized as
a systemic national problem. Many tech job seekers today lack college
degrees and therefore are overlooked in the talent sourcing of many
companies. NPower meets learners where they are and offers them
industry-recognized certifications and certificates to demonstrate
their skill over pedigree.
At NPower, we believe access to high-growth careers is possible for
anyone, no matter where you start. We believe this is our key to
creating a world where equity is possible. We blend best-in-class and
trauma-informed tech training and personal support, to constantly
innovate new ways to foster talent. A specialized team of Social
Support Managers provide 360-degree support services by connecting our
students with city and social service agencies for all their social and
emotional needs.
With our approach, we're building a new kind of pipeline to tech
careers. Our students don't come from traditional backgrounds and many
of them come to us at a pivotal moment of transition in their lives. We
don't see that as a hindrance: we recognize their worth as powerful
assets in their local communities. With our comprehensive support, they
can leverage their own internal hunger, grit, and determination to
drive change in their personal and professional lives.
npower's key workforce performance metrics
NPower has trained 560 individuals from under-resourced communities
in cybersecurity since 2015.
NPower evaluates impact based on program completion, attainment of
industry credentials, and placement in quality jobs or continuing
education. Our Key Performance Metrics map directly to the Workforce
Innovation and Opportunity Act (WIOA) performance metrics used by most
workforce development programs. Below are our impact metrics for our
cybersecurity program:
85 percent of enrolled students complete training on time
and graduate
88 percent of graduates secure at least one industry-
recognized credential
81 percent of graduates are placed in quality employment or
enrolled in continuing education at 6 months and 1 year after
graduation.
We track Measurable Skills Gains through demonstrated mastery of
key competencies in hands-on labs and assignments, tracked through our
custom Learning Management System.
We also track income growth pre- and post-program. Consistently, at
their first job post-program, NPower graduates achieve an immediate and
dramatic salary increase that meets or exceeds the MIT Living Wage for
their region. On average NPower graduates saw an average increase of
roughly 420 percent, rising from an average pre-program income of
$9,374 to an average post-program salary of $43,260. For our
cybersecurity graduates their post-program wage average is $63,372!
Their wages continue to grow as they gain experience, and the positions
for which we train are designated by the U.S. Department of Labor as
``Launchpad Occupations'' with higher-than-average salary growth. Our
team continues to reach out to alumni periodically after the initial
job placement to support and track job retention, promotions, raises,
and overall career trajectory.
cybersecurity and infrastructure security agency (cisa) npower grant
In 2021, CISA awarded NPower a $1 million grant for the development
of cyber workforce training. The partnership focuses on the development
of a scalable and repeatable proof of concept to identify and train
talented individuals around the country and help address the staggering
cybersecurity workforce shortage facing our Nation, while also meeting
the dynamic needs of the cybersecurity workplace. CISA supports non-
traditional job training and apprenticeship programs like NPower and
acknowledges that more readied talent could lead Federal Government,
State, local, Tribal, and territorial entities, as well as private-
sector employers to address current and future cyber workforce needs.
The program has been successful thus far:
Fall 2021
91 percent job placement
Spring 2022
100 percent retention
100 percent certification
72 percent job placement
Fall 2022 (mixed TF & Cyber)
100 percent retention
82 percent certification
77 percent placement
Spring 2023: Week 16
100 percent retention
50 percent certification
Certification is in progress
policy recommendations
We would like to offer to the committee the following policy
recommendations as you seek to address the cybersecurity workforce
shortages:
1. Establish a permanent program that includes the core principles
of the pilot program on which CISA is currently collaborating
with NPower. Expanding the pool of cyber talent requires
sustainable and adequate funding.
Core Principles of the Program are:
Partner with nonprofits and Government agencies to upskill
men and women from underserved communities;
Invest in credential-focused short-duration cybersecurity
workforce training programs that enable them to earn while
learning;
Provide professional and soft skills development training
alongside technical skills training;
Provide wraparound social support to ensure basic needs
for housing, food, and child care, eliminating the barriers
to success;
Provide job placement support and ensure they gain crucial
paid work experience;
Engage and incentivize employers to shift hiring practices
to focus more on skills-based hiring, nontraditional
talent, and apprenticeships;
Create direct talent pipelines from training programs to
employers;
Support long-term career pathways with plenty of training
on-ramps and off-ramps, recognizing it may take individual
workers years of entry-level tech training, alternating
with work, and continuing education to attain a
journeyman's level of cybersecurity expertise.
2. Invest in Platforms for On-Demand Help Desk support for
individuals, nonprofits, and small businesses. NPower is
spearheading a national network of Community Help Desks that
provide free technical assistance and digital navigation to
local underserved communities, staffed by graduates of our tech
workforce training programs gaining vital work experience as
Registered Apprentices. NPower's programs are aligned to
national standards for U.S. Dept. of Labor Registered
Apprenticeship Programs.
Community Help Desks provide critical human support to
help people on the wrong side of the Digital Divide take
advantage of on-line job, health, and education resources,
while offering trainees the opportunity to build their
resume through a paid apprenticeship.
The Community Help Desk will serve as an especially vital
resource to local underserved seniors, public school
families, adult learners, and job seekers. The model
capitalizes on partnerships with community-based
organizations, and can provide a central hub for affordable
connectivity and device distribution.
3. Modernize and reform Federal workforce hiring practices to adopt
skill-based hiring practices and the Registered Apprenticeship
model for technical roles. This allows the Federal Government
to compete for a talented and diverse workforce pool that
prioritizes skills and a candidate's ability to do the job, and
leads by example in equity-focused workforce development.
4. Establish a grant program within the Department of Labor to
support the creation, implementation, and the expansion of
registered apprenticeships in Cybersecurity and Information
Technology, modelled on high-growth State apprenticeship
programs such as California, Texas, and Michigan. Specifically,
the Secretary of Labor should provide grants, on a competitive
basis, to support the establishment, implementation, and
expansion of registered apprenticeship programs in
cybersecurity and technology.
5. Integrate relevant State and Federal policy issues into
cybersecurity workforce training programs. A growing contingent
of cybersecurity job openings require both technical and legal
knowledge to guide companies on issues of privacy and security.
6. Capitalize on the promising talent pool of military-connected
individuals and families, including transitioning Military
Service members, Veterans, Reservists, National Guard, and
their often-overlooked spouses. Department of Defense
statistics show 80 percent of military personnel leave service
without another job in place. The protective nature of military service
leaves them well-suited for a cybersecurity career, and many
already carry higher-level security clearances from their
military years. They are a diverse group, with a majority who
come from racially and socioeconomically marginalized
populations. Military-connected individuals offer an especially
promising talent pool from which to grow a strong, diverse
cybersecurity workforce.
conclusion
To address our cybersecurity workforce, we must find innovative
ways to grow our workforce talent pool. For us, a key component has
been embedding cybersecurity skills, concepts, and competencies
throughout our expanded learning pathways. In addition, we seek to
provide security awareness support services and troubleshooting to
underrepresented communities as part of our national community help
desk.
We believe the key to unpacking this unlimited potential and talent
comes from building training and support programs to command a shift by
partnering with Government, industry, and employer partners in
recruiting, hiring, assessing skills and competencies, and supporting
people into cyber tech careers from various learning pathways.
Thank you for the opportunity to appear before you today and I look
forward to taking your questions.
Mr. Garbarino. Thank you, Colonel.
Members will be recognized by order of seniority for their
5 minutes of questioning. An additional round of questioning
may be called after all Members have been recognized.
I now recognize the Chairman of the Subcommittee on
Transportation and Maritime Security, my friend from Florida,
Carlos Gimenez.
Mr. Gimenez. Thank you, Mr. Chairman. I appreciate it.
I'm intrigued by what you said, Colonel, about not needing
a college degree. So I believe that--somehow in this country,
if you don't have a college degree, you are somehow
stigmatized; that somehow you may not be as smart as somebody
who has a college degree.
As someone who didn't get a college degree until I was
about 46 years old, I guess I must have been pretty dumb until
then, OK. But somehow it didn't hold me back. You know, I'm
here in Congress for some reason. I must be lucky.
You said--how long does it take, let's say, for a--you said
16 weeks of training. In 16 weeks of training, you can get
somebody up and running to be--to get into the cybersecurity
space. Is that correct?
Mr. Starling. We have two courses. The first is tech
fundamentals. That's 16 weeks. Our advanced course in cyber is
18 weeks after that. We like to take people that have zero
experience to get them into a help desk or a junior systems
admin role first. You can't take a soldier from boot camp and
make him a Special Forces----
Mr. Gimenez. So 16 and 18----
Mr. Starling. So 16 for tech fundamentals and 18 weeks
for----
Mr. Gimenez. Even for noncollege graduates, 34? 34 weeks?
Mr. Starling. That's right.
Mr. Gimenez. Thirty-four weeks versus 4 years.
What's the starting pay?
Mr. Starling. We are starting people from cybersecurity at
about $63,000. For the tech fundamentals role, national average
is about $43-. Out in California, I get them about $50- to $55-
starting salary.
Mr. Gimenez. What's their career path? How much could
they--what's their earning potential?
Mr. Starling. I've got people making over $100,000 a year
after 3 years. You've got to go in and do the work.
Mr. Gimenez. How much does it cost for the course?
Mr. Starling. It costs about $7,000, $7,500 per person to
get a person through the course.
Mr. Gimenez. Sixteen or 34--the whole 34?
Mr. Starling. That's the--that's either course. The 16
weeks or the 18-week course. We're mainly paying for
instructors and we're paying for certifications.
Mr. Gimenez. You said it was 16 and 18, or is it 16 or 18?
Mr. Starling. Sixteen for tech fundamentals, 18 for the
cybersecurity----
Mr. Gimenez. That's on top of the 16?
Mr. Starling. That's on top of the 16 weeks. Right.
Mr. Gimenez. OK. So 7 and 7, $14,000?
Mr. Starling. Yes.
Mr. Gimenez. Versus $500,000 to go to college, and then
paying back, you know, $500,000 for the rest of your career,
and you end up probably getting the same job. Would that be
accurate or not?
Mr. Starling. That's definitely true.
Mr. Gimenez. OK. Sounds like a good deal to me. I think we
need to start, you know, letting people know about this.
The other thing that I'm thinking about is artificial
intelligence. It seems to me that artificial intelligence could
go a long way in providing cybersecurity. I don't know who can
answer this. Am I right or am I wrong on that?
Ms. Wisniewski. I'm happy to take that question.
Mr. Gimenez. Sure.
Ms. Wisniewski. We believe that it's going to change the
cyber work force. It's not going to eliminate the cyber work
force. If anything, it probably will create even more
opportunities.
I know that there's been quite a bit of media coverage,
especially lately, ChatGPT. Our position is that it is another
emerging technology, and one that needs to be managed but also
embraced, and that it actually is not a threat to the cyber
work force. If anything, it's just going to--the problem is
going to get worse, not better.
Mr. Gimenez. I can see that, because you can use IA to
defend yourself and you can use IA to attack somebody. So it's
going to be a battle of IAs, and people are going to have to, I
guess, monitor the battle?
Ms. Wisniewski. Yes. Absolutely. Monitor and manage.
Mr. Gimenez. Monitor and manage the battle. Then whoever
has the brightest IA is going to win at the end?
Ms. Wisniewski. Potentially. I think that there's still a
lot of unknowns about the technology, and that's, I think,
driving quite a bit of the media storm right now. But it is
still a really important technology. Then, of course, there's
quantum coming right behind it.
Mr. Gimenez. Yes. Look, we had discussions with some people
that--some folks that were working in that space, and I asked
them the question of where AI was. You know, where is
artificial intelligence? If you're 21 years old, and that means
that you're a really bright person--I mean, you're now mature
and all that--where is AI?
They refused to answer the question as far as what the age
was. They did tell me, though, that it was in the third inning.
So it's one-third of the way there. It's pretty amazing what it
can do right now. So when it finally gets fully developed, it's
going to be something.
So thank you for the testimony. Now, I think we need to see
if we can push, you know, high school kids, our veterans, et
cetera, to go into this field without having to go deeply in
debt and make a really good career. So thank you, and I
appreciate the testimony.
I yield back.
Mr. Garbarino. The gentleman yields back.
I now recognize Mr. Menendez from New Jersey for 5 minutes
of questioning.
Mr. Menendez. Thank you, Mr. Chairman, Mr. Ranking Member,
for convening today's meeting.
To all our witnesses, thank you for coming.
Colonel Starling, as you explained in your testimony,
NPower received a $1 million grant from CISA as part of a pilot
program to support nontraditional cybersecurity training to
reach underrepresented groups. From the statistics you shared
today, it appears you have achieved significant success in
retaining students, helping them achieve cybersecurity
certifications, and placing them in cybersecurity jobs.
This is a pilot program. How do you think this program can
be scaled up to reach a larger number of individuals?
Mr. Starling. We're actually scaling it already. Just to
clarify, our program----
Mr. Menendez. How so?
Mr. Starling. So, first of all, we've got our advanced
program--it's a Nation-wide program. So we're in 9 States right
now. But the best students of those rise up and take either a
cloud or a cyber course.
I recently launched, last year, NPower SkillBridge. What
I'm able to do--I'm a DOD partner. I'm allowed to go on
military bases, recruit people within their last 6 months of
active-duty service. With command approval, they come to my
cybersecurity class, and I can ramp them up in 10 weeks' time
during their last 3 to 6 months on active duty. Full-time
class, I can ramp them up to get CompTIA Security Plus, with
the option of getting also Linux Plus. Those are your two key
certifications for cyber. From then on, you can--you know, you
can add to that.
But we're already growing this program, and we're going to
have more instructors and more cyber courses available. We are
a nonprofit, so the training is free to all those who come to
our class. But I got to go out and raise the money as a
nonprofiteer. That's my hard job. I get some grants from the
State of California. I get some grants from different
corporations. So it really is a private--public-private venture
to solve this problem.
Mr. Menendez. Sure. So scalability would be a matter of
resources?
Mr. Starling. That's right.
Mr. Menendez. The program itself is working, right?
Mr. Starling. That's correct.
Mr. Menendez. OK. I appreciate that.
Ms. Dortch, a report last year estimated that over 30
percent of the Federal Government's cyber work force is over
the age of 55. In your testimony, you explained how SAP has
managed to have 60 percent of its cybersecurity work force be
millennials or Gen Z.
From your perspective, what are the keys to recruiting a
younger work force? How can the Federal Government learn from
the private sector to bring in young cyber workers so we're
prepared with the cyber work force of the future?
Ms. Dortch. Thank you for the question. I think this is--
there's two elements to this. For SAP, DEI or diversity,
equity, and inclusion, is a part of our DNA. So we have to be
intentional about the goals we're setting, being public about
it, setting them, holding ourselves accountable, and being
transparent about where we are. So we do that, and definitely
publicize where we're going in terms of our talent globally and
committing to making sure that everybody has an equal
opportunity to develop, engage, and grow in the cyber space.
We do believe our Early Talent Program really helps in
terms of engaging young talent. It's a very quick program. We
actually have a cohort starting in July. Literally probably
within 90 days, these kids will have access to our Newtown
Square facility in Pennsylvania. They'll do rotational
programs.
I think one thing I will add--and you'll hear me use the
word ``flexibility.'' These kids need flexibility. You can't
sit them and say, you're just going to be a cyber defense
analyst, and that's it. This rotational program is key to
allowing them to see the different areas, specialties, roles
that they can look at.
Not only in America, but we also allow them to go abroad to
our global headquarters in Walldorf, Germany, to look at what
the opportunities are there, but also look at how we can work
internationally. Cyber is an international--it's a global
problem, and we have to work with our allies to address these
issues.
So for us, it's a global partnership with our allies and
making sure that we're doing this on a global scale to educate
folks that this is not just a U.S. issue; this is a global
issue. Again, making sure that young talent has the flexibility
to figure out what their interests are and what skill sets
align, so then when they get the full-time role that we offer
them, they know where they will fit best and can engage there.
Mr. Menendez. Yes. I appreciate that from SAP. We want to
keep the talent here. But it seems the flexibility within
this--not just acknowledging the cybersecurity as this growing
industry, but within it, it provides a variety of
opportunities.
Building the next generation of cyber talent will require
us to educate about cybersecurity at a young age. With the
CETAP program, CISA is taking important steps in helping to
develop curriculum and provide training to K-12 teachers.
Ms. Wisniewski, as you have deployed your new entry-level
CC certification, to what extent have you seen recent high
school graduates demonstrate an interest in the program, and to
what extent do they have the existing skills to obtain the
certification?
Ms. Wisniewski. Thank you for the question. We believe that
actually for the entry-level--so similar to Colonel Starling--
that there is not a need for a 4-year degree, right. So these
students can go right into--you know, they've got the early
credential, and they're ready. However, that does not mean that
the private sector doesn't have to continue to invest in them.
That's, I think, a really important point.
There's a lot of work to be done around--for hiring
managers to understand what actually are the right credentials
for the right job. So we often see our CISSP, which is a
globally de facto standard, we--it requires 5 years' experience,
endorsement, et cetera. We often see that on an entry-level job
description. That doesn't match. So we have a lot of work to
do.
So it's not only about getting more people in, but there's
a lot of work to bring the private sector to the table as well.
Mr. Menendez. For sure. I appreciate that answer.
I yield back. Thank you.
Mr. Garbarino. The gentleman yields back.
I now recognize Mr. Ezell from Mississippi for 5 minutes of
questioning.
Mr. Ezell. Thank you, Mr. Chairman.
Colonel, I was very interested in what you were telling us.
I think that's something that we need to work hard, because
everybody understands the threat that is coming at us right now
on a daily basis. We had a roundtable this morning discussing
some of these things. So I want to thank each and every one of
you for your hard work.
I too was 37 years old before I got my degree. When I got
out of high school, I went straight to work. As I progressed in
my career, I realized the importance of getting a college
degree and what it meant to me and to where we are today.
But, you know, one of the things that I would like to ask
you a little bit about is on your recruiting. Is this a Nation-
wide recruiting? You know, tell me about your recruiting and
who you're reaching out to and how you're reaching out to them.
Mr. Starling. Yes, sir. So right now, we are located in 9
different States, and our recruiting is focused toward those
communities that we're in, such as Baltimore; San Jose,
California; Detroit, Michigan. We're recruiting there.
Now, we can--when we go to the next level--that's tech
fundamentals. When we go to the next level, we recruit Nation-
wide. The training is instructor-led and on-line. So they're
accountable. We try to actually get people together physically
from time to time for either the professional development or
something that requires hands-on training.
So the SkillBridge program that I run for Department of
Defense--with the Department of Defense is Nation-wide. I've
got people in Korea, in Germany. They're signed up for the
class, they log in, it's instructor-led, and they've got to
keep pace with the curriculum. So right now, this has the
ability to scale Nation-wide very easily.
Mr. Ezell. What about rural Mississippi? As if you can
tell----
Mr. Starling. Sir, we can definitely discuss that. We'd
love to be down--I'd like to be in all 50 States.
Mr. Ezell. OK. Well, I would like to help you get there. We
have a diverse work force in Mississippi. We have some of the
largest industry out there.
One of the things that I was thinking about was, in my
State of Mississippi, we have--if you look across the Nation,
you know, our work force is retiring. Our police officers are
retiring. In the State of Mississippi, you can work 25 years as
a police officer or a teacher or somebody that works for the
State and who is very still capable of entering this work force
and would be an asset.
You know, I know we want to get our young kids out there
but, you know, old guys can--you know, we can still work too.
So, you know, I would really like to see the focus to target
some of these people who are retiring from State jobs who are
still in their 40's that could give you 20 years of work who
are educated in the world of getting up and going to work every
day.
So I would really like to work with you--and each of you--
to help get this going, because we know the threat is out
there. We know that we've all talked about the shortage of the
work force, the challenges that you have. I really think that
we could come together on this, as everybody could, to get this
done.
So would any of you like to just add a few words to some of
the things we're talking about?
Ms. Dortch. Thank you, Congressman. I will add, I think,
you know, we talked about our commitment to creating an early
talent pipeline. But we also, with our Government Security and
Secrecy team, it's very clear that we need professional--
seasoned professionals, especially in the national security
space.
As my opening statement mentioned, I mean, we have folks
that have been in that sector for 30 years that we attract to
SAP and find value. I think part of this is making sure that
they stay connected to the missions that they previously were
in. But there is the challenge of making sure that we--when we
on-board folks, that we also make sure that they continue to
develop and grow within our ecosystem, and that's something
we're committed to at SAP. I would be happy to follow up with
you on other ways we can look at upscaling and rescaling folks
into cybersecurity roles.
Mr. Ezell. Thank you very much.
Colonel, or anybody else would like to say anything?
Mr. Markow. If I may, I'd love to add to what you were
saying about the need to reskill existing workers and find new
opportunities to bring seasoned workers into the field.
Mathematically, it's an absolute necessity for us to do
that if we're going to close the talent gap. Even if we
magically assumed that every single computer and information
science graduate at any degree level went into cybersecurity,
we would still need at least 200,000 additional people. So
we're going to have to find ways to redeploy and reskill
existing workers if we're going to close that talent gap within
any human time scale.
So being able to give clear guidance, both to individuals,
but also to their employers about how to reskill those people
and how to find the right pools of workers who can most readily
and rapidly be redeployed into cybersecurity is one of the most
important things we can do to help grow the cyber work force,
leveraging existing workers. Lightcast is also more than happy
to work with you to try to make that a reality.
Mr. Ezell. Thank you very much.
Mr. Chairman, I yield back.
Mr. Garbarino. The gentleman yields back.
I now recognize the Ranking Member, Mr. Swalwell, for 5
minutes for any questions.
Mr. Swalwell. Great. Thank you.
Colonel Starling, first, I just want to thank you for your
three combat tours that you did for our country in the Marines.
If that's all you did to serve our country, that would be
enough. But here you are working to get veterans placed into
jobs. I really appreciate that.
With respect to NPower--and you went through with my
colleague, Mr. Gimenez, what the cost structure is. Are those
students--are they eligible for financial aid?
Mr. Starling. Yes. Most of them are. We look for young--so
we have veterans and young adults. Veterans and veteran spouses
can be any age, any place. The young adults, we're looking for
18- to 26-year-olds and 200 percent of the poverty line or
lower, right. So that's mainly the socioeconomic group. Now, we
might make an exception here or there if somebody's close, but
that's what we're really looking for, to pull them out of a
situation of poverty.
Mixing veterans with young adults--about 50/50 in the
class--is a great thing. The veterans are about 8 to 10 years
older. They have some life experience. I tell them, I need your
post-traumatic strength. You might have worked in a combat
zone. These young people still live in one in some cases. So
veterans and young adults is an amazing thing, and that's what
makes me happy to get up and work every morning.
Mr. Swalwell. Is that financial aid through FAFSA, like
public financial aid, or is it private aid that they have to----
Mr. Starling. Some of them would be eligible for that, but
we don't take any money. Our program is 100 percent free.
Especially for veterans, I tell them, your GI Bill is gold. You
save that for college when you're ready to go. But some of them
need a job now to feed their family. So getting through a 16-
week boot camp and then working at a place--we've got people at
the San Francisco Giants, at Lawrence Berkeley Lab, some good
jobs.
Mr. Swalwell. Hey, they're in second place right now, by
the way, and climbing.
According to the survey last year--it's true. It is true.
It's true.
According to a survey last year by ISACA, 60 percent of
cybersecurity professionals reported difficulties retaining
cyber talent, and this is at a time that we have a tremendous
shortage in the cybersecurity work force. Keeping existing
workers in the field must be a part of that equation, of
course.
Mr. Markow, to what extent does your data show a problem
with employee retention in the cyber work force, and are there
challenges limited to employees moving between jobs, or is
there a problem with workers leaving the cyber work force
entirely?
Mr. Markow. Thank you for the question. Our data definitely
do show that there are retention problems within the
cybersecurity work force. Consistently, cybersecurity workers
leave more frequently than many other roles, even within
information technology, which is already rife with many hiring
challenges, due to talent shortages. I think that there are also
some unique challenges that are arising from the way that
employers are hiring for cybersecurity workers in the first
place.
I think we've already talked about it some today, but many
employers are effectively cutting out the entry-level rung into
cybersecurity and saying you must have a bachelor's or master's
degree. They're saying you must have at least 3 to 5 years of
prior work experience. I usually liken that to hiring
mercenaries. You're looking for somebody who already has the
skills you're looking for--that you think you need to perform
the job. But in many cases, those are the people who everybody
else is looking for. It just becomes a game of poaching from
one employer and poaching from another for a very small pool of
workers that have this mythical set of unicorn skills.
The companies that we actually see with the best retention
rates are the ones that are taking more of a skills-based
approach to hiring as opposed to a credential-based approach to
hiring. So if we look at companies that are hiring workers with
less than a bachelor's degree, they have better retention
rates. If we look at companies that are hiring a more diverse
work force, they have better retention rates.
So one of the things that we try to educate employers on is
to not cut out that entry-level rung of opportunity and to make
sure that your talent pipeline has as wide an aperture as
possible so that you're bringing in more diverse candidates, so
that you're bringing in the workers who don't have a bachelor's
degree. As a matter of fact, you're actually seeing better
outcomes as a result.
So I think that being able to communicate that to employers
and speaking in their language, saying, you will see the return
on your investment by making some of these changes and taking a
skills-based approach to hiring, can go a long way toward
solving some of those retention challenges.
Mr. Swalwell. Ms. Dortch, briefly, what are you doing to
increase retention?
Ms. Dortch. Just to add on, I think part of this is, again,
flexibility. We're also looking at making sure fair pay and
compensation--making sure we're competitive there.
Mental health is something we talk about, burnout, and
making sure that that's prioritized. We're always pulsing our
employees every quarter to see how they are feeling and what we
need to do to make adjustments with our work conditions.
Then also a big piece for us is cyber professionals at SAP
can take part in our global technology fellowship. So if they
want to explore other options, they certainly can. We encourage
them to do so.
Mr. Swalwell. Thank you.
I yield back.
Mr. Garbarino. Thank you. The gentleman yields back.
I now recognize Ms. Lee from Florida for 5 minutes of
questions.
Ms. Lee. Thank you, Mr. Chairman.
Thank you all for being here today. This has been such an
illuminating and important conversation for us to have.
So I represent Florida's 15th Congressional District, and
it is home to the University of South Florida, which has been
working hard to ensure that we have the cyber talent, that
we're developing young people to come in and work in these
industries.
The Florida Center for Cybersecurity at USF serves as a
resource for us to enhance our cybersecurity education,
facilitate research, conduct outreach initiatives in the
community, and there are two particular education initiatives
there that I want to mention.
One is designed to address the work force shortage and
build our pipeline. CyberWorks, which provides a 19-week
curriculum to first responders, veterans, and other qualified
participants to prepare for industry-recognized certifications
and career opportunities.
The second, Operation K-12, offers cybersecurity career
prep and certification courses for high school students,
professional development for teachers, lesson plans, and summer
camps for elementary, middle, and high school students. They're
both designed to expand the talent pipeline so that we can meet
the roughly 34,000 cybersecurity job vacancies that we have in
Florida right now.
So, you know, I've been so interested to hear the
innovative ways that each of you are describing developing that
work force above and beyond the 4-year college degree.
I want to start with you, Mr. Markow. Would you talk about
the--go back to the value and utility of certifications,
specialized certifications, and training. Obviously, we love
our university graduates as well, but how those certifications
and training can help build our work force. Are there certain
types of certifications that stand out to you as being the most
useful or constructive in addressing our current work force
shortage?
Mr. Markow. Thank you for the question. When it comes to
certifications, I think that they are most effective when they
are an effective proxy for proficiency in the skills that
employers most value.
So we see that the certifications that really communicate
that to employers are the ones that are aligned with the--both
foundational skills that are most needed within a field, but
also some of the high-growth, high-value skills that employers
value the most as well, or they at least communicate to
employers that this worker has built the foundational knowledge
to rapidly learn those new skills.
We also see that there are different roles that
certifications can play at different levels of somebody's
career. So there are some entry-level certifications, such as
Security Plus and a number of others, that are very effective
at helping to open the door for many workers to enter into
cybersecurity. But we also see that there are many more
advanced-level certifications, such as CISSP, that are very
good at communicating to employers that somebody is an expert
in the field.
Now, the challenge that we also see, though, is we need to
educate employers to be responsible recruiters of these
certifications.
Ms. Lee. That's perfect. You actually just anticipated my
next question, which is, do you feel like this message is
getting to employers? Do you feel like they are recognizing the
value of these certifications? What are you doing--or what can
we do to try to help ensure that employers too are recruiting
effectively to find this talent?
Mr. Markow. It's a great question. I think that what we
really need to do is to communicate to employers the role that
each of these certifications plays and the skills that each of
these certifications actually serve as an effective proxy for.
This was mentioned earlier that often CISSP is requested in
entry-level openings. That's actually not just a rare anecdote.
We've actually seen about 20 percent of job openings calling
for a CISSP. They also ask for fewer than 2 years of work
experience.
So I think that to really educate employers on the skills
and the level that each of these certifications are effective
proxies for is one of the most important things we can do to
make sure that employers are responsible recruiters of
cybersecurity certifications.
Ms. Lee. Is there anything more that you perceive that we
as Congress could be doing to help either foster the
development of this talent pool or help get qualified people
into the right placements?
Mr. Markow. So I think that one of the most important
things that Congress or the Federal Government more generally
could do is to really help to educate employers through clear
standards around skills-based hiring and around the types of
practices--the hiring best practices--that they should be
taking.
I know we've talked a lot about what the supply-side,
educators can do, and I think that there are many fantastic
initiatives already under way on that side that can be built
upon. But I also think that less has been done to educate
employers on how to be responsible recruiters and how to take a
skills-based approach to growing their cyber talent pipeline
and to give them the tools that they need and the standards
that they need to know how to do that within their
organizations.
Ms. Lee. OK. Thank you very much.
Mr. Chairman, I yield back.
Mr. Garbarino. The gentlelady yields back.
I now recognize myself for 5 minutes of questioning.
Ms. Dortch, we've heard about the many things that SAP is
doing, and I've heard from other industry leaders of all the
great things that the private sector is doing to address cyber
work force challenges. Do you think these efforts should be
coordinated?
Ms. Dortch. We absolutely feel that these should be
coordinated.
If you look at what the European Union is doing right now
with the establishment of their cybersecurity academy, they are
really centralizing a lot of their efforts across the E.U.
member states to build it on a platform, but also making sure
that there's funding available. So finding the credentials,
providing training for folks who are raising their hands to get
trained, but also the jobs. They want to make sure that people
know where the job opportunities are.
So it's really about making sure that we have a centralized
place for training. If I really just type in a search engine,
how do I get into cybersecurity, it should take me to a search
engine to find something that's affordable that I can get into.
Then once I'm done, I should be able to find a centralized job
database, whether it's USAJobs or another place, to find the
job that matches my skill sets based off the certification
program.
But I do think the United States has the opportunity to do
that. We're starting to see that with CyberSeek. I think we can
do a lot more. But I do think the Europeans are getting a
little bit ahead and playing a more strategic game, and I think
the United States can definitely get there if we can put more
concerted effort around centralizing these resources, making it
easier for Americans to get upskilled or reskilled into
cybersecurity roles.
Mr. Garbarino. My next question was going to be, should the
Federal Government be doing anything, because sometimes we
shouldn't. We should let you all do your thing. But it sounds
like, you know, funding, training, platforms similar to what
the European Union's doing might be the best way to handle,
from just what--from what you just said.
Ms. Dortch. Definitely that. Then we would urge Congress to
support the JOBS Act, which provides short-term Pell grants for
programs, boot camps that are cybersecurity-focused that,
again, if there's 8- to 12-week programs for, you know,
critically-needed roles, we do think that that might be an
option. Understanding we need to make sure that, you know,
there's accountability, that there are actual matriculation
into jobs is really important with that. We do think that that
might be a tactic that Congress should look into, the JOBS Act.
Mr. Garbarino. Thank you. It's very big, that JOBS Act. So
I'd like to focus on the Pell grant section.
Mr. Markow, work force shortages are persistent across all
16 critical infrastructure sectors. CyberSeek is able to
procure job opening data across all those sectors, allowing
potential job seekers to get an industry-specific preview of
what their market looks like.
In your view, what industries in the private sectors have
taken effective steps and proactively addressed their cyber
work force shortage?
Mr. Markow. It's a good question, and I think that I will
say there are employers across all sectors that have taken some
very proactive steps.
If I were to try and generalize across different sectors, I
would say that the financial services sector has been a leader
in many cases. I think that out of necessity, due to the
sensitivity of the data and the information that they have,
many organizations in financial services have been very
proactive in trying to build their cybersecurity work forces
and to really work collaboratively with educators, policy
makers, and others.
We've also seen some very effective examples across even
retail, information, and some energy companies as well, who are
very focused on building a pipeline of talent that they can
manage in the same way that they would manage any of their
supply chains. They're taking ownership over developing their
own cybersecurity talent, working collaboratively with, again,
educators, policy makers, nonprofits, and other stakeholders in
their communities.
So, again, there are very good examples across a number of
different sectors, but I think that's--those are some of the
industries that we've seen some of the more proactive
approaches.
Mr. Garbarino. I appreciate that. In your testimony you
mentioned public-private partnerships as potential incentives
to push individuals, educators, employers, and other
stakeholders to help strengthen the cybersecurity talent
pipeline. Many States have experimented with programs to
improve these outcomes as well.
Are there any potential programs that have proven to be
significantly effective at recruiting and retaining cyber work
force, and what programs at the State level could serve as a
bellwether for future programs?
Mr. Markow. It's a great question. I think transparently a
lot of these programs are still relatively new. So there--they
might also still be in the third inning. So we're still looking
for more outcomes data.
That said, there have been some initial promising results
from things like TechCred in Ohio. Not sure if you're familiar
with that, but it is a program that--in which Ohio employers
are able to receive some funding and tax credits to support
training their existing workers in industry-recognized
credentials.
So this enables them to more readily upskill and reskill
their existing work force and to solve that problem of how do
we bring in fresh blood as rapidly as possible. It's by
investing in your existing work force. So that's one program
that has shown some promise.
This is actually not a State program. It's actually
something DHS has done as well is to pilot some talent-sharing
programs with employers, private employers. I think that can be
potentially an effective way to solve the chicken-and-egg
problem of how do you build more experienced workers when
employers primarily only want to hire somebody who already has
experience?
So if CISA can help to reduce some of the friction for
training the entry-level workers and giving them on-the-job
opportunities either in DHS or in the private sector, then that
can both help to solve that chicken-and-egg problem of how do
you bring fresh blood into the industry and how do you make
employers more incentivized to hire entry-level workers.
But it also helps to facilitate sharing of skills and
cross-pollination between both the public and private sector,
which can have benefits to the actual productivity of your
workers and the security of our digital infrastructure, both in
the public and private sector.
Mr. Garbarino. Thank you. My time has expired.
I now recognize the gentlelady from New York, the former
Chairwoman of this committee, Ms. Clarke.
Ms. Clarke. Good morning. Let me start by first thanking
Chairman Garbarino and Ranking Member Swalwell for allowing me
to waive onto the subcommittee for this important hearing on
growing our Nation's cybersecurity talent pipeline.
Thank you to our panel of esteemed witnesses for joining us
today.
One of my most persistent chall--one of the most persistent
challenges we face today in strengthening our Nation's
cybersecurity posture has been the on-going shortage of trained
cybersecurity professionals. Addressing this shortfall has been
a priority of mine as Chairwoman of the Cybersecurity
subcommittee last Congress, and I'm heartened to see that it
remains a priority for this committee in the 118th.
I'm also proud to say that, while we still have a ways to
go, over the past 2.5 years, Congress and the Biden
administration have taken important steps to increase
investment in our cyber work force and do so in an inclusive
way. For instance, the National Cyber Director is currently
working to develop a cybersecurity work force strategy so that
we can ensure agencies across the Federal Government are
coordinating their efforts to address this challenge.
I've been pleased by the administration's engagement with
industry and academia in developing this strategy. I look
forward to seeing how Congress and my--and this subcommittee
can help further support these efforts in the coming months.
While this new strategy will be essential to ensuring our
cyber work force efforts have clear goals without inefficient
redundancies, Congress and the administration are already
working to implement important programs that will make sure
there's a difference in building a larger and more diverse
cyber work force.
I am pleased to see that NPower, a national nonprofit based
in Brooklyn, New York, that is dedicated to supporting the
digital careers of veterans and young people from underserved
communities, is represented on the panel today. I look forward
to seeing the long-term fruits of this program and learning how
we can further scale up to train more women and people of color
for cybersecurity careers.
In the CHIPS and Science Act enacted last year, Congress
established the Dr. David Satcher Cybersecurity Education Grant
Program, based on legislation that I cosponsored. This program
authorizes NIST to provide grants to support cybersecurity
training in Historically Black Colleges and Universities and
other Minority-Serving Institutions.
If we're going to meaningfully address the lack of
diversity in the cyber work force, we must ensure that HBCUs
and MSIs have the capacity to provide high-quality
cybersecurity training to their students and ensuring this
grant program has the funding to be effective and must be
prioritized.
So my first question is for Ms. Dortch and Ms. Wisniewski.
In your organizations' partnerships with HBCUs and MSIs, what
are the benefits you've seen from developing the next
generation of cyber professionals at these institutions, and
how important do you see building cybersecurity education
capacity at HBCUs and MSIs?
Ms. Wisniewski. Thank you, Ms. Clarke, for the question. We
actually have had an incredible reception at HBCUs in terms of
really embracing this topic, and we're pleased. Actually, we
were just invited by the board of the United Negro College Fund
to actually attend a conference in Atlanta this summer to kind-
of really dig in, right.
I think that it's really important that the HBCUs in
particular take a leadership role here because the reality is,
on the academic front, cyber is actually a very young academic
discipline. So there's an opportunity for leadership, and I
think it's totally appropriate at HBCUs.
One of the things we've also learned recently and--is that
security in general at HBCUs is an important thing for people
to think about. So cyber--having a robust cyber profile in an
HBCU is not only important for the students, that they're
pushing through a certain program, but also just for the
university as well.
So we think that there's incredible opportunity. We also
think that with that--we can't do this without HBCUs and MSIs.
I mean, it's just absolutely critical.
Ms. Dortch. I'll just quickly add, for SAP, our University
Alliances program, which is 25 years old, we really value our
partnerships with MSIs and historically Black universities.
We established what's called SAP Project Propel at certain
HBCUs to make sure that kids have exposure to organizations
like SAP. We can get them micro-credentials that may not be
cyber-specific but get them exposure and ready to see
opportunities in the cybersecurity space.
I also want to commend the National Science Foundation for
taking the opportunity to study the success rates that are
happening for African Americans in the STEM pipeline. It's
really important that we understand what tactics they're using
to encourage kids to get into STEM, especially cybersecurity.
SAP has encouraged the Office of the National Cyber
Director to potentially work with NSF to explore this
specifically for cybersecurity. How can we matriculate more
African-American students out of historically Black
universities into cybersecurity graduate programs?
Ms. Clarke. Mr. Chairman, I yield back. Thank you.
Mr. Garbarino. The gentlelady yields back.
We're now going to start our second round of questions, so
I recognize Mr. Gimenez from Florida for 5 minutes for his
second round.
Mr. Gimenez. Thank you, Mr. Chairman.
Question for Mr. Markow. You stated that some companies
look for college graduates and are looking for the same--same
people and then they're mercenaries. They basically are there,
looking for a great job. But then as soon as they get there,
they're probably looking for the next job, seeing if they can
go higher and higher and higher because there's a small pool of
them.
Do you find that--that some of those companies or most of
those companies that have--that are looking for these college
graduates, et cetera, et cetera, they're college graduates
themselves?
Mr. Markow. That definitely is more common. I would
hesitate to pigeonhole and say that it's always going to be
companies that have a large proportion of existing bachelor's-
level graduates. That said, we do see that heightened degree
requirements are most common in regions and industries that
have the highest proportion of people with a college degree.
So we do see evidence in the data that people with a
college degree are more likely to also look for somebody with a
college degree, although it's not going to be across the board
in the case.
Mr. Gimenez. A different kind of discrimination then, huh?
Mr. Markow. Well, I'll hesitate to opine on the reason for
it. But I do think that people are more likely to hire for
people who have a similar background to themselves, and I think
that that's one of the types of cognitive biases that we do try
to help employers break out of by giving them hard data to
understand what the impact of that cognitive bias might be and
how they can find a better way to recruit and retain workers
who come from a more diverse background.
Mr. Gimenez. Yes, we need to do something about that, that
we seem to have as a--as a Nation maybe this bias that somehow
if you don't have that piece of paper, you may not be--be as
good. As somebody who beat the pants out of two Harvard guys
when he first ran for college, I find, you know--I was really
happy doing that. I didn't have the Harvard degree.
So as a firefighter, because that's what I am, a
firefighter, the United States has a U.S. Fire Academy, which
is--which has been used to really elevate, you know, the
profession.
Do you believe that maybe we should have--we should sponsor
a U.S. cyber academy for the same thing?
Ms. Dortch? Sorry. Yes.
Ms. Dortch. I think, you know, this is something that was
also brought up by the CISA Cybersecurity Advisory Committee.
They made the recommendation that CISA should have a cyber
academy. I think it's something that we should consider. We do
need to make sure that we are taking a multifaceted approach to
getting people into cybersecurity. I don't think it's the sole
silver bullet that will solve this challenge, but it is
something I think we should explore as a Nation to see if we
can get folks, multiple pathways, multiple entry points into
cybersecurity and trained.
You know, the biggest part to this also is just on-
boarding. Once we get them trained, let's get them into the
roles, the jobs that are open, whether it's in the Government
or in the private sector.
Mr. Gimenez. Yes. The fire academy actually did a lot to
and has done a lot to elevate, I guess, the professionalism of
the craft. I believe that a cyber academy could do--could do
the same thing, teaching best practices. Because really the
academy, the fire academy, is really about training the
trainers. The same could be done for a cyber academy. So it's
something that probably we should be looking into to establish
that.
You said that the European Union had some kind of a similar
academy. What is it that they do?
Ms. Dortch. So this--notionally, it's not a formal academy.
It's more of a platform to bring all of the resources that are
already there, so private employers who have micro-credentials
already or governments in other countries that have already set
up similar reskilling boot camps.
So it's really building a platform to centralize that
information so candidates have the opportunity to kind-of pick
and choose where they see their current skill sets and their
interests, align those, and pick where they would like to go,
which, I think--again, I keep using the word ``flexibility.''
You have to give professionals flexibility to figure out where
their interests and current skill sets match up best. But also,
if they are not a good fit, they have the ability to move
around in the cybersecurity field.
Mr. Gimenez. Do you know if the Chinese have something
similar to that?
Ms. Dortch. I am not aware of that.
Mr. Gimenez. OK. Thank you very much.
I yield my time back.
Mr. Garbarino. The gentleman yields back.
I now recognize Mr. Menendez from New Jersey for 5 minutes
of questioning.
Mr. Menendez. Thank you, Mr. Chairman.
So we've heard about being less rigid in hiring practices
for employers, being more flexible, and we understand our
mission there.
I'm curious. During this hearing, I was writing down the
names of high schools and community colleges and Stevens
Institute of Technology, which are in the Eighth Congressional
District in New Jersey. Where should we be going to amplify the
opportunities in the cybersecurity space? What should our pitch
be? If we're not the right messenger, who is?
That's for anyone on the panel.
Ms. Wisniewski. So I'll take that one.
I think that there's a lot--and, actually, the--with Mr.
Gimenez, really important about the professionalization of the
sector.
So, you know, the idea that a cyber professional is, you
know, the face of the cyber professional is in a black hoodie
and in a closet, you know, that--that still exists and we
really need to do a lot of work to actually change that.
So I would argue that if--if Congress can do more to
actually up the game in terms of the professionalization of the
sector--and this is something that we also, like Mr. Markow,
believe standards are really important here. There is an
opportunity for us to, in the way that, say, the accounting
profession or the engineering profession has a certain level of
profile within the public, that that actually is really
critical for the future of cybersecurity.
There's actually a proliferation of activities that are
happening at a Nation level. Not only we're familiar with the
E.U. school's academy as well, in the United Kingdom there's
the U.K. Cyber Security Council that's really driving a new
licensing scheme for people to become chartered professionals.
So I think if we can do more to actually raise that
profile, that would be incredibly helpful.
Mr. Menendez. Sure. Hopefully today's hearing is a good way
of doing that because, you know, it's one of the joys of being
here is to work on this issue in a bipartisan way.
But in terms of reaching folks, right, and, you know, I
think about this on the apprenticeship side across all
different industries, right, and how do we access people, reach
them, and let them know about different opportunities across
different industries. Specifically with cybersecurity, where do
you think we should be going to market these opportunities and
letting know--and letting folks know they can avail themselves?
Because it seems a pretty--from the testimony, it's a wide
swath of folks, right, from retraining people already in their
careers, retraining veterans, finding people on a
nontraditional academic path, to people in a traditional
academic path.
So it seems a wide variety, and basically we need to pull
from everywhere, and I get that. But where do you find the most
efficiency or the places that are most ripe for wanting to be
informed about opportunities and professions in the
cybersecurity space?
Again, to anyone who wants to take that question.
Mr. Starling. You know, from my perspective, I work with a
lot of young people and veterans. Most of us know more about
cybersecurity than we think we do. I mean, it's--it's pervasive
in our lives. I think getting young people excited about it,
getting them motivated about it, it starts with parents. It
goes into the school system.
You know, we're inundated with all these video games and
all these other things. If you can play these games for as long
as you do, you can take that knowledge and apply it to
something like cybersecurity, which is, you know, it's a lot of
the same concepts. But now it's something that is, you know,
defending your home, your company, defending the Nation.
So I think with parents and with schools, and whether you
do it in college or whether you take a nontraditional pathway,
it doesn't matter, both of those exist.
Mr. Menendez. Great. I appreciate that.
Just, you know, in terms of the pipeline, you know, we've
talked about sort-of the different folks that we can try to
recruit into the cybersecurity.
But I am curious. For folks that have sort-of the more
traditional pathway of computer and information science
backgrounds, who are we competing with? Or who are
cybersecurity firms or companies competing with for access to
that talent? Sort-of what sort-of potentially competitive
disadvantage are cybersecurity professionals, the Government
firms at compared to those other career paths that those folks
could take?
Mr. Markow. Happy to answer that question.
I think that cybersecurity for a long time was not a field
that had a very clear brand within many organizations, and I
think that resulted in many people ending up in the field by
happenstance. They had started working in networking. They had
started as a developer. They had started anywhere else but
cyber, and somebody said you're the cyber person now. So I
think that there's a lot of branding work that needs to be done
to overcome that.
I think that some of the fields that do have a more
effective brand within the IT community are fields like
software developers and engineers, even networking roles, and
now increasingly data scientists and others focused on
developing AI and other emerging technologies. Cloud computing,
for example, is a big one.
I think that being able to communicate why cybersecurity is
a compelling career path, even within the context of those
other compelling career paths, is important. We do see that
there are very compelling reasons to move into cybersecurity.
On average, they pay salaries that are about 10 percent higher
than other IT jobs. They offer fantastic job security. They can
lead to just a sense of reward and accomplishment by knowing
that you are protecting some of our most valuable digital
assets.
But I think that we need to communicate that story. We need
to build the brand of cybersecurity jobs so that they can be as
effective and they can essentially serve as a magnet to more
people who are interested in a career in CS who for the longest
time thought the best path to a good career in CS was to go
work as a software developer at the next Facebook.
Mr. Menendez. That's really helpful.
I yield back. Thank you.
Ms. Lee [presiding.] The gentleman yields back.
I now recognize myself for a second round of questioning.
My question for each of you is this: You've provided us
such useful information already during this hearing, but I want
to know, is there anything that you were hoping to share with
us today that you think is important information for us to have
that you haven't already had an opportunity to share?
Ms. Dortch, I'll start with you.
Ms. Dortch. I think the big thing right here is that, you
know, in the United States we're seeing a transformation
happening when it comes to the regulation within cybersecurity.
We have CIRCIA, the Cybersecurity Incident Reporting for
Critical Infrastructure Act. We have the Cybersecurity Maturity
Model Certification. We have a proposed rule from the
Securities and Exchange Commission for incident reporting of
material cybersecurity incidents. The list goes on and on.
With the increase in regulation, that drives the need for
us to have cyber professionals who can help us meet the
requirements, put in the security controls, maintain the
network, and keep--make sure that we're responding, and working
with the sector-specific agencies or CISA in that matter to
respond to these things.
But in order to really execute this, we do need time. I
think it's really important that when the Government is looking
at rolling out these regulations and these policies, that
industry and the Government is giving itself more time.
So really the ask of Congress is to urge certain agencies
like the Office of Management and Budget, which has a memoranda
right now on secure software development practices, we are
really trying to make sure that we are in alignment with those
and making sure we're compliant. But we need a little more time
to make sure that, not only our contracting officers at Federal
agencies are ready for the attestation statements that we have
to submit, but that our software developers are meeting and
complying with the frameworks that are in place and set by
NIST.
Ms. Lee. Thank you, Ms. Dortch.
Mr. Markow.
Mr. Markow. So I think that one--one thing we haven't
really touched upon is the speed of change within
cybersecurity. Building our cybersecurity work force is not a
destination. It is a continuous journey. Skills are constantly
evolving. New technologies are constantly being utilized both
by bad actors, as well as cybersecurity professionals. We need
to be constantly reskilling our people.
In just the past 2 years, we found that about a quarter of
the skills required for cybersecurity professionals have
changed. So even if we were to graduate many folks with degrees
at a Bachelor's level, a graduate level, what have you, their
skills are going to be outmoded within just a few years.
So being able to provide the resources, the information,
and the tools to employers, educators, and individuals that
they need to keep up with such a rapid pace of change in the
industry, I think, is one of the things that the Federal
Government can help to build the foundation for, so that we do
have that information access for everybody who needs to keep up
with such a rapid pace of change in the industry.
Ms. Lee. All right. Thank you.
Ms. Wisniewski.
Ms. Wisniewski. Thank you. I agree with Ms. Dortch that
actually the regulatory environment is incredibly active right
now and is going to actually bring more requirements to cyber--
the cyber community, and so the problem's going to get worse,
not better. So there is a real need for innovative strategies
around work force development and new strategies around work
force development. So old approaches don't apply.
Fully agree with Mr. Markow that the profession is going to
change dramatically so quickly. The combination of that change
with the--a very active regulatory environment that is, I
think, intentionally in a--trying to do the right thing, but
the two are going to miss each other. So unless we do something
drastic soon, it's just going to compound.
Ms. Lee. Excellent.
All right. Colonel Starling, anything you would add?
Mr. Starling. So it's not just about the training of
people. One of the things, we overlook a lot of talent because
we're not--we don't access them. So having the training, plus
some wraparound services that--that knock down the barriers
that people have, whether that is getting child care, whether
that is being able to make their rent payments, and then
opening up apprenticeships and internships, paid
apprenticeships and internships for those people.
If we want to have a truly diverse work force, we got to go
find them. It's not just the training. It's the other pieces
that allow them to use their own grit and determination to
succeed.
Ms. Lee. Thank you very much.
At this time I recognize Ms. Clarke from New York for 5
minutes of questioning.
Ms. Clarke. Thank you very much, Madam Chair.
Equipping institutions of higher education with the
resources they need to provide high-quality, high-level
cybersecurity education as a discipline is so important. But it
is only one piece of the puzzle when we think about long-term
solutions to growing the cyber work force.
We also need to consider early education opportunities so
that school-aged children have the skills and understanding to
consider careers in cybersecurity down the road.
I know CISA has funded the nonprofit cyber.org to develop a
nationally-focused K-12 cybersecurity education and training
program for teachers to provide students with the cybersecurity
education foundation across all 50 States.
Mr. Markow, what can employers do to better engage with K-
12 sector--the K-12 sector to use these available resources to
further develop effective career pathways into cybersecurity
jobs, opportunities, and careers that are sustainable in the
long run?
Other panelists are free to respond as well.
Mr. Markow. Thank you for the question. I think that
employers can proactively go out and engage with schools in
their communities to find opportunities to communicate the
opportunities within cybersecurity.
So going back to what we talked about around branding the
field, you could have your CISO go into local elementary
schools or high schools to talk about the great career
opportunities that you have available within your organization.
You also mentioned career pathways, which is critical. You
actually need to be able to then communicate to students what
that career pathway looks like so that they know that there is
a future and a sustainable career opportunity for them, and you
need to communicate what are the specific steps that students
can start taking wherever they are in their educational journey
to build the skill sets or other experiences that are going to
be necessary in order to enter into the field.
That could be even sponsoring cyber competitions in your
local community or engaging in other relevant activities that
your community is sponsoring to help grow the cybersecurity
talent pipeline.
Mr. Starling. One of the things that we do at NPower is we
hold regular sessions that identify different pathways to
different cybersecurity jobs, and that's to get people into our
tech fundamentals class. So you can't just jump into the cyber
world. You've got to have that basis of fundamentals, but
definitely being out in the community and having live and
virtual events that people can attend to learn more about those
pathways.
Congresswoman, I'd just like to thank you for your support
of NPower. You've been a vocal supporter, and we appreciate
that.
Ms. Wisniewski. I would just add that I think that, you
know, we know--we have 200,000 members in the United States.
Our members are very active in their community because they are
very passionate. Cyber professionals are very passionate about
cyber. They've had that Kool-Aid, and they are handing it out,
right.
So I think even more opportunities--this is where I think
there's an important role for public-private partnerships--more
opportunities to get people out into the community talking
about cyber. It's actually two-fold. This is not just about
work force, but it's also just building cyber awareness and,
therefore, more resilience within the general population.
Ms. Clarke. Absolutely. I--I'm a fond--I fondly
reminisce about the science fair when I was in school. I
think that certainly there's room for that type of creativity
in our public school--in our elementary school settings.
There's a program called Project REACH, which stands for
Realizing Equitable Access to Cybersecurity in High School,
which links K-12 school systems to higher education
institutions, specifically HBCUs and MSIs. The goal of the
program is to ease the transition into higher education
cybersecurity degree programs.
I wanted to ask the question to Colonel Starling. As
Project REACH does for K-12, what can we do as a Nation to
create a seamless transition for higher education to work
force?
Mr. Starling. Yes, I think it's--it's offering those
training opportunities, but it's not just--again, it's not just
the tech training. You need some professional development.
Young kids coming out of high school don't necessarily have the
savvy to go into an interview or to, you know, compete for some
of these jobs. Same thing with veterans who are transitioning.
They have a whole different language. The transition period is
one of those volatile times in a person's life.
So seamless transitions means my SkillBridge program is
like a boot camp as you leave the military to go into the
civilian sector, specifically cybersecurity.
Same thing as we look at our young adult programs in places
like New York and in St. Louis, we are preparing them
holistically. We're helping them with their life. We're also
training them professionally to have the right clothes, the
right approach, and practice those things. It's--you know,
repetition is the key to retention in those things. So it's a
holistic approach to filling this work force for cybersecurity.
Ms. Clarke. Very well.
My time has expired. Thank you, Madam Chair. I yield back.
Ms. Lee. The gentlewoman yields back.
I now recognize Mr. Swalwell for an additional 5 minutes of
questions.
Mr. Swalwell. Great. Thank you, Madam Chairwoman.
I would just first ask unanimous consent to insert into the
record written testimony from the Information Technology
Industry Council, their publication, ``Growing the National
Cybersecurity Talent Pipeline.''
Ms. Lee. Seeing no objection, it is so ordered. The
testimony will be admitted into the record.
[The information follows:]
Statement of The Information Technology Industry Council
June 22, 2023
The Information Technology Industry Council (ITI) appreciates the
opportunity to provide written testimony to the subcommittee on growing
the national cybersecurity talent pipeline. ITI is the premier advocate
for the technology sector, representing the world's most innovative
companies. We promote public policies and industry standards that
advance competition and innovation world-wide. Our diverse membership
and expert staff provide policy makers with the broadest perspective
and thought leadership from technology, hardware, software, services,
and related industries.
Recruiting, training, and educating a diverse cybersecurity
workforce is a top priority for ITI and its member companies. The on-
going shortage of cybersecurity professionals profoundly impacts ITI's
membership. We welcome the committee's attention to this pressing
national issue for both the Government and private sector. While ITI
member companies take a range of actions to invest in and develop their
cybersecurity professionals, we would like to focus our attention on
the role that Artificial Intelligence (AI) must play in reducing the
security workload and empowering cybersecurity professionals.
ITI recently launched our AI Futures Initiative, which crafts
action-oriented AI policy recommendations to address emerging AI
questions in the United States and globally. Led by a task force of
technical and policy experts and serving as a convener for a diverse
set of stakeholders ranging from industry to academia to civil society,
the AI Futures Initiative will explore topics relevant to AI policy
discussions, from transparency and accountability to AI's societal
impacts. The AI Futures Initiative will feature a robust exploration of
the foundational models that underpin Large Language Models (LLM--such
as OpenAI's ChatGPT or Google's Bard) and how generative AI more
broadly will impact cybersecurity.
It is important to note that the cybersecurity industry benefits
from a workforce that reflects a variety of backgrounds, perspectives,
and experiences. As part of the tech sector's efforts to engage with
educational institutions to prepare a diverse and ready workforce, ITI
established the National Initiative to Increase Diversity in Tech, in
partnership with Morehouse College, one of the most pre-eminent
Historically Black Colleges and Universities (HBCU) in the United
States. This initiative connects ITI's member companies with Morehouse
leadership and educators to develop innovative programs that provide
both the private sector and other professional fields--including the
Federal Government--with a skilled workforce that understands the
technology sector's cybersecurity needs.
the cybersecurity challenge
The U.S. Government (USG) or other large organizations have three
primary challenges when developing and maintaining effective
cybersecurity--finding the true signal in the noise of logged data, a
constantly evolving threat landscape, and an insufficiently skilled
workforce. Each of these areas requires dedicated attention and policy
solutions to address and improve the resilience and security of the IT
ecosystem. As illustrated by these three challenges, the modern
cybersecurity reality is that even the most skilled security operators
are always playing catch-up with security risks.
The volume of data being created and shared continues to grow
exponentially minute-by-minute; the threat landscape continues to
evolve with the pace of technology; and at best we are providing only
small-scale increases in the IT security workforce. The USG and their
private-sector partners need to change the game to improve the calculus
for cyber operators. Advances in technology, especially AI, can be
leveraged to empower a skilled workforce to focus on the most complex
problems and keep pace with the most sophisticated threats.
AI, when used properly, can find the few actual threat events among
the billions of logged activities any large system deals with on a
daily basis. According to a recent threat intelligence survey, 84
percent of global business and IT leaders are concerned that their
organization is missing threats or incidents due to the high volume of
alerts and data that they need to analyze.\1\ AI-powered analytical
tools can help identify the new and novel tactics, techniques, and
behaviors of sophisticated and well-resourced adversaries. This is an
especially important security use case as we must assume that malicious
cyber actors will train their own AI systems to look for and exploit
vulnerabilities in our defenses.
---------------------------------------------------------------------------
\1\ Google Cloud Blog, ``Why AI: Can new tech help security solve
toil, threat overload, and the talent gap,'' posted on Apr. 26, 2023
available at https://cloud.google.com/blog/transform/why-ai-can-new-
tech-help-security-solve-toil-threat-overload-and-talent-gap. (last
viewed on Jun 20, 2023)
---------------------------------------------------------------------------
Finally, properly applying AI systems, services, and capabilities
can help solve one of the biggest challenges facing the security
operations workforce--the amount of time and energy that must be put
into simply collecting and organizing data. The continued use of legacy
systems across the USG, and other large organizations, means that the
workforce in a security operations center (SOC) spends much of their
time simply trying to integrate data from different, often outdated,
and outmoded, systems. The repeatable and time-intensive activities of
aggregating and enriching data from multiple sources add no direct
cybersecurity value, yet are essential for the operations of the SOC,
and consume much of the work force's time.\2\
---------------------------------------------------------------------------
\2\ See e.g. blog post ``Expanding our Security AI ecosystem at
Security Summit 2023,'' posted on June 12, 2023 available at https://
cloud.google.com/blog/products/identity-security/expanding-our-
security-ai-ecosystem-at-security-summit-
2023?utm_source=newsletter&utm_medium=-
email&utm_campaign=newsletter_axioscodebook&stream=top. (last viewed on
Jun 19, 2023)
---------------------------------------------------------------------------
ai and the cybersecurity workforce
Due to these three challenges, cybersecurity is no longer a human-
scale problem. Advances in AI, machine learning, and other automated
processes are revolutionizing how cybersecurity practitioners identify
and resolve vulnerabilities and manage increasingly sophisticated
threat actors.
AI-powered tools, capabilities, and services enable the analysis of
massive quantities of risk data to speed response times and focus
skilled security operators on the highest-risk activities; thereby
improving outcomes and reducing strain on the workforce. A recent Wall
Street Journal article found that 75 percent of chief information
security officers in the United States are experiencing burnout.\3\
There is also a global cybersecurity workforce shortage of nearly 3.4
million--an all-time high.\4\ Cyber attacks are being launched faster
than companies can recruit and train the skilled security professionals
necessary to combat these increasingly sophisticated threats.
---------------------------------------------------------------------------
\3\ Catherine Stupp, Cybersecurity Leaders Suffer Burnout as
Pressures of the Job Intensify, WSJ (May 17, 2023) available at https://
wsj.com/articles/cybersecurity-leaders-suffer-burnout-as-pressures-of-
the-job-intensify-b0609ef1#:~:text=Seventy-
three%20percent%20of%20CISOs,-burnout%20in%20the%20past%20year.
\4\ https://securityintelligence.com/articles/bridging-workforce-
gap-cybersecurity/.
---------------------------------------------------------------------------
AI technologies do not offer a silver bullet solution to
cybersecurity challenges and cannot replace the value of human analysis
and decision making when it comes to security operations. Rather AI
technologies augment the abilities of the security workforce whose time
and resources are limited. ITI member companies have identified, and
currently employ, a range of AI-enabled tools to address key challenges
and improve overall effectiveness of cyber solutions:
1. Detection & Prevention.--Cybersecurity systems that leverage AI
can better provide real-time analysis and prevention compared
to cybersecurity systems that do not incorporate the latest
technologies. Leveraging AI means detecting anomalous activity
becomes faster and more accurate, improving the proactive steps
that network defenders can take to identify and mitigate
threats. One ITI member company takes in 36 billion security
events per day and requires only 8 of those to be manually
analyzed.\5\ In those security events, an organization could
face millions of potential Indicators of Compromise (IOC) per
day, which requires security teams to have contextual awareness
and visibility from across their entire environments to put
their time and resources where it will have the greatest
impact.
---------------------------------------------------------------------------
\5\ Palo Alto Networks, Quarter 3 Fiscal Year 2023 Earnings Call
(May 23, 2023) available at https://investors.paloaltonetworks.com/
static-files/70379c02-346b-493b-81c0-69ef1498b730.
---------------------------------------------------------------------------
2. Advanced Threat Response.--AI-powered capabilities allow for the
automation of security recommendations and responses,
streamlining security operations and allowing for human
expertise to focus on the highest-risk threats. Sophisticated
cyber attackers require specific responses to their unique
behaviors and tactics, and AI-enabled technologies can help
defenders adapt by identifying new patterns that correlate to
known malicious activity.
3. Scaling Productivity of Security Specialists.--When combined
with cloud services, AI-delivered security capabilities can
also help scale security efforts through continuous learning,
make best-in-class security tools available to small and
medium-size organizations, and keep on top of the latest
vulnerability mitigations. These efficiency gains broaden the
impact of security experts and operations to identify
intrusions more quickly and empower network defenders to act to
mitigate potential harm, without specialized domain knowledge
or deep tool expertise.\6\
---------------------------------------------------------------------------
\6\ Google blog, Jun 13.
---------------------------------------------------------------------------
4. Cost Effectiveness.--ITI member companies have identified a
strong correlation between deploying AI in cybersecurity with
reduced costs. One ITI member found that ``fully-deployed
security AI and automation was associated with average breach
costs that were $3.05 million lower than with no security AI
and automation deployed, a difference of 65.2 percent, the
largest cost savings in the study.''\7\ These are cost savings
that can be used to address the workforce capacity issues
facing both the Government and large organizations.
---------------------------------------------------------------------------
\7\ Cost of a Data Breach Report 2022, conducted by Ponemon
Institute, sponsored, and analyzed by IBM (2022) available at https://
www.ibm.com/security/artificial-
intelligence?mhsrc=ibmsearch_a&mhq=cybersecurity%20ai%20for%20dummies.
---------------------------------------------------------------------------
recommendations on ai adoption and the cyber workforce
Given the beneficial impact of AI tools, capabilities, and services
on an already-strained cyber workforce, the following recommendations
provided to the committee will help accelerate the use and
implementation of AI to improve cybersecurity outcomes.
Consider how to leverage technology like generative AI to
supplement and improve security practitioners' skills,
including data analysis, in cases where automation is not
helpful or appropriate.
CISA and other Federal cybersecurity policy makers should
support the use of AI for cybersecurity purposes and
incorporate AI systems into threat modeling and security risk
management. To the extent practicable, we urge the committee to
leverage existing U.S. frameworks for assessing and mitigating
AI-related risks, such as NIST's AI Risk Management and
Cybersecurity Frameworks, rather than tasking the Office of
Management and Budget (OMB) or other Federal agencies with
creating new and potentially duplicative or conflicting risk
models.
CISA should increase access to Government sources of
publicly available data, as appropriate, in machine-readable
formats to enable access by AI tools and services. Data is
fundamental to innovation in AI, and cybersecurity is no
different. As network security becomes more automated, and AI
manages repeatable tasks, AI will be more able to assist the
human network defenders.
Prioritize Federal procurement of AI-based technologies and
applications. In particular, it will be increasingly important
to invest in security solutions that are aimed at countering
adversarial AI attacks.
CISA and other Federal agencies should also explore funding
research and development of AI systems that are resilient to
manipulation by adversaries. Malicious actors use machine-
learning models to misinterpret inputs into the system and
behave in a way that is favorable to the attacker. To produce
the unexpected behavior, attackers create adversarial examples
that often resemble normal inputs, but instead are meticulously
optimized to break the model's performance.
ITI member companies encourage the committee to consider
``The National Community College Cybersecurity Challenge Act,''
which creates a funding stream for eligible State applicants to
grow and develop cybersecurity programs at community colleges,
as well as to assist States in promoting educational
advancement for the in-demand jobs of the cybersecurity
workforce.
conclusion
We commend the committee's focus on addressing the cybersecurity
workforce and skills gap. In the constantly-evolving and fast-moving
technology ecosystem, the expanded use of AI will benefit both
attackers and defenders. Last year, Rob Strayer, ITI's executive vice
president of policy, testified before this subcommittee that, ``As
innovation in Artificial Intelligence (AI) continues and the technology
itself evolves, it is important for policy makers to consider how to
harness the benefits of AI while simultaneously addressing societal or
other challenges that may emerge.''\8\ It is incumbent on governments
and the private sector to realize and invest in AI-enabled
cybersecurity services and tools to raise the cost of conducting cyber
attacks and ease the workload on security professionals.
---------------------------------------------------------------------------
\8\ Rob Strayer, Executive Vice President of Policy Information
Technology Industry Council (ITI), before the U.S. House Committee on
Homeland Security Subcommittee on Cyber, Infrastructure Protection, and
Innovation on June 22, 2022 on a hearing entitled, ``Securing the
Future: Harnessing the Potential of Emerging Technologies while
Mitigating Security Risks.'' Available at https://www.itic.org/
documents/cybersecurity/20220622ITIHouseHomelandCmte-
TestimonyonEmergingTechandCyber.pdf.
Mr. Swalwell. Great. Thank you.
Also, Mr. Markow, in your testimony, you mentioned that
demand for certain emerging cybersecurity skills like cloud
security, automation, and secure application development has
been growing at a rapid rate and can result in a salary premium
because of a shortage of trained professionals.
To what extent do you believe current cybersecurity
education and training programs have curricula that meet the
skills that employers demand? Are there aspects of
cybersecurity where we should be focusing more acutely?
Mr. Markow. I do think that, in general, most cybersecurity
curricula are very focused on the skills that employers demand,
but I think that it is a game of cat and mouse. The skills are
constantly changing. Even if you build a curriculum that
addresses the skill needs of today, it could be outdated within
1 to 3 years.
When you think about the typical program development cycle
and curriculum development cycle at many universities, which
can take 5 years or more, that makes it very difficult to
rapidly adapt the curricula to some of the emerging tools and
technologies that cybersecurity workers need to utilize.
So that said, we have seen that many colleges and
universities and other trained providers are very laser-focused
on trying to rapidly adapt their curriculum. We also see some
very innovative approaches coming from boot camps or other
shorter-term training programs that are hyper-focused on some
of these emerging fields such as cloud security or others that
you just mentioned.
So I think, in general, there are some structural
challenges to many programs that are trying to adapt their
curriculum as rapidly as possible. But I also feel that, in
general, our education system is doing a good job of trying to
respond to those challenges as quickly as they can through a
variety of innovative approaches.
Mr. Swalwell. Thank you for that.
I also want to go into an issue where--immigration in
Congress, obviously, it is a charged issue. But I think there's
actually broad consensus among both parties about the need for,
you know, skill--high-skilled immigration in areas where we
just don't have enough American workers.
My priority on cyber is, look, if we can train an American,
I want to do that and make that the priority, you know, to
exhaust the effort to do that before we ever say, you know, we
need to import, you know, that work force through an
immigration system.
But can you just all let--just educate me and the
committee. Do we have enough folks right now that we can train
to meet our needs or, you know, would a skilled immigration--an
expansion of the skilled immigration process help us meet that
need?
I'll just leave that open to anyone.
Ms. Wisniewski. So I think that it could help. But the
reality is, is that there's basically zero percent unemployment
in cyber globally. So you're--you know, sure, but at the same
time, you know, other--other nations around the world have the
same problem that--that we do in the United States. There are
simply just not enough professionals.
So while I think that there's always value for effective
policy in the realm of immigration, I think for cyber, it's
just another lever that we can pull. But it doesn't--I think
the most important thing is not to lose sight of the really big
picture, which is zero percent unemployment, right.
So even at some point during the panel even this morning,
you know, the poaching that happens within the industry is so
significant----
Mr. Swalwell. Yes.
Ms. Wisniewski [continuing]. And people are staying in jobs
less than a year because they're getting poached onto the next
thing. So there needs to be a lot of--again, I think industry
has a really important role to play. I guess I'll leave it at
that.
Mr. Swalwell. Well, I just want to thank all of you for
participating and educating us on this hearing today.
Again, I want to thank the Chairman, before I yield back,
for doing this. I mean, this--this is something that we just
hear all over, not just the United States but world-wide, and
not just in the public sector but also in the private sector.
So we've got our work cut out for us. As I said, the good
news here is there's no partisan excuse. There's a lot of good
partisan excuses for why we can't take on other intractable
issues. On this one, we're aligned. So that's the good news of
this piece, but we can only do it, you know, with private
sector buy-in and collaboration.
So with that, I yield back.
Mr. Garbarino [presiding.] Absolutely. Thank you, Ranking
Member Swalwell.
I recognize myself for 5 minutes for my second round of
questioning.
As you heard in my opening statement, addressing the
national cyber work force challenge is one of my biggest
priorities as Chairman of this subcommittee.
Part of that difficulty is addressing--in addressing it is
figuring out where to start. I think we've had some great
testimony here today. But it's not, you know, it's not just--we
can't solve it here alone on the Federal level. It can't be
done alone on the private-sector level. It can't be done alone
on the education level. It's the all-of-the-above approach I
think there has to be.
But what this subcommittee does oversee certain agencies in
the Federal Government and specifically CISA.
So I'll start with Ms. Wisniewski. In your view, how should
the Federal Government specifically--how should the Federal
Government prioritize its efforts to address this issue?
Specifically, what is--what should CISA's role be in the
equation?
Ms. Wisniewski. So I think that we have to continue--
actually, I think we need more resources, right, more focus,
more investment in actually solving the challenge, so, again,
innovative work force strategies.
Particularly for CISA, CISA has an opportunity to really
serve as a convener and serve as, you know, the ringleader, if
you will, in terms of really being able to drive all of the
things that we've talked about today.
I think that there are--there are just many--I think CISA
has done a good job of being an example of--of not only the
good, bad, and the ugly in terms of they have their own work
force challenges, right, of recruiting people in. So I mean,
you know, it's there, right.
But I think CISA has a real leadership role here, and we
look forward to deeper partnership with CISA and more
opportunities, and also with the Office of the National Cyber
Director. We have a deep partnership with them. We think the
combination of those two units to serve as a leader is really
important.
Then actually, you know, this is also a global game, right.
So we as--as the United States really need to take serious if
we want to be a leader here, because we should be.
Mr. Garbarino. Thank you.
Does anybody else want to comment on that?
Sure, Ms. Dortch.
Ms. Dortch. I'll just quickly add, agree with her comments.
I think, you know, big thing for CISA is to make sure they have
the right expertise in the room to really help look at how we
can transform the cyber work force in America.
I think a great example of this, as we've seen, again, the
CISA Cybersecurity Advisory Committee has the Subcommittee on
Transforming the Cyber Workforce. But we need to make sure that
we have H.R. professionals at the table, that we have folks
from academia to really take a look at things that are working
in the Federal Government and industry and really figure out
how we can tactically address this issue.
Mr. Garbarino. Either of you?
Mr. Starling. Yes, I would just add that, you know, we've
had a great relationship with CISA. Their grant really
propelled us into some new territory, and we proved that we
could do it. We're looking forward to continue to work with
CISA and other Government agencies to continue to find
nontraditional talent and to help solve this problem.
Mr. Markow. I would wholeheartedly agree with everything
that everyone else has already said.
The only thing that I would add is that I think CISA is in
a unique position to help make all of the great information
that is already out there as accessible as possible.
I think that there's no shortage of resources and
information that lots of people have already provided in the
Federal Government to support cybersecurity work force
development, but I think that at times it can also be
information overload. So I think that CISA could serve as that
convener of both stakeholders but also information to make it
as easy as possible to access the tools and resources that are
most valuable.
The other comment I would make on this is that I think CISA
is also in a unique position to provide information to
employers. I think we have overindexed on providing information
for other stakeholders and underindexed on providing
information, tools, and standards for employers so that they
know how to be responsible recruiters and developers of
cybersecurity talent.
Mr. Garbarino. Thank you all.
One final question, because I have about a minute left. But
in our first hearing of this committee, we heard from someone
from the Bank Policy Institute that cyber professionals in
their field are spending 40 percent or more of their time on
compliance.
Ms. Wisniewski, earlier in this--in your response, you
mentioned additional cyber regulations will likely worsen the
work force problem. Right now we're seeing, you know, the
National Cyber Strategy coming out of the White House has--
focuses a lot on regulation. The Energy and Commerce Committee
just recently passed a bill out of committee, adding a new
regulation on reporting.
How can Congress help reduce this additional burden on a
work force that is already stretched so thin?
Ms. Wisniewski. So I do think that there's an opportunity
for Congress to actually partner with the regulatory
environment to really, I think, appreciate what is really
important here, because unless we can do more--so what often
happens, right, is the regulatory environment kind of works in
its own little world. Then you've got, you know, policy makers
working in a different world.
In this case, there needs to be a lot more synergy so that
there can actually--if there is going to be more regulations
coming, that those regulations actually can be fulfilled.
Because if there's no one to meet the regulation, then, you
know, how is that going to solve?
The other challenge, I think, is that we really, because of
the environment in cyber, we really need to make sure that
we're not building a checklist environment where it's just a
checklist for compliance, because then you're just not--you're
not--you're missing the point. You're actually not protecting
the world.
So I think more synergy there and, again, just more
investment on the work force development.
Mr. Garbarino. Thank you.
I'm out of time, but I'm the Chairman. So you can go ahead,
Ms. Dortch.
Ms. Dortch. Thank you. I appreciate that.
It's really a call for harmonization of these regulations
and removing duplication. I think that's key.
I agree. I think a big part of this, NIST has done a lot of
work around building the Cybersecurity Framework, the National
Initiative for Cybersecurity Education, the AI Risk Management
Framework. We need to continue to fund that.
But also to her earlier point, frameworks are not meant to
be compliance documents, so making sure that these are best
practices that we can incorporate into our businesses and make
sure we're fostering good cyber hygiene practices.
Mr. Garbarino. Thank you very much.
So I want to say I thank the valuable testimony and the
Members for their questions today. Again, this is I think the
second time we've done a second round of questions because it
was such a great hearing.
The Members of the subcommittee may have additional
questions for the witnesses, and we would ask the witnesses to
respond in these writings pursuant to committee rule VII(D).
The hearing record will be held open for 10 days.
Without objection, this subcommittee stands adjourned.
[Whereupon, at 11:52 a.m., the subcommittee was adjourned.]