[House Hearing, 118 Congress]
[From the U.S. Government Publishing Office]


                        GROWING THE NATIONAL CYBERSECURITY
                                  TALENT PIPELINE

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                    CYBERSECURITY AND INFRASTRUCTURE
                               PROTECTION

                                OF THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED EIGHTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 22, 2023

                               __________

                           Serial No. 118-19

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]                                     

        Available via the World Wide Web: http://www.govinfo.gov

                               __________
                               
                               
                    U.S. GOVERNMENT PUBLISHING OFFICE                    
54-126 PDF                  WASHINGTON : 2023                    
          
-----------------------------------------------------------------------------------     

                     COMMITTEE ON HOMELAND SECURITY

                 Mark E. Green, MD, Tennessee, Chairman
Michael T. McCaul, Texas             Bennie G. Thompson, Mississippi, 
Clay Higgins, Louisiana                  Ranking Member
Michael Guest, Mississippi           Sheila Jackson Lee, Texas
Dan Bishop, North Carolina           Donald M. Payne, Jr., New Jersey
Carlos A. Gimenez, Florida           Eric Swalwell, California
August Pfluger, Texas                J. Luis Correa, California
Andrew R. Garbarino, New York        Troy A. Carter, Louisiana
Marjorie Taylor Greene, Georgia      Shri Thanedar, Michigan
Tony Gonzales, Texas                 Seth Magaziner, Rhode Island
Nick LaLota, New York                Glenn Ivey, Maryland
Mike Ezell, Mississippi              Daniel S. Goldman, New York
Anthony D'Esposito, New York         Robert Garcia, California
Laurel M. Lee, Florida               Delia C. Ramirez, Illinois
Morgan Luttrell, Texas               Robert Menendez, New Jersey
Dale W. Strong, Alabama              Yvette D. Clarke, New York
Josh Brecheen, Oklahoma              Dina Titus, Nevada
Elijah Crane, Arizona
                      Stephen Siao, Staff Director
                  Hope Goins, Minority Staff Director
                       Natalie Nixon, Chief Clerk
                     Sean Jones, Deputy Chief Clerk
                                 ------                                

      SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION

                Andrew R. Garbarino, New York, Chairman
Carlos A. Gimenez, Florida           Eric Swalwell, California, Ranking 
Mike Ezell, Mississippi                  Member
Laurel M. Lee, Florida               Sheila Jackson Lee, Texas
Morgan Luttrell, Texas               Troy A. Carter, Louisiana
Mark E. Green, MD, Tennessee (ex     Robert Menendez,  New Jersey
    officio)                         Bennie G. Thompson, Mississippi 
                                         (ex officio)
               Cara Mumford, Subcommittee Staff Director
           Moira Bergin, Minority Subcommittee Staff Director
                    Alice Hayes, Subcommittee Clerk
                           
                           
                           C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Andrew R. Garbarino, a Representative in Congress 
  From the State of New York, and Chairman, Subcommittee on 
  Cybersecurity and Infrastructure Protection:
  Oral Statement.................................................     1
  Prepared Statement.............................................     2
The Honorable Eric M. Swalwell, a Representative in Congress From 
  the State of California, and Ranking Member, Subcommittee on 
  Cybersecurity and Infrastructure Protection:
  Oral Statement.................................................     3
  Prepared Statement.............................................     5
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Prepared Statement.............................................     6

                               Witnesses

Ms. Anjelica Dortch, Senior Director, U.S. Government Affairs, 
  SAP America, Inc.:
  Oral Statement.................................................     7
  Prepared Statement.............................................     9
Mr. Will Markow, Vice President of Applied Research, Advocacy, 
  Global Markets, and Member Engagement, Lightcast:
  Oral Statement.................................................    13
  Prepared Statement.............................................    14
Ms. Tara Wisniewski, Executive Vice President, Advocacy, Global 
  Markets, and Member Engagement, ISC2:
  Oral Statement.................................................    20
  Prepared Statement.............................................    22
Colonel Chris Starling, USMC (Ret.), Executive Director, 
  California, Npower:
  Oral Statement.................................................    26
  Prepared Statement.............................................    27

                             For the Record

The Honorable Eric M. Swalwell, a Representative in Congress From 
  the State of California, and Ranking Member, Subcommittee on 
  Cybersecurity and Infrastructure Protection:
  Statement of The Information Technology Industry Council.......    50

 
           GROWING THE NATIONAL CYBERSECURITY TALENT PIPELINE

                              ----------                              


                        Thursday, June 22, 2023

             U.S. House of Representatives,
                    Committee on Homeland Security,
                         Subcommittee on Cybersecurity and 
                                 Infrastructure Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:07 a.m., in 
room 310, Cannon House Office Building, Hon. Andrew R. 
Garbarino (Chairman of the subcommittee) presiding.
    Present: Representatives Garbarino, Gimenez, Ezell, Lee, 
Swalwell, and Menendez.
    Also present: Representative Clarke.
    Mr. Garbarino. The Committee on Homeland Security, 
Subcommittee on Cybersecurity and Infrastructure Protection 
will come to order.
    Without objection, the Chair may declare the subcommittee 
in recess at any point.
    The purpose of this hearing is to receive testimony from 
industry experts on the national cybersecurity work force.
    I now recognize Ranking Member Swalwell for the purposes of 
seeking unanimous consent.
    Mr. Swalwell. Chair, I would seek unanimous consent that my 
colleague, Yvette Clarke, be allowed to waive on for the 
purpose of this hearing.
    Mr. Garbarino. Without objection, so ordered.
    I now recognize myself for an opening statement.
    Thank you all for joining us today for a discussion of my 
biggest priority as Chairman of the subcommittee, addressing 
the cybersecurity work force shortage.
    Over the last several months, this subcommittee has taken a 
broad look at the Cybersecurity and Infrastructure Security 
Agency, or CISA's, development since 2018 and its increasingly 
important role in mitigating risk across Federal networks and 
critical infrastructure. But in order for CISA and any public 
or private entity, for that matter, to be successful in 
executing important mission, it must have a robust 
cybersecurity work force.
    Some estimates say that the United States currently has 
more than 660,000 cyber job openings nationally. I've heard it 
almost as high as 750,000. So that's a lot. In addition to the 
overall shortage of cyber professionals, 61 percent of those 
who are employed say they are burned out after triaging years 
of major cyber incidents.
    Research from ISACA, a notable nonprofit organization that 
conducts an annual study of the state of cyber work force, 
shows that 54 percent of government and military stakeholders 
believe a lack of skills and training are the top obstacle for 
obtaining digital trust in an organization.
    I've said it before and I will reemphasize my belief that 
we not only--we need not only enough people but the right 
people with the right skills in the right jobs to meet the 
growing cyber threat.
    In April, the FBI director testified to Congress that even 
if all FBI cyber agents and intel analysts focused on the China 
threat, Chinese hackers would still outnumber our FBI cyber 
personnel at least 50 to 1. That is extremely concerning.
    It is clear that the shortage of talent and burnout are 
issues that both the public and private sector face. Therefore, 
it is an issue we must tackle together. Our Nation's cyber work 
force challenges are widespread and must be addressed through a 
strategic and crosscutting approach that avoids duplication. 
It's important for Congress to evaluate the appropriate roles 
and responsibilities for Federal agencies and the private 
sector to develop the cyber work force.
    I am pleased to welcome four expert witnesses who can shed 
light on private-sector efforts to move the needle forward. I 
hope to hear about what cyber work force initiatives are 
successfully developing private-sector talent and where 
improvements could be made. I'm specifically interested in 
hearing about creative models of education and training, like 
apprenticeships and community college programs, and also about 
some of the efforts to quantify challenges we face and provide 
scalable solutions.
    These creative models from our witnesses and other leaders 
in the field will be key as we see increased demand for skill 
sets in emerging technologies such as AI. I encourage CISA to 
leverage the innovative initiatives of the private sector to 
grow the national cyber work force at all levels via both 
traditional and nontraditional pathways.
    This hearing will be a starting point for our subcommittee 
to evaluate the current state of the national cybersecurity 
work force and discuss solutions. As we anticipate the Office 
of National Cyber Director's National Cyber Workforce and 
Education Strategy, I hope to tease out specific areas where 
Congress can complement and build upon existing lines of effort 
across the Federal Government.
    I look forward to addressing this challenge in a bipartisan 
manner with my colleagues across the aisle. Thank you all again 
for being here today, and thank you for being great partners to 
the Government in this endeavor.
    [The statement of Chairman Garbarino follows:]
               Statement of Chairman Andrew R. Garbarino
                             June 22, 2023
    Thank you all for joining us today for a discussion on my biggest 
priority as Chairman of this subcommittee--addressing the cybersecurity 
workforce shortage.
    Over the last several months, this subcommittee has taken a broad 
look at the Cybersecurity and Infrastructure Security Agency, or 
CISA's, development since 2018 and its increasingly important role in 
mitigating risk across Federal networks and critical infrastructure. 
But in order for CISA, and any public or private entity for that 
matter, to be successful in executing its important mission, it must 
have a robust cybersecurity workforce.
    Some estimates say that the United States currently has more than 
660,000 cyber job openings nationally. In addition to the overall 
shortage of cyber professionals, 61 percent of those who are employed 
say they are burned out after triaging years of major cyber incidents. 
Research from ISACA, a notable nonprofit organization that conducts an 
annual study of the state of the cyber workforce, shows that 54 percent 
of Government and military stakeholders believe a lack of skills and 
training are the top obstacle for attaining digital trust in an 
organization.
    I have said it before and I will reemphasize my belief that we need 
not only enough people but the right people with the right skills, in 
the right jobs to meet the growing cyber threat.
    In April, the FBI director testified to Congress that even if all 
FBI cyber agents and intel analysts focused on the China threat, 
Chinese hackers would still outnumber our FBI cyber personnel at least 
50 to 1. That is extremely concerning.
    It is clear that the shortage of talent and burnout are issues that 
both the public and private sector face, therefore, it is an issue we 
must tackle together. Our Nation's cyber workforce challenges are wide-
spread and must be addressed through a strategic and cross-cutting 
approach that avoids duplication. It is important for Congress to 
evaluate the appropriate roles and responsibilities for Federal 
agencies and the private sector to develop the cyber workforce.
    I'm pleased to welcome four expert witnesses who can shed light on 
private-sector efforts to move the needle forward. I hope to hear about 
what cyber workforce initiatives are successfully developing private-
sector talent, and where improvements could be made. I'm specifically 
interested in hearing about creative models of education and training, 
like apprenticeships and community college programs, and also about 
some of the efforts to quantify the challenges we face and provide 
scalable solutions.
    These creative models, from our witnesses and other leaders in the 
field, will be key as we see increased demand for skillsets in emerging 
technology such as AI. I encourage CISA to leverage the innovative 
initiatives of the private sector to grow the national cyber workforce 
at all levels via both traditional and non-traditional pathways.
    This hearing will be a starting point for our subcommittee to 
evaluate the current state of the national cybersecurity workforce and 
discuss solutions. As we anticipate the Office of the National Cyber 
Director's National Cyber Workforce and Education Strategy, I hope to 
tease out specific areas where Congress can complement and build upon 
existing lines of effort across the Federal Government.
    I look forward to addressing this challenge in a bipartisan manner 
with my colleagues across the aisle. Thank you all again for being here 
today and thank you for being great partners to the Government in this 
endeavor.

    Mr. Garbarino. I now recognize the Ranking Member, the 
gentleman from California, Mr. Swalwell, for his opening 
statement.
    Mr. Swalwell. Great. I thank the Chairman for his 
leadership and focus on this area, and also want to welcome our 
witnesses.
    You know, you sit at a table that many witnesses have 
beared witness to some of the most divisive, gridlocked, muddy 
issues that our country faces. But you are not among those 
witnesses because you are here for an issue where I don't think 
there's much daylight between my Republican colleagues and my 
Democratic colleagues. I think we understand this issue and 
want to know from you all what we can do together--together 
inside the Congress and together outside with stakeholders.
    So it's incredibly important topic, as the Chairman said, 
and we're focused on addressing the shortage of trained 
cybersecurity professionals, which you all know is not a new 
problem; it's actually a growing problem.
    I represent two national laboratories, Lawrence Livermore 
and Sandia in Livermore, California, where I live. We have 
heard from them and tech and cybersecurity firms about the 
tremendous challenge that they're facing every day in meeting 
their cyber needs.
    After engaging with a range of stakeholders in both the OT 
and IT spaces, I and my team have learned a lot about the 
complexity of the workforce challenge and the range of skill 
sets needed to ensure that we secure the network technologies 
we rely upon every day.
    Last Congress, I introduced and passed the Industrial 
Control Systems Cybersecurity Training Act, which authorized 
CISA's ICS training program, which was enacted into law as part 
of the National Defense Authorization Act. Through that 
program, CISA trains over 25,000 students every year, either in 
person or virtually, to secure the hardware and software used 
in water treatment facilities, power transmission and 
distribution, and other high-value critical infrastructure.
    As we look to build on and build out on previous work like 
the ICS bill, we must continue to expand the Federal 
Government's support for cybersecurity training while also 
tailoring efforts to align with the skills needed by private-
sector employers.
    This hearing today will help our subcommittee gain a better 
understanding of the specific causes contributing to the 
cybersecurity work force shortage and help us develop solutions 
going forward.
    As the White House works to finalize its National Cyber 
Workforce Education Strategy, it's critical that Congress can 
be an active partner in implementing policies and providing 
resources to expand the cyber talent pipeline and ensure we 
have the work force necessary to maintain, as the Chairman 
said, our advantage against adversaries who are outnumbering 
us, like China and Russia.
    Addressing this problem requires a coordinated approach 
that brings together multiple Federal agencies, our Nation's 
universities, community colleges, and too often as we've seen, 
K-12 schools, as well as the private sector.
    With CISA's extensive experience in public-private 
partnerships, I know it will have an important role as a part 
of this broader strategy, and the subcommittee stands ready to 
make sure it has authorities and resources necessary to play a 
role in the work force shortage.
    Finally, the National Cybersecurity Strategy released 
earlier this year makes clear that addressing the lack of 
diversity in the work force is, ``both a moral necessity and a 
strategic importance.'' We simply will not be able to close the 
gap between employer demand and the available talent pool if we 
do not do more to bring women, people of color, immigrants, and 
other underrepresented groups into the cyber talent pipeline.
    Building a robust cyber work force also provides an 
opportunity to train and leverage the talent of our veterans, 
who bring with them the experience, skill, and discipline that 
makes them an irreplaceable asset to any cybersecurity team.
    Look forward to hearing from the panel of witness. Again, I 
thank the Chairman for what I think is going to be a very 
productive hearing.
    I yield back.
    [The statement of Ranking Member Swalwell follows:]
              Statement of Ranking Member Eric M. Swalwell
                             June 22, 2023
    Good morning. I want to thank my friend, Chairman Garbarino, for 
holding today's hearing on growing the national cybersecurity talent 
pipeline.
    It is an incredibly important topic, and one that both of us share 
as a top priority for this Congress.
    The shortage of trained cybersecurity professionals is not a new 
problem.
    For years, I have heard from the national labs and the tech and 
cybersecurity companies in my district about the tremendous challenges 
they face filling cybersecurity positions.
    After engaging with a range of stakeholders in both the OT and IT 
spaces, I learned more about the complexity of the workforce challenge 
and the range of skill sets needed to secure the networked technologies 
we rely on every day.
    For that reason, last Congress, I introduced the Industrial Control 
Systems Cybersecurity Training Act, authorizing CISA's ICS training 
program, which was enacted into law as part of last year's National 
Defense Authorization Act.
    Through that program, CISA trains over 25,000 students annually--
either in-person or virtually--to secure the hardware and software used 
in water treatment facilities, power transmission and distribution, and 
other high-value critical infrastructure our adversaries target.
    As we look to build on previous work like that legislation, we must 
continue to expand the Federal Government's support for cybersecurity 
training, while tailoring efforts to align with the skills needed by 
employers and the demands of emerging technologies.
    In doing so, we must ensure our cybersecurity curriculum and 
training programs are not static and instead evolve as we deploy new 
technologies like Artificial Technology and Machine Learning that can 
both improve network security and introduce new risks.
    This hearing today will help the subcommittee gain a better 
understanding of the specific causes contributing to the cybersecurity 
workforce shortage and help us develop solutions going forward.
    As the White House works to finalize its National Cyber Workforce 
and Education Strategy, it is critical that Congress be an active 
partner in implementing policies and providing resources to expand the 
cyber talent pipeline and ensure we have the workforce necessary to 
maintain our advantage against adversaries like Russia and China.
    Addressing this problem will require a coordinated approach that 
brings together multiple Federal agencies, our Nation's universities, 
community colleges, and K-12 schools, and our private sector, which 
includes many of the world's leading technology and cybersecurity 
firms.
    With CISA's extensive experience in public-private partnerships and 
its cybersecurity expertise, I know that it will have an important role 
as part of this broader strategy, and this subcommittee stands ready to 
ensure it has the authorities and resources necessary to contribute.
    Finally, the National Cybersecurity Strategy released earlier this 
year makes clear, addressing the lack of diversity in the cybersecurity 
workforce ``is both a moral necessity and a strategic imperative.''
    We simply will not be able to close the gap between employer demand 
for skilled cybersecurity professionals and the available talent pool 
if we do not do more to bring women, people of color, and other 
underrepresented groups into the cyber talent pipeline.
    Building a robust cyber workforce also presents an opportunity to 
train and leverage the talent of our veterans, who bring with them the 
experience, skill, and discipline that would make them an asset to any 
security team.
    I know our panel of witnesses today shares this priority, and I 
look forward to hearing their ideas for how we can address this 
challenge.
    As we look to implement cyber workforce policies, I am committed to 
ensuring they reflect the need for our cyber workforce to include the 
full diversity of our Nation.
    I thank the witnesses for joining us today and look forward to 
their testimony.
    I yield back.

    Mr. Garbarino. Thank you, Ranking Member Swalwell.
    Other Members of the committee are reminded that opening 
statements may be submitted for the record.
    [The statement of Ranking Member Thompson follows:]
             Statement of Ranking Member Bennie G. Thompson
                             June 22, 2023
    Good morning. I want to thank Chairman Garbarino and Ranking Member 
Swalwell for holding this important hearing.
    Growing the national cybersecurity talent pipeline has been a long-
standing priority for the Homeland Security Committee.
    While we have done important work in recent years in enacting 
legislation for CISA to provide critical assistance for industrial 
control systems cybersecurity training and for K-12 cybersecurity 
education, the cybersecurity workforce shortage has proven to be a 
stubborn challenge.
    It is apparent that much more needs to be done to develop the next 
generation of cyber talent, re-skill our current workforce to fill 
cybersecurity vacancies that exist today, and build a more inclusive 
workforce that makes full use of the diversity that makes our Nation so 
great.
    To help cultivate the next generation of diverse cybersecurity 
leaders, I worked with then-Intelligence Committee Chairman Adam Schiff 
to establish the DHS Intelligence and Cybersecurity Fellowship Program, 
providing a diverse set of college students the opportunity to work for 
a summer at DHS on intelligence and cybersecurity matters.
    Earlier this month, I had the opportunity to meet the inaugural 
class of fellows and was impressed by their knowledge and commitment to 
public service.
    Unfortunately, just this week, Republicans on the Appropriations 
Committee have advanced a fiscal year 2024 appropriations bill that 
would eliminate funding for this important program.
    This is the exact opposite of what we need to do if we are going to 
address our shortage of cyber talent.
    The young people I met this month are precisely the kind of bright 
and talented individuals we need working in cybersecurity, especially 
in the Federal Government where the challenge of recruiting qualified 
cyber professionals has been particularly acute.
    As we move through the appropriations process, I will fight to 
restore funding for this important program, and I hope the bipartisan 
membership of this committee will support me in this effort.
    Instead of following the lead of the Appropriations Committee in 
cutting back support for the development of the cyber workforce, we 
must continue to look for innovative ways to bring more people into the 
talent pipeline.
    The panel of witnesses we have before us today have extensive 
expertise on both the causes of our existing shortage and the solutions 
that we must implement if we are to grow our cyber workforce.
    We know that there is no single program that will solve this 
problem overnight, but if we build cybersecurity education into our K-
12 curriculum, expand opportunities for cybersecurity training--whether 
in the form of certifications, apprenticeships, or degrees--and 
increase outreach to women and people of color, we should be able to 
make real progress.
    With partners in the Executive branch like Acting National Cyber 
Director Kemba Walden, DHS Secretary Alejandro Mayorkas, and CISA 
Director Jen Easterly, who all share our interest in tackling this on-
going problem, I am confident that we will have a National Cyber 
Workforce and Education Strategy that reflects this multi-pronged 
approach.
    I look forward to working with the Members of this committee to 
ensure we have the legislation and resources necessary to implement it.
    I thank our witnesses for sharing their perspectives with us.
    I yield back.

    Mr. Garbarino. I am pleased to have four witnesses before 
us today to discuss this very important topic. I ask that our 
witnesses please raise--rise and raise their right hand.
    [Witnesses sworn.]
    Mr. Garbarino. Let the record reflect that the witnesses 
have answered in the affirmative.
    Thank you. Please be seated.
    I would now like to formally introduce our witnesses.
    Anjelica Dortch is the senior director for the U.S. 
Government Affairs at SAP America. She manages the company's 
cybersecurity, artificial intelligence, and work force policy 
portfolio. Ms. Dortch also spent 10 years working in the 
Federal Government, including in the Executive Office of the 
President as a senior technology advisor, where she led the 
coordination of several Government-wide cyber work force 
initiatives.
    Will Markow is the vice president of applied research at 
Lightcast. He oversees Lightcast's consulting and research team 
focused on strategic work force planning and the impact of 
emerging trends and technologies on the work force. Mr. Markow 
leads the development of cyberseek.org, a cybersecurity work 
force, analytics, and career platform to provide data on the 
cybersecurity work forces across the United States.
    Tara Wisniewski is the executive vice president for 
advocacy, global markets, and member engagement at ISC2. She is 
responsible for leading growth of the ISC2 global advocacy 
program and oversees the association's Center for Cyber Safety 
and Education.
    Finally, Colonel Chris Starling is the executive director 
of NPower California. In this role, he recruits and trains 
veterans, veteran spouses, and young adults in IT fundamentals 
and places them in IT jobs across California. Colonel Starling 
is a United States Marine Corps veteran with 26 years of 
active-duty service. Thank you for your service, sir.
    Thank you all for being here today.
    Ms. Dortch, I now recognize you for 5 minutes to summarize 
your opening statement.

STATEMENT OF ANJELICA DORTCH, SENIOR DIRECTOR, U.S. GOVERNMENT 
                   AFFAIRS, SAP AMERICA, INC.

    Ms. Dortch. Thank you.
    Chairman Garbarino, Ranking Member Swalwell, and Members of 
the Subcommittee on Cybersecurity and Infrastructure 
Protection, thank you for the opportunity to appear before you 
today to discuss the importance of growing our Nation's 
cybersecurity talent pipeline.
    My name is Anjelica Dortch, and I am the senior director of 
U.S. Government affairs and head of cybersecurity policy at--
for SAP, the world's largest enterprise software application 
provider.
    On behalf of SAP, I commend the subcommittee for working 
together to highlight innovative approaches that address the 
long-standing challenges we face as a Nation in developing, 
attracting, and retaining cybersecurity professionals.
    My testimony will address the role SAP plays in creating 
opportunities for current and future cybersecurity 
professionals and our commitment to help close the 
cybersecurity skills gap. Let me share some of our most recent 
achievements in this area.
    For over 50 years, SAP has worked to foster trust through 
responsible actions. As of 2023, the SAP Global Security team 
has surpassed the national average of women working in 
cybersecurity, and it has more than doubled the number of women 
in cybersecurity management roles.
    Additionally, the generational diversity of the SAP Global 
Security team is drastically different than that of the U.S. 
Federal Government. Over 60 percent of the organization is 
comprised of millennial and Gen Z cybersecurity professionals. 
Meanwhile, only 4 percent of technology professionals in the 
U.S. Federal Government are under the age of 30.
    Our Government Security and Secrecy team, or GS2, is 
comprised of former national security professionals who spent 
upwards of 30 years working for the Government. In the past 12 
months alone, the GS2 team has grown 34 percent by attracting 
cleared national security professionals to SAP. Close to 40 
percent of the team is made up of women, and they are only 7 
percent away from reaching 50/50 gender parity of women in 
management roles.
    But how are we growing a diverse cybersecurity talent 
pipeline at SAP? I'll briefly highlight three programs.
    SAP established the Global Security Early Talent Program. 
This is a 2-year program that is designed for high-performing 
early career individuals with little to no professional 
experience. All participants conduct rotations in the United 
States and abroad, and after completing the program, 
participants move into a new full-time role that best matches 
their skill sets and their interests. This model has expanded 
and diversified our pool of cybersecurity candidates, along 
with achieving higher rates of retention. Additionally, these 
types of rotational programs provide greater exposure and 
flexibility for young professionals to explore different 
specialties within this field rather than locking them into 
distinct roles or occupational series.
    Now, at SAP, we view neurodiversity as a competitive 
advantage. That's why in 2013 we launched a groundbreaking 
Autism at Work Program which leverages the unique abilities and 
perspectives of colleagues on the spectrum to foster inclusion 
at SAP. We have the longest-running Autism at Work Program 
among major companies. We support neurodiverse professionals 
during the hiring process, and offer a variety of resources to 
facilitate the success of employees once they are onboarded. 
But to help neurodiverse professionals realize their potential, 
most organizations must adjust their recruitment selection and 
career development policies to reflect a broader definition of 
talent.
    Last, SAP National Security Services, or NS2, an 
independent U.S. subsidiary of SAP, established a nonprofit 
called NS2 Serves. This program was founded to support and 
empower veterans in their transition into critically-needed 
national security roles. NS2 Serves is committed to train and 
place 600 veterans in national security careers by 2025. To 
date, we have trained over 400 veterans and achieved more than 
90 percent graduation rate. As a result, all graduates of NS2 
Serves have gained job offers, and SAP NS2 will continue to 
make the necessary investments to provide veterans with a 
pathway into national security careers.
    In closing, it has been an honor to appear before this 
subcommittee today on behalf of SAP. It is my hope that my 
testimony supports the advancement of positive change that 
leads to a more secure Nation.
    Thank you, Chairman Garbarino, Ranking Member Swalwell, and 
Members of the subcommittee, for your dedication to growing our 
Nation's cybersecurity talent pipeline. I'd be happy to answer 
any of your questions.
    Thank you.
    [The prepared statement of Ms. Dortch follows:]
                 Prepared Statement of Anjelica Dortch
                             June 22, 2023
    Chairman Garbarino, Ranking Member Swalwell, and Members of the 
Subcommittee on Cybersecurity and Infrastructure Protection, thank you 
for the opportunity to appear before you today to discuss the 
importance of growing our Nation's cybersecurity talent pipeline. My 
name is Anjelica Dortch, and I am the senior director of U.S. 
Government Affairs and Head of Global Cybersecurity Policy for SAP--the 
world's largest enterprise software application provider.
    On behalf of SAP, I commend this subcommittee for working together 
to highlight innovative approaches that address the long-standing 
challenges we face as a Nation in developing, attracting, and retaining 
cybersecurity professionals. My testimony will address the role SAP 
plays in creating opportunities for current and future cybersecurity 
professionals and our commitment to help close the cybersecurity skills 
gap.
    I would first like to provide the subcommittee with a brief 
overview of my professional background. Prior to joining SAP, I led 
scale-up of tech policy positions at IBM within the Government and 
Regulatory Affairs team with a focus on artificial intelligence, hybrid 
cloud, and intellectual property. I spent 10 years working for a 
variety of U.S. Federal agencies including the Executive Office of the 
President as a senior technology advisor where I led coordination of 
several cybersecurity workforce initiatives to include leading the 
first-ever Government-wide tech and cyber hiring event and the Federal 
cybersecurity reskilling academy. Additionally, I contributed to the 
development of U.S. policies and strategies including the 2018 National 
Cybersecurity Strategy, the Presidential Executive Order on America's 
Cybersecurity Workforce, the U.S. Federal Cloud Computing Strategy (or 
Cloud Smart), and the Administration's Report on Artificial 
Intelligence. Last, I'm passionate about getting individuals who look 
like me into the cybersecurity field.
                               about sap
    SAP is a globally-recognized technology leader helping 
organizations of all sizes and in all sectors run at their best. Our 
customers generate 87 percent of total global commerce ($46 trillion). 
Additionally, 99 out of the 100 largest companies in the world are SAP 
customers. We operate in over 150 countries and have over 100,000 team 
members world-wide. From manufacturing and distribution of vaccines to 
modernizing the U.S. Department of Defense travel management system, 
SAP's core purpose is to help the world run better and improve people's 
lives. I believe SAP is uniquely suited to provide the subcommittee 
with insights today into the opportunities and challenges we face in 
addressing critical shortages in America's cybersecurity talent 
pipeline.
                            our achievements
    For over 50 years, SAP has worked to foster trust through 
responsible actions in the context of security, privacy, compliance, 
and transparency. To achieve this, we rely on talented cyber and 
national security professionals from around the world. I'd like to 
highlight two organizations at SAP that play a critical role in (1) 
strengthening the security of SAP and our customers and (2) ensuring we 
fulfill national security requirements and comply with critical 
infrastructure regulations.
    Our SAP Global Security team (or SGS) is responsible for product 
and application security, cyber defense and design, security risk and 
compliance, physical security, and most of all trust. Through the 
leadership of our SAP chief security officer, Mr. Timothy McKnight, we 
have made significant inroads in attracting, retaining, and growing a 
diverse and high-performing global security team. As of 2023, the SAP 
Global Security team has surpassed the national average of women 
working in cybersecurity, and it has more than doubled the number of 
women in cybersecurity management roles. The office of the chief trust 
officer within our security organization has reached 50/50 gender 
parity. Furthermore, the generational diversity of the SAP Global 
Security team is drastically different than that of the U.S. Federal 
Government. Over 60 percent of the organization is comprised of 
Millennial and Gen Z cybersecurity professionals. Meanwhile, only 4 
percent of technology professionals in the U.S. Federal Government are 
under the age of 30. As you can see, the SAP Global Security Team is 
committed to providing equal opportunities and ensuring that everyone 
has a chance to develop and grow in the cybersecurity space.
    For SAP to serve government customers world-wide, we must also work 
collaboratively with the national security community. Our Government 
Security and Secrecy team (or GS2) led by Mr. Martin Merz, ensures the 
fulfilment of national security requirements, and manages cooperation 
and coordination with all relevant Government security authorities. 
Most of this team is comprised of former national security 
professionals who spent upwards of 30 years working for the Government. 
In the past 12 months alone, the Government Security and Secrecy team 
has grown 34 percent by attracting cleared national security 
professionals to SAP. Close to 40 percent of this team is made up of 
women, and they are only 7 percent away from reaching 50/50 gender 
parity for women in management roles.
   how are we growing a diverse cybersecurity talent pipeline at sap?
Early Talent Program
    To attract and recruit young or early career cybersecurity 
professionals, SAP established the Global Security Early Talent 
Program.\1\ This 2-year program is designed for high-performing early 
career professionals, with little to no professional experience, and 
have a basic understanding of information technology and security 
topics. All participants start the program with their first rotation at 
our SAP America headquarters in Newtown Square, Pennsylvania, and spend 
at least one rotation abroad at our SAP global headquarters in Waldorf, 
Germany. The 6 months abroad is fully covered by the Global Security 
Early Talent Program. After completing the Security Rotational Program, 
participants move into a new full-time role within the SAP Global 
Security team that best matches their skills and interests. This model 
has expanded and diversified our pool of cybersecurity candidates, 
along with higher retention rates once program participants shift to 
full-time roles. Additionally, these types of rotational programs 
provide greater exposure and flexibility for early career cybersecurity 
professionals to explore different roles or specialties within this 
field rather than immediately locking them into a distinct role or 
occupational series.
---------------------------------------------------------------------------
    \1\ Global Security Early Talent Program at SAP--https://
www.sap.com/documents/2022/01/de2934fb-127e-0010-bca6-
c68f7e60039b.html.
---------------------------------------------------------------------------
Autism at Work Program
    At SAP, we view neurodiversity as a competitive advantage. That's 
why in 2013 we launched a groundbreaking Autism at Work program which 
leverages the unique abilities and perspectives of colleagues on the 
spectrum to foster inclusion at SAP.\2\ We have the longest-running 
Autism at Work program among major companies. The SAP Autism at Work 
program provides a pathway and support for neurodiverse cybersecurity 
professionals. We support neurodiverse candidates during the hiring 
process and offer a variety of resources to facilitate the success of 
the employee once they are onboarded. Neurodiverse individuals 
frequently need workplace accommodations, such as headphones to prevent 
auditory overstimulation in order to activate or maximally leverage 
their abilities. In many cases the accommodations are manageable, and 
the returns are great for both the employee and employer. But to 
realize the benefits, most organizations must adjust their recruitment, 
selection, and career development policies to reflect a broader 
definition of talent.
---------------------------------------------------------------------------
    \2\ SAP Autism at Work Program--https://www.sap.com/about/careers/
your-career/autism-at-work-program.
---------------------------------------------------------------------------
SAP NS2 Serves
    The U.S. Department of Veteran Affairs estimates there are over 19 
million living veterans in America. To address the growing need to 
support veterans and their transition into critically needed national 
security roles, SAP National Security Services (or NS2)--an independent 
U.S. subsidiary of SAP--established NS2 Serves.\3\ The program was 
founded to empower veterans and ease their integration into civilian 
life by providing free, skills-based training for today's high-demand, 
high-tech careers. NS2 Serves provides free training and employment 
assistance to veterans. The program is available to impending or 
honorably discharged post-9/11 U.S. military service veterans, who have 
left service in the last 10 years and reservists (including disabled 
veterans), service members with orders to leave active duty, and Gold 
Star spouses who meet eligibility requirements. The 8-12-week intensive 
program provides students at all technical levels with world-class 
software solutions training and certifications for a variety of well-
paying careers within U.S. national security and commercial 
enterprises. NS2 Serves is committed to train and place 600 veterans in 
new national security careers by 2025. To date, we have trained over 
400 veterans and achieved more than a 90 percent graduation rate. As a 
result, all graduates of NS2 Serves have gained job offers. This 
program gives veterans valuable skill sets and a high degree of 
employability. They can achieve a strong sense of purpose that often 
averts some of the impacts of Post-Traumatic Stress Disorder (PTSD), 
homelessness, and other mental health challenges. Many of our veterans 
want to continue to contribute to their country, and they can do so 
across our Government where SAP technologies are widely used. SAP NS2 
is making the investment to provide veterans with that pathway. The 
next cohort will launch Fall 2023.
---------------------------------------------------------------------------
    \3\ NS2 Serves Training & Employing Veteran Program--https://
ns2serves.org/.
---------------------------------------------------------------------------
Apprenticeships
    As a multi-national organization operating in more than 150 
countries, SAP views apprenticeships as an integral part of the 
development, recruitment, and retention of our workforce. At the SAP 
global headquarters in Waldorf, Germany approximately 25 percent of our 
team members joined through an apprenticeship. Last year, the 
administration announced the 120-day Cybersecurity Apprenticeship 
Sprint to increase awareness of current cybersecurity-related 
registered apprenticeship programs while recruiting employers and 
industry associates to expand and promote apprenticeships. However, the 
pathway to establish a U.S.-based apprentice program comes with 
obstacles and challenges that this committee should explore.
An Ambitious Diversity, Equity, and Inclusion (DEI) Strategy
    The data is clear, a diverse and inclusive workplace leads to more 
innovation and allows us to better serve and represent our customers 
around the globe. At SAP, DEI is part of our DNA. We are intentional 
about addressing representation gaps within the technology sector to 
include cybersecurity roles. In 2017, we set a goal of 35 percent women 
in our workforce by 2030, and in December 2022, we achieved that goal. 
Our next goal is to reach 50/50 gender parity globally. We hold 
ourselves accountable by publishing our progress and specific goals, 
including increasing the number of women in technical roles to 40 
percent and doubling the number of women and underrepresented 
minorities in senior roles by 2030. We intentionally work to attract, 
hire, retain, and develop talented people of diverse backgrounds, 
points of view, and experiences. Our strong commitment to allyship 
drives a more open, accepting, and inclusive culture, so people can 
bring their whole selves to work and perform at their best.
SAP University Alliances
    For more than 25 years, SAP has worked to establish relationships 
with academic institutions across the world through our University 
Alliances Program. In the United States, we engage between 125,000 to 
150,000 students per year through roughly 400 established partnerships 
with universities and community colleges. The program includes Minority 
Serving Institutions (MSIs) to include Morehouse, Spellman, and 
Fayetteville University. We continue to expand these alliances across 
the world to create new awareness and enthusiasm for SAP and career 
opportunities in the cybersecurity field.
An Education-Focused Corporate Social Responsibility Strategy
    SAP believes that investing in education is investing in the skills 
and talents of the next generation--the foundation for the future 
growth and prosperity of our Nation. We invest in innovative education 
models and foster our engagement with multistakeholder partnerships to 
enable pathways to employment and entrepreneurship in the digital, 
social, and green economy for youth in need (under-represented, under-
served, and under-privileged youth between the age of 16 to 24). Last 
year, SAP began supporting the Last Mile Education Fund \4\--a program 
focused on increasing diversity in tech by addressing critical gaps in 
financial support for low-income underrepresented students. For 
example, Sadie, a first-generation college student and a member of the 
Tohono O'odham Tribe, triumphed over the challenges of growing up on a 
rural reservation where she faced unique challenges due to the limited 
resources and opportunities. Despite the scarcity of Native Americans 
in tech, Sadie became one of the first in her village (Pisinmo'o) to 
earn a cybersecurity degree. Now, she is on her way to becoming a 
product manager at a leading cybersecurity company, blazing a trail for 
others in her community. Sadie's journey embodies resilience, 
determination, and the power to redefine what is possible in the 
cybersecurity space. More partnerships and investments into innovative 
programs like the Last Mile Education Fund are needed to help 
individuals overcome socioeconomic barriers to starting a career in 
cybersecurity.
---------------------------------------------------------------------------
    \4\ SAP Partners with Last Mile Education Fund--https://
news.sap.com/2022/06/last-mile-close-technology-gender-gap/.
---------------------------------------------------------------------------
                 international observations and trends
Immigration Reforms Outside the United States
    With a global footprint spanning over 150 countries, SAP can share 
international observations and growing trends in workforce development. 
The global cybersecurity talent shortage has forced some of our allies 
to explore reforms to their immigration policies for the purposes of 
removing migration hurdles for high-skilled workers in technology and 
cybersecurity roles. Canada, Australia, and Germany are currently 
instituting reforms that amend education, employment, language, and 
compensation requirements. In some instances, the path to achieving 
dual citizenship has been lowered to ensure retention of migrants who 
make significant contributions to the economic prosperity of the 
country. Some of these reforms include launching a streamlined process 
powered by user-friendly web-based applications that provide 
immigration decisions within 30 to 60 days. Overall, the competition 
for American cybersecurity professionals will continue to increase as 
allied nations enact ``cyber visas'' to attract top talent to their 
regions.
European Union Cybersecurity Skills Academy
    In April, the European Union launched the Cyber Skills Academy \5\ 
which is a European initiative aimed at bringing together existing 
cybersecurity education programs and improving their coordination, to 
close the cybersecurity talent gap and boost European Unions's 
competitiveness, growth, and resilience. The Cyber Skills Academy is 
built on four pillars. The first pillar addresses education and 
training to foster E.U. cybersecurity knowledge. The second pillar will 
provide information on certification capacity and visibility into 
funding opportunities. The third pillar includes stakeholder 
involvement, and the fourth pillar will monitor progress of the 
initiative. E.U. member states and industry have been urged to support 
the development and recognition of micro-credentials, and the E.U. 
Commission is tasked with creating a centralized repository for all 
E.U. cybersecurity programs, trainings, and certifications via the 
``Digital Skills and Jobs Platform'' by the end of 2023. The success of 
the European Union's efforts to bolster its cybersecurity pipeline will 
depend on a strong collaboration with industry and E.U. member-states. 
We encourage the subcommittee to continue monitoring the progress of 
this national initiative.
---------------------------------------------------------------------------
    \5\ European Union Cybersecurity Skills Academy--https://digital-
skills-jobs.europa.eu/en/cybersecurity-skills-academy.
---------------------------------------------------------------------------
                            recommendations
    With growing demands for cybersecurity talent, Congress has an 
opportunity to drive impactful reforms that can give Americans multiple 
pathways into cybersecurity careers. The United States has a tremendous 
opportunity to engage, employ, and develop a more inclusive and diverse 
workforce into high-demand, high-paying cybersecurity jobs that can 
strengthen our national security and economic prosperity. SAP submits 
the following recommendations and actions for consideration by 
Congress:
    1. Pass the Jumpstart Our Businesses by Supporting Students Act of 
        2023 (or the JOBS Act), cosponsored by Representatives Bill 
        Johnson, Lisa Blunt Rochester, Michael Turner, and Miki 
        Sherrill. The bill would extend Pell grant eligibility to 
        short-term job training programs for high-demand occupations 
        like cybersecurity.
    2. Scale and centralize successful job training and employment 
        programs that transition veterans more easily into cyber and 
        national security roles.
    3. Identify and highlight best practices for providing neurodiverse 
        Americans a pathway to join the cybersecurity workforce.
    4. Shift the U.S. Federal Government away from ``home-grown'' human 
        capital management solutions and toward trusted and robust 
        commercial solutions that can reduce the time-to-hire and 
        improve the user experience for cybersecurity professionals 
        seeking to join the civil service.
    In closing, it has been an honor to appear before this subcommittee 
today on behalf of SAP. It is my hope that these recommendations, 
observations, and best practices support the advancement of positive 
change that leads to a more secure Nation. Thank you, Chairman 
Garbarino, Ranking Member Swalwell, and Members of the subcommittee for 
your dedication to growing our Nation's cybersecurity talent pipeline. 
I'll be happy to answer any of your questions.

    Mr. Garbarino. Thank you, Ms. Dortch.
    Mr. Markow, I now recognize you for 5 minutes to summarize 
your opening statement.

 STATEMENT OF WILL MARKOW, VICE PRESIDENT OF APPLIED RESEARCH, 
   ADVOCACY, GLOBAL MARKETS, AND MEMBER ENGAGEMENT, LIGHTCAST

    Mr. Markow. Chairman Garbarino, Ranking Member Swalwell, 
and Members of the subcommittee, thank you for the opportunity 
to speak with you today.
    As the lines between our physical and digital lives 
continue to blur, protecting our digital security has emerged 
as a defining challenge of our time. Although this challenge 
must be met by stakeholders across our Nation, the ultimate 
responsibility for our digital security rests firmly on the 
shoulders of our cybersecurity work force. However, this work 
force faces persistent talent challenges that choke our cyber 
talent pipeline and hobble efforts to build the work force we 
need to secure our digital infrastructure.
    It is against this backdrop that Lightcast has researched 
the cybersecurity work force for over a decade. Lightcast is 
the leading global authority on the labor market, with over 20 
years of experience providing best-in-class data and insights 
to thousands of educators, employers, government agencies, and 
other institutions.
    Throughout this time, our research has consistently pointed 
to a sobering conclusion: The cybersecurity talent pipeline is 
severely broken. In the past 12 months, there were over 660,000 
cybersecurity job openings in the United States, but we only 
had 69 skilled cybersecurity workers for every 100 that 
employers demand. This means we are stepping onto the digital 
battlefield missing nearly a third of our army, and the 
consequences of this talent shortage echo across our country.
    We find that this talent shortage stems from two critical 
gaps: A talent gap resulting from rapid growth and skill 
evolution in the field, and an expectations gap resulting from 
the belief among many employers that they must hire workers 
with inflated credentials or many years of work experience. 
These gaps have formed a perfect storm of market failures. As a 
result, fixing the cyber talent pipeline has become a problem 
of remarkable complexity, and solving this problem is 
impossible without shared visibility for all stakeholders into 
the needs of our cyber work force.
    It was this need for shared visibility that catalyzed our 
development of cyberseek.org, a cybersecurity work force 
exploration platform. CyberSeek includes a supply-and-demand 
heat map, cyber career pathways, and a map of local training 
providers, all of which are completely free to the public. 
CyberSeek also includes links to other resources and maps 
market data to the NICE Workforce Framework for Cybersecurity.
    Since its release, CyberSeek has become widely used within 
the cyber community, from students and professors to policy 
makers and hiring managers. Lightcast is proud to develop 
CyberSeek in partnership with NICE and CompTIA, thanks to 
funding through a grant from NIST.
    In addition to CyberSeek, Lightcast also supports cyber 
talent development by providing data, software, and consulting 
services directly to employers, educators, and other 
stakeholders working to grow our Nation's pool of cybersecurity 
professionals.
    Our work across the cyber ecosystem gives us a unique 
vantage point on how the Federal Government may help strengthen 
the cybersecurity talent pipeline. In our view, there are three 
main levers that Federal actors have at their disposal: 
information, incentives, and standards. In practice, this means 
that Federal agencies such as CISA and NIST can share 
information about cyber training and hiring best practices, and 
Federal employers can even become exemplars for innovative 
skills-based hiring, such as lowering job requirements, 
training for high growth and high-value skills, and building 
career pathways to support internal advancement and mobility.
    The Federal Government can also offer incentives that 
improve the economics of growing the cyber work force, such as 
joint training or talent-sharing programs with private 
employers or expanded access to tools, funding, tax incentives, 
or other resources.
    Last, the Federal Government can develop standards that 
detail best practices related to cyber work force development, 
training, and hiring, as well as promote existing best-in-class 
standards such as the NICE Framework.
    In conclusion, expanding the cybersecurity talent pipeline 
is undoubtedly a complex issue. It requires coordination across 
a constellation of educators, employers, and individuals. 
Aligning this diverse ecosystem of stakeholders requires a 
shared understanding of the problem and clear, level-headed 
guidance on how to solve it.
    Thankfully, thousands of stakeholders across the country 
are already facing this challenge head-on. Lightcast is 
committed to working with these stakeholders, and we welcome 
collaboration with anyone interested in creative, data-backed 
solutions to cybersecurity's talent pipeline challenges.
    Thank you, again, for the opportunity to participate in 
this hearing, and I look forward to answering your questions.
    [The prepared statement of Mr. Markow follows:]
                   Prepared Statement of Will Markow
                             June 22, 2023
                              introduction
    Chairman Garbarino, Ranking Member Swalwell, and Members of the 
committee, on behalf of Lightcast, thank you for the opportunity to 
appear before you today.
    As the lines between our physical and digital lives continue to 
blur, protecting our digital security has emerged as a defining 
challenge of our time. Although this challenge must be met by a mix of 
people, process, policy, and technology, the ultimate responsibility 
for our digital security rests firmly on the shoulders of our 
cybersecurity workforce. However, this workforce faces persistent 
talent challenges that choke our cyber talent pipeline and hobble 
efforts to build the workforce we need to secure our digital 
infrastructure.
    It is against this backdrop that Lightcast researches and 
quantifies the cybersecurity workforce. We work with institutions 
across the public and private sectors to arm them with the data and 
insights they need to expand the cybersecurity talent pipeline and 
build a world-class cybersecurity workforce.
   lightcast is the leading global authority on the labor market--in 
                        cybersecurity and beyond
    Lightcast is the leading global authority on the labor market. We 
connect people with jobs by providing businesses, communities, and 
education institutions with the best labor market data and insights 
possible. Our data-driven insight enables better, faster decisions. To 
that end, we provide software products, APIs, and consulting services 
to employers, educators, governments, nonprofit organizations, and 
other institutions. We collect data from government agencies, on-line 
job postings, worker histories, and other sources from over 130 
countries across the globe. Lightcast has worked with two-thirds of the 
Fortune 100, 30 States, numerous Federal agencies, hundreds of 
educational institutions, and dozens of nonprofits, among other 
clients.
    Lightcast provides data and insights on all jobs and all 
industries, but we have been researching the cybersecurity workforce in 
further depth for over a decade. In 2013, we found that data about 
cybersecurity jobs were limited, if not missing entirely. This lack of 
data created an information gap that was exacerbating the cybersecurity 
talent gap.
    Since then, we have released multiple reports on the state of the 
cybersecurity workforce in an effort to close this information gap. Our 
research has examined topics such as growth in cybersecurity hiring 
demand, key drivers of cybersecurity talent shortages, emerging 
cybersecurity skill requirements, and unique cybersecurity hiring 
challenges faced by the Federal Government, among other areas of 
relevant research.
 the cybersecurity workforce faces two critical gaps: a talent gap and 
                          an expectations gap
    Lightcast's research over the past 10 years has consistently 
pointed to a sobering conclusion: the cybersecurity talent pipeline is 
broken. From May 2022 through April 2023, there were over 660,000 
cybersecurity job openings in the United States, but we estimate that 
the United States only has 69 skilled cybersecurity workers for every 
100 that employers demand. This means we are stepping onto the digital 
battlefield missing nearly a third of our cyber army.\1\ In practical 
terms, this means we need over 460,000 new skilled cybersecurity 
workers to meet employer demand.\2\
---------------------------------------------------------------------------
    \1\ Reflects the latest data from https://www.cyberseek.org/.
    \2\ https://lightcast.io/resources/blog/cyberseek-06-06-2023.
---------------------------------------------------------------------------
    The consequences of the cybersecurity talent shortage echo across 
the economy. The scale and impact of cyber attacks is well-known, but 
the consequences for companies do not end with digital breaches. Hiring 
costs for cybersecurity workers have skyrocketed, and cybersecurity 
salaries are now 10 percent higher than for other IT workers--despite 
IT already ranking among the highest-paid career fields. Cybersecurity 
jobs also take 21 percent longer to fill than other IT roles,\3\ 
meaning many cybersecurity positions remain empty as our digital 
threats continue to mount.
---------------------------------------------------------------------------
    \3\ Lightcast analysis referenced on https://www.cyberseek.org/.
---------------------------------------------------------------------------
    The root causes of our broken cybersecurity talent pipeline are 
varied, but they can be simplified into two critical gaps: a talent gap 
between supply and demand of cybersecurity workers, and an expectations 
gap between employer demands and the realities of the cybersecurity 
talent pool.
The Cybersecurity Talent Gap
    The talent gap between supply and demand of cybersecurity workers 
stem from the rapid growth and evolution in the field. Historically, 
cybersecurity was not a clearly-delineated field and there was limited, 
if any, training infrastructure in place to prepare cyber workers. As a 
result, many workers found themselves in cybersecurity by happenstance, 
rather than intention. As our world became increasingly digital, 
however, cyber crime flourished. As a result, annual demand for 
cybersecurity workers has grown 200 percent in the past 10 years. Such 
rapid growth is difficult for our education system to catch up with in 
any field, let alone one as technically demanding and dynamic as 
cybersecurity.
    Compounding this problem is the rapid evolution of skill 
requirements in cybersecurity. Cyber threats evolve daily, and the 
skills needed to defend against these threats must evolve as well. In 
just the past 2 years, 24 percent of the top skills for cybersecurity 
professionals have changed. Moreover, demand for emerging cybersecurity 
skills--especially those related to cloud security, automation, and 
secure application development--have grown faster than virtually any 
other skills that Lightcast tracks. These skills cost employers even 
more to fill. Just one emerging skill related to cloud security, for 
example, can command an annual salary premium of $15,000 or more.
    In the face of such rapid skill change and inflated hiring costs, 
most employers struggle to keep the skills of their cybersecurity teams 
up to date. This struggle is even more severe for the Federal 
Government, and many Federal employers lag their private-sector 
counterparts when it comes to adopting emerging skills. Our research 
finds that cybersecurity teams in the private sector are 87 percent 
more likely to request emerging skills than Federal employers. If the 
skills on our Federal cybersecurity teams don't remain current, neither 
can our cyber defenses.
    Last, the cybersecurity talent gap extends to cybersecurity 
leadership as well. Our research found that only 22 percent of 
cybersecurity managers have prior managerial experience. This means 
that nearly 8 in 10 cybersecurity teams are led by someone with no 
prior leadership experience. We also found that, on average, managers 
have been out of school for 11 years--more than enough time for their 
skills to grow stale in such a fast-moving field. This adds another 
dimension to cybersecurity training challenges and requires employers 
to invest in training for business acumen and leadership skills 
alongside technical mastery.\4\
---------------------------------------------------------------------------
    \4\ All data in the preceding section, ``The Cybersecurity Talent 
Gap'', reflect Lightcast analysis of proprietary Lightcast data. The 
data related to Federal cybersecurity hiring is from Lightcast's report 
on the Federal cybersecurity workforce, titled ``Securing a Nation.''
---------------------------------------------------------------------------
The Cybersecurity Expectations Gap
    The second broad cause of the broken cybersecurity talent pipeline 
is an expectations gap between the requirements employers demand and 
the realities of the cybersecurity talent pool.
    In particular, many employers request inflated education and 
experience requirements that limit entry-level cyber opportunities. 
Employers request at least a bachelor's degree in 84 percent of 
cybersecurity job openings. Employers also request at least 3 or more 
years of prior work experience in, again, 84 percent of cybersecurity 
job openings.\5\ Such elevated requirements are not aligned with the 
existing cybersecurity workforce and are rarely needed to perform the 
duties of a cybersecurity job. As a result, they unnecessarily 
constrain the pipeline of entry-level workers and limit opportunities 
to reach a more diverse set of candidates. They also negatively impact 
employee retention: in 2022, the turnover rate for cyber analysts with 
at least a bachelor's degree was 64 percent higher than the turnover 
rate for cyber analysts with an associate degree.\6\
---------------------------------------------------------------------------
    \5\ Reflects Lightcast analysis of proprietary Lightcast data.
    \6\ Reflects Lightcast analysis of proprietary Lightcast data.
---------------------------------------------------------------------------
    Inflated certification requirements are also rampant. While 
certifications can be valuable signals to employers that a candidate 
has a certain level of knowledge, many employers have overloaded their 
job requirements with certifications that are unnecessary for the job 
for which they are hiring. This can artificially filter out otherwise 
qualified candidates who have the right skills, just not the right 
credentials.
    We also have found a misalignment between the degree levels 
students pursue and the degree levels employers request in entry-level 
job opportunities. Every year in the United States, we graduate around 
3,000 fewer students from bachelor's programs in cybersecurity-related 
fields than there are entry-level cybersecurity jobs requesting a 
bachelor's degree. At the same time, we graduate over 2,900 more 
students from associate and master's degree programs in cybersecurity 
than there are entry-level openings demanding these degrees.\7\ If 
employers reduced their degree requirements in roughly one-third of 
entry-level cybersecurity openings, this would nearly erase the degree-
level misalignment between graduates and entry-level job opportunities.
---------------------------------------------------------------------------
    \7\ Reflects Lightcast analysis of 2021 IPEDS data from the 
Department of Education plus proprietary Lightcast data.
---------------------------------------------------------------------------
    This mix of talent challenges, across both the talent gap and 
expectations gap, has formed a perfect storm of market failures. As a 
result, fixing the cybersecurity talent pipeline has become a problem 
of remarkable complexity.
        cyberseek.org: deciphering the cybersecurity job market
    Fixing the cybersecurity talent pipeline requires solutions for 
both the underlying talent gap and the expectations gap. To solve the 
talent gap, we must motivate more workers to enter the field and build 
the training infrastructure to support them. To solve the expectations 
gap, we must provide employers with the resources they need to make 
informed hiring decisions.
    These solutions require tight coordination across employers, 
educators, Government, students, and many other groups throughout the 
country. Aligning this patchwork of stakeholders is impossible without 
shared visibility into cybersecurity workforce needs within communities 
across the country.
    It was this need for shared visibility that catalyzed the 
development of CyberSeek.org, a cybersecurity workforce analytics and 
career pathway platform that is freely available to the public. 
CyberSeek was developed in 2016 through a partnership between 
Lightcast, NICE, and the technology industry association CompTIA. It is 
funded by a grant from the National Institute for Standards and 
Technology. The platform provides actionable, accessible, and up-to-
date information about the cybersecurity workforce in communities 
across the country.
    CyberSeek is a unique tool that provides best-in-class data and 
interactive visualizations to connect the dots between employer needs 
and career opportunity. It includes a supply-and-demand heatmap, cyber 
career pathways, skill-based job descriptions, and a map of local 
training providers--all of which are completely free and open to the 
public. To promote additional efforts to grow the cybersecurity talent 
pipeline, CyberSeek also includes links to other resources on the 
cybersecurity workforce--including those from CISA and the National 
Initiative for Cybersecurity Careers and Studies.\8\ CyberSeek data are 
aligned with the NICE Workforce Framework for Cybersecurity \9\ and are 
updated multiple times throughout the year.
---------------------------------------------------------------------------
    \8\ https://niccs.cisa.gov/.
    \9\ The NICE Cybersecurity Workforce Framework details 7 key 
categories of cybersecurity work, as well as dozens of specialty areas 
and specific work roles included within each of these categories. It 
also includes information about the tasks performed within each work 
role, as well as the knowledge, skills, and abilities required to 
perform these tasks.
---------------------------------------------------------------------------
    Since its release, CyberSeek has become widely used within the 
cybersecurity community--from students and professors to policy makers 
and hiring managers. Data from CyberSeek are routinely mentioned in 
media outlets across the country, and CyberSeek has been publicly cited 
by multiple Presidential administrations. Many educators now develop 
assignments for their students to visit CyberSeek and learn more about 
cybersecurity careers. Inspired by the success of CyberSeek, Lightcast 
has helped develop two sister websites, AUCyberExplorer \10\ in 
Australia and CyberSeek Indiana.\11\ The latter is a state-level 
version of CyberSeek with even more localized information.
---------------------------------------------------------------------------
    \10\ https://www.aucyberexplorer.com.au/.
    \11\ https://www.cyberseekin.org/.
---------------------------------------------------------------------------
    We are continuously soliciting feedback on CyberSeek, and we hope 
to continue to improve the platform so we may arm stakeholders across 
the country with the tools and data they need to build a world-class 
cybersecurity workforce.
   lightcast supports stakeholders across the cybersecurity community
    In addition to CyberSeek, Lightcast works directly with employers, 
educators, Government agencies, and other stakeholders across the 
cybersecurity community. We provide best-in-class labor market data and 
insights through software, APIs, and consulting services. To the best 
of our knowledge, we are the only organization that has mapped external 
worker supply and employer demand data to the NICE Framework at scale.
    Educators use Lightcast tools and data to inform cybersecurity 
program development and align their curricula with the skills that 
employers demand. This helps educators keep their cybersecurity 
programs current, and ensures their students graduate with the skills 
they need to secure a job. Similarly, Lightcast works with many 
cybersecurity certification providers to help them align their 
credentials with employer needs. By linking credentials with in-demand 
skills, we help these certifying organizations develop credentials that 
hold value in the eyes of both workers and employers.
    Lightcast also works with employers to inform their talent 
decisions related to strategic workforce planning, talent acquisition, 
employee training, and more. We help organizations implement a skills-
based approach to cybersecurity hiring, which can help expand the 
talent pipeline, increase candidate diversity, and improve hiring 
outcomes. For example, we have found that organizations taking a 
skills-based approach to hiring entry-level cybersecurity workers, 
rather than a degree-based approach, can save an average of over 
$15,000 per hire and expand their skilled candidate pool by over 60 
percent.\12\
---------------------------------------------------------------------------
    \12\ Reflects Lightcast analysis of proprietary Lightcast data.
---------------------------------------------------------------------------
    Last, Lightcast also works with government agencies--both at the 
Federal level and the State, local, and Tribal level--to support 
cybersecurity workforce development. At the Federal level, we have 
worked with multiple departments and agencies beyond our work with NIST 
and NICE. In particular, we have provided information and data to the 
Office of the National Cyber Director and the Cybersecurity and 
Infrastructure Security Agency. We have also shared research findings 
and data on multiple interagency webinars, in meetings with Federally-
convened working groups, and in discussions with individuals across 
Federal agencies.
the federal government can strengthen the cybersecurity talent pipeline 
   through three broad levers: information, incentives, and standards
    Lightcast's work with stakeholders across the cybersecurity 
ecosystem gives us a unique vantage point on opportunities for the 
Federal Government to help strengthen the cybersecurity talent 
pipeline. In our view, there are three broad levers that Congress, 
CISA, and other Federal actors have at their disposal: information, 
incentives, and standards.
Lever 1: Information
    The Federal Government--and CISA in particular--are in a unique 
position to provide actionable information for stakeholders across the 
cybersecurity workforce ecosystem. There are multiple avenues through 
which this can be accomplished, but key opportunities include the 
following:
   Become an exemplar for innovative, skills-based 
        cybersecurity hiring practices.--This means shifting to a 
        skills-based approach to hiring for cybersecurity roles and 
        cataloging and promoting best practices for the private sector 
        to emulate. Examples of skills-based best practices that CISA 
        and other Federal agencies can take include the following:
     Reduce education, experience, and certification 
            requirements in job openings.--This can have dramatic 
            impact toward reducing hiring difficulty and expanding the 
            size and diversity of the Government's candidate pool. For 
            example, Lightcast data show that removing a bachelor's 
            degree from early career cybersecurity job postings can 
            reduce the average cost to hire by over $15,000 and 
            increase the candidate pool by over 60 percent.\13\
---------------------------------------------------------------------------
    \13\ Reflects Lightcast analysis of proprietary Lightcast data.
---------------------------------------------------------------------------
     Prioritize training for high-growth, high-value skills.--
            Lightcast projects that demand for many emerging 
            cybersecurity skills will grow 50 percent or more in the 
            coming years, and many of these skills command salary 
            premiums of $10,000 or more.\14\ In most cases, these 
            skills cost considerably less to train. Focusing training 
            on these high-growth, high-value skills--such as cloud 
            security, DevSecOps, and others--can help the Federal 
            Government maximize the return on its training investments.
---------------------------------------------------------------------------
    \14\ Reflects Lightcast analysis of proprietary Lightcast data.
---------------------------------------------------------------------------
     Build career pathways to enhance career advancement 
            potential for cybersecurity workers.--CISA and other 
            Federal agencies may develop clear cybersecurity career 
            pathways that communicate the roles that individuals may 
            target at different stages in their careers, possible 
            transition opportunities between each role, and the skills 
            or other attributes workers can develop to progress between 
            roles within a career pathway.
   Educate employers as well as practitioners.--In addition to 
        providing education materials for practitioners and managers, 
        CISA or other Federal actors may provide training resources for 
        employers that outline talent management best practices for 
        cybersecurity workers. Providing quality training resources 
        that are accessible and targeted to personas on both sides of 
        the hiring process can help address the dual talent and 
        expectation gaps plaguing the cybersecurity workforce.
   Expand and enhance access to tools and resources that 
        support cybersecurity workforce development and hiring.--This 
        could include the development of new tools and resources or the 
        expansion of existing tools--such as CyberSeek, current 
        resources from CISA and NICE, or others. These may be 
        accomplished through either of two vehicles: increasing funding 
        or increasing awareness.
     Increasing Funding.--First, additional Federal funding 
            directed internally toward CISA or other Federal agencies, 
            or externally through grants or other mechanisms, would 
            enable the development of new tools, functionality, and 
            resources. For example, this may include tools providing 
            more data on emerging cybersecurity skills, resources for 
            employers to easily adopt skills-based hiring best 
            practices, or even tools that directly connect individuals 
            to open jobs or relevant training opportunities.
     Increasing Awareness.--Second, expanding knowledge and 
            promotion of existing resources can maximize their impact 
            and help reach a larger pool of users without requiring 
            much, if any, additional investment. For example, resources 
            could be developed by CISA or others that provide 
            additional ``how to'' guidance and case studies that 
            demonstrate how to use existing tools and implement best 
            practices--such as skills-based hiring. Various Federal 
            actors can also aid in the promotion of existing resources 
            through public announcements, webinars, speaking 
            engagements, op-eds, or other activities.
Lever 2: Incentives
    The Federal Government is also in a singular position to influence 
incentives for individuals, educators, employers, and other 
stakeholders to help strengthen the cybersecurity talent pipeline.
    For employers, this could take the form of incentivizing employer-
sponsored training to upskill and reskill existing employees. These 
incentives may take the form of tax credits or stipends which can 
partially or fully offset the costs of training employees. This could 
improve the economics for employers to invest in training. This, in 
turn, may help employers strengthen the skills of existing workers and 
reduce the cost of hiring entry-level workers to upskill. Numerous 
States have developed similar programs, and the State-level 
experimentation and outcomes associated with these types of programs 
may inform similar Federal programs.
    The Federal Government may also incentivize private employers to 
invest in hiring entry-level workers through public/private 
partnerships, talent sharing, or related initiatives. This may take 
multiple forms, but some examples include the following:
   Expanding shared training resources between CISA or other 
        Federal agencies and private employers.--This could reduce the 
        cost to employers to train entry-level workers. Ideally these 
        resources would be focused on high-value, high-growth skills--
        such as cloud security, DevSecOps, secure application 
        development, and others.
   Providing funding to local communities to support grassroots 
        innovation.--Providing funding to State and local governments, 
        or directly to other local institutions or consortia, can 
        support local collaboration between employers, educators, and 
        other local workforce development stakeholders working to grow 
        the cybersecurity workforce. An existing example of this is the 
        RAMPS program from NICE.\15\
---------------------------------------------------------------------------
    \5\ https://www.nist.gov/system/files/documents/2017/08/18/
ramps_one_pager_032017.- pdf8u_tpo.pdf.
---------------------------------------------------------------------------
   Providing resources, tax credits, or other financial 
        incentives to employers to develop cybersecurity apprenticeship 
        programs.--These programs can help students build on-the-job 
        experience and develop diverse talent pipelines for employers. 
        Improving the economics of apprenticeships can help more 
        employers adopt them for entry-level cybersecurity roles.
   Developing public/private talent-sharing programs.--Under 
        these programs, a worker can spend time working in both the 
        public and private sector, which helps them gain new skills and 
        on-the-job experience. CISA has already experimented with 
        similar programs on a limited scale. These talent-sharing 
        programs could support greater information and resource sharing 
        between the public and private sector and would help workers in 
        all sectors build new skills. It may also reduce hesitancy for 
        employers to hire entry-level workers if they are able to share 
        the training of those workers with Federal employers.
Lever 3: Standards
    Last, the Federal Government can develop standards and frameworks 
that support consistent application of best practices related to 
workforce development, training, and hiring. Already, NIST and NICE are 
providing valuable standards and frameworks related to cybersecurity. 
This also extends to cybersecurity education and workforce development, 
which is most prominently achieved through the NICE Framework.
    The NICE Framework has become a valuable resource that is used 
widely in the cybersecurity community. Educators use the NICE Framework 
to inform their training content and align it to the needs of the 
workforce, employers use it to assess gaps in their cybersecurity 
workforce, and individuals use it to identify the types of work they 
can prepare for within the cybersecurity field, among other 
stakeholders.
    Building off the success of the NICE Framework, the Federal 
Government may take additional steps to provide standards and 
frameworks that will strengthen the cybersecurity talent pipeline. Some 
of these steps may include the following:
   Provide frameworks and standards that outline best practices 
        for cybersecurity employers.--This may include standards 
        describing best practices for adopting skills-based hiring, 
        optimizing job descriptions, building career pathways, 
        maximizing the value of learning and development, developing 
        apprenticeships, engaging with educators or other stakeholders, 
        and related activities. This will help to address the 
        expectations gap that creates misalignment between the needs of 
        employers and the realities of the existing cybersecurity 
        talent pool.
   Continue to update and refine the NICE Framework.--The rapid 
        evolution of cybersecurity skill requirements necessitates 
        frequent updates to the NICE Framework to ensure it remains 
        current. Moreover, additional data collection and industry 
        input can help NICE continue to further align the Framework 
        with the language and needs of employers.
   Provide frameworks and standards for educators to build 
        training content that is up-to-date and aligned with employer 
        needs.--This may take the form of baseline standards for 
        curriculum development, suggested steps for data collection and 
        analysis on market job and skill demand, recommendations for 
        strengthening employer engagement, tools for embedding hands-on 
        learning opportunities into curricula, resources for developing 
        co-ops and internship opportunities with local employers, and 
        related activities.
                               conclusion
    Expanding the cybersecurity talent pipeline is, undoubtedly, a 
complex issue. It requires coordination across a constellation of 
disconnected, yet interrelated, educational institutions, employers, 
and individuals. Aligning this diverse ecosystem of stakeholders 
requires a shared understanding of the problem, and clear, level-headed 
guidance on how to solve it.
    Thousands of stakeholders--both in the public and private sectors--
are already facing this challenge head on. Lightcast is committed to 
working with these stakeholders, and we welcome collaboration with 
anyone interested in creative, data-backed solutions to cybersecurity's 
pipeline challenges.
    Thank you again for the opportunity to participate in this hearing 
an I look forward to further engagement with the committee.

    Mr. Garbarino. Thank you, Mr. Markow.
    Ms. Wisniewski, I now recognize you for 5 minutes to 
summarize your opening statement.

    STATEMENT OF TARA WISNIEWSKI, EXECUTIVE VICE PRESIDENT, 
     ADVOCACY, GLOBAL MARKETS, AND MEMBER ENGAGEMENT, ISC2

    Ms. Wisniewski. Thank you, Chairman Garbarino, Ranking 
Member Swalwell, and Members of the subcommittee, for the 
invitation to testify on the national cybersecurity work force 
pipeline. We at ISC2 appreciate the opportunity to share our 
perspective on the current state of the cybersecurity work 
force and our vision for its future.
    ISC2 is an international nonprofit association with 425,000 
members focused on advancing a safe and secure cyber world. 
Best known for our acclaimed CISSP certification, ISC2 offers a 
portfolio of credentials that are part of a holistic, pragmatic 
approach to security, and built on strong, ethical foundations.
    Organizations are increasingly aware of the vital 
importance of resilient cyber systems leading to more demand 
for cyber talent as threats expand. Our annual Cybersecurity 
Workforce Study assesses the size of the current work force and 
looks for ways to address the existing talent shortage. Our 
2022 study found there is a worldwide gap of 3.4 million 
cybersecurity workers. ISC2 is currently in the process of 
collecting and analyzing data for our 2023 Cybersecurity 
Workforce Study, which will be released in September.
    In our early findings, we estimate there are 132,000 new 
entrants into the U.S. cybersecurity work force, an 11 percent 
increase from 2022. But at the same time, our data shows the 
work force gap will be over 480,000, which is a 17 percent 
increase from last year.
    One of the most critical investments ISC2 has made to grow 
the work force is development of a new entry-level 
certification called the ISC2 Certified in Cybersecurity, or 
CC. This certification allows those with little to no 
cybersecurity experience to gain the foundational knowledge and 
skills necessary for an entry-level cybersecurity role. It also 
provides an entry point for aspiring cyber professionals to 
begin their career and launch them into their first job.
    Because we believe so deeply in the importance of providing 
access to the profession, we have launched a campaign called 
One Million Certified in Cybersecurity, where we are delivering 
1 million CC courses and exams for free. Half of these course 
enrollments and exams are reserved for students at Historically 
Black Colleges and Universities, Minority-Serving Institutions, 
members of Tribal organizations, veterans, women, and 
neurodiverse individuals. We made this commitment during the 
Cyber Workforce and Education Summit at the White House last 
summer and are pleased to report that more than 200,000 future 
cyber professionals are already enrolled.
    We commend the Biden administration for its work on the 
2023 National Cybersecurity Strategy, particularly the 
Strategy's focus on enhancing the cybersecurity work force. We 
are also excited about the forthcoming work force strategy from 
the Office of the National Cyber Director, and appreciate the 
focus the subcommittee is giving to this very important issue.
    Yet we know that for these strategies to be implemented 
effectively, it will take all Federal agencies, including CISA, 
working together with the private sector to deliver impactful 
change. Innovative strategies are necessary to professionalize 
and build the cybersecurity sector. In that vein, we encourage 
Congress to consider a few recommendations.
    First, we must provide pathways for entry-level 
practitioners to join the cybersecurity field. ISC2's Certified 
in Cybersecurity certification responds to this problem, yet 
there is so much more to be done. We know we cannot create the 
talent pipeline to bridge our current gap until the 
cybersecurity ecosystem of Government, industry, academia, and 
organizations like ISC2 hire and invest in the professional 
development of entry-level professionals.
    Second, we must increase diversity. We know that diversity 
within an organization adds to the overall confidence of an 
organization's security posture because highly diverse teams 
directly contribute to greater success and prosperity. We also 
know from our research that organizations with DEI programs in 
place have smaller work force gaps. Yet despite these findings, 
meaningful progress to deliver more diversity, equity, and 
inclusivity in the cybersecurity profession has been slow.
    Additionally, there is a need to facilitate collaboration 
with public and private-sector entities. CISA's sustained long-
term commitment to the sector provides us with a natural 
partnership in this area. Working together, we can provide more 
cyber-readiness resources across all levels and roles in the 
public and private sector.
    Finally, we must professionalize cybersecurity. A 
digitally-skilled population and strong cyber work force leads 
to more resilient organizations and infrastructure. 
Certifications are a critical part of this work, including 
ensuring cyber professionals hold certifications built on 
strong, ethical foundations and accredited by international 
standard bodies.
    Thank you again for the opportunity to testify before the 
subcommittee today. ISC2 looks forward to working with you on 
this very important issue.
    Thank you.
    [The prepared statement of Ms. Wisniewski follows:]
                 Prepared Statement of Tara Wisniewski
                             June 22, 2023
    ISC2 thanks Chairman Garbarino and Ranking Member Swalwell and the 
Members of the House Homeland Security Subcommittee on Cybersecurity 
and Infrastructure Protection for the invitation to testify at this 
important hearing on the national cybersecurity talent pipeline. We 
appreciate the opportunity to share our perspective on the current 
state of the cybersecurity workforce and our vision for the future. The 
Cybersecurity and Infrastructure Security Agency (CISA) has been a 
critical partner in the work to close the cybersecurity workforce gap, 
among the many other roles it plays in securing cyber space. In 
particular, we greatly appreciate CISA's role in creating a safer and 
more secure cyber ecosystem through the harmonization of standards and 
regulations, encouraging collaboration between public and private 
entities to defend critical systems and information, investing in a 
cyber resilient future for public and private-sector stakeholders, and 
defending against an ever-evolving threat landscape.
   isc2 is a leader in developing the global cybersecurity workforce
    ISC2 is an international nonprofit membership association focused 
on building a safe and secure cyber world. Our organization is 
dedicated to understanding and addressing the barriers facing the 
cybersecurity workforce and serving as a leader in the implementation 
of solutions that will build and support a well-qualified and diverse 
workforce in the United States and globally.
    Best known for our acclaimed Certified Information Systems Security 
Professional, or CISSP, certification, ISC2 offers a portfolio of 
credentials that are part of a holistic, pragmatic approach to 
security. Our association is made up of over 425,000 members, 
associates, and candidates across the globe, including approximately 
200,000 in the United States. Our members are a critical part of 
delivering on our mission, given the tremendous work they engage in 
daily to advance the industry and ensure we live in a more secure 
world. Our membership includes a variety of certified cyber, 
information, software, and infrastructure security professionals 
responsible for securing our governments, economies, critical 
infrastructure, and personal information every day.
    Our charitable foundation, the Center for Cyber Safety and 
Education, supports ISC2's vision for expanding the cyber workforce and 
enhancing cybersecurity by educating the public about cyber risks, 
removing barriers to accessing the cybersecurity profession, and 
helping small organizations protect themselves from cyber risks.
                the state of the cybersecurity workforce
    With geopolitical and macroeconomic turbulence, a constant flood of 
high-profile cyber attacks threatening critical infrastructure and 
business resilience, and an evolving regulatory environment driving new 
cyber governance and compliance requirements, the stakes have never 
been higher. Mission-critical to all of these concerns is the need for 
a well-rounded, skilled cybersecurity workforce.
    Understanding the gravity of the demand for cyber talent as threats 
expand and organizations become increasingly aware of the vital 
importance of resilient cyber systems is essential for building 
solutions. This need for accurate data drives ISC2 to conduct our 
annual Cybersecurity Workforce Study to assess the size of the current 
cybersecurity workforce, as well as the existing talent shortage. This 
research has given us tremendous insight into the challenges and 
opportunities cyber professionals face, including hiring and recruiting 
trends, corporate culture and job satisfaction, career pathways, 
certifications, professional development, how the workforce is adapting 
to current events, and what the future of cybersecurity work looks 
like. It also shows us what conditions are essential to shrinking the 
talent gap.
    Our 2022 Cybersecurity Workforce Study found there to be global 
unfilled demand, or a workforce gap, of 3.4 million cybersecurity 
workers, representing a 26.2 percent year-over-year increase. In the 
United States specifically, our cybersecurity workforce grew by 5.5 
percent, reaching a total of 1.2 million cyber professionals in 2022. 
But at the same time, the estimated workforce gap grew 9 percent last 
year as more organizations realized their need for cybersecurity 
professionals and additional cyber roles opened up. In the United 
States in 2022, we estimate the cyber workforce gap is around 410,695 
unfilled roles.\1\
---------------------------------------------------------------------------
    \1\ ISC2 2022 Cybersecurity Workforce Study. https://www.isc2.org//
-/media/ISC2/Research/2022-WorkForce-Study/ISC2-Cybersecurity-
Workforce-Study.ashx.
---------------------------------------------------------------------------
    Given these numbers, the lack of a qualified cybersecurity 
workforce continues to be a top concern for all sectors, particularly 
critical infrastructure. Seventy-two percent of U.S. respondents 
reported their organization does not have enough cybersecurity 
employees, and 55 percent of those respondents said these staff 
deficits put their organization at a ``moderate'' or ``extreme'' risk 
of a cyber attack.\2\ As our world becomes more digitally reliant, the 
potential for cyber attacks grows and businesses and data must be 
protected. In fact, 95 percent of small businesses are unprotected, 
highlighting the critical need to ensure organizations of all sizes are 
able to find and retain qualified cybersecurity talent.\3\
---------------------------------------------------------------------------
    \2\ Ibid.
    \3\ Ibid.
---------------------------------------------------------------------------
    ISC2 is currently in the process of analyzing data for our 2023 
Cybersecurity Workforce Study, which will be released in September 
2023. Early estimations show there are 132,000 new entrants in the U.S. 
cybersecurity workforce, an 11 percent increase from last year's 
numbers, while the workforce gap grew to 482,985 unfilled roles.
        isc2 efforts to build a qualified and diverse workforce
    Considering these staggering cybersecurity workforce statistics, 
ISC2 is committed to finding solutions to address the cybersecurity 
workforce gap in the United States and around the world. Since our 
founding, ISC2 has been a leader in credentialing the global 
cybersecurity workforce with standards-based approaches to skills 
development. This is reflected in the Common Body of Knowledge for all 
ISC2 certifications and training materials, as well as our commitment 
to mapping all of our certifications to international standards. 
Further, our ecosystem of education and certification is built on a 
solid foundation of ethical best practices to which all members must 
adhere. For a profession that is critical to every major sector, 
expanding access to the cybersecurity profession, as well as setting 
reasonable, concise, and effective standards that include certification 
requirements, is pivotal.
    Over the last several years, ISC2 has increased our focus on the 
full life cycle of the cybersecurity workforce, and we continue to 
serve as an advocate for the profession and the professionals we serve. 
As part of this work, we are committed to creating a diverse talent 
pipeline through education, upskilling, re-skilling, and professional 
development. We have a particular focus on developing and supporting 
entry-level and early career professionals to ensure we have more 
entrants into the profession--where they are most desperately needed--
to help meet the ever-widening gap.
    One of the most critical investments we made last year was the 
development of an entry-level certification called the ISC2 Certified 
in Cybersecurity (CC). This certification allows those with little to 
no cybersecurity experience to gain the foundational knowledge, skills, 
and abilities necessary for an entry-level cybersecurity role. The CC 
certification is ideal for current IT professionals or other 
professionals looking to transition into cybersecurity, as well as 
college students or recent high school graduates interested in 
exploring the cybersecurity field. We believe this certification fills 
a critical gap in the cybersecurity workforce by providing an on-ramp 
for potential cybersecurity professionals to begin their careers and 
launch into their first jobs where they can continue to learn, grow, 
and access other certifications along their career path.
    In light of our pledge to implement meaningful solutions to the 
global workforce cybersecurity workforce challenges, ISC2 not only 
created the CC certification, but we also have pledged to deliver One 
Million Certified in Cybersecurity courses and exams--for free.\4\ We 
made this commitment during the Cyber Workforce and Education Summit at 
the White House last summer and are pleased to report that over 23,000 
professionals have earned the CC certification since that time, and 
more than 200,000 have enrolled in the program. As part of this 
commitment, we also pledged to direct half of these course enrollments 
and exams to students of historically black colleges and universities 
(HBCUs), minority-serving institutions (MSIs), Tribal organizations, 
and women's organizations.
---------------------------------------------------------------------------
    \4\ ISC2 Pledges One Million Free ISC2 Certified in Cybersecurity 
Courses and Exams. https://blog.isc2.org/isc2_blog/2022/07/isc2-1-
million-certified-in-cybersecurity.html.
---------------------------------------------------------------------------
     u.s. federal government solutions to address the workforce gap
    Protecting the Nation's critical infrastructure has never been more 
important as our forthcoming 2023 workforce study will show that more 
than half of information security professionals currently in those 
sectors believe their organizations are at a moderate to extreme risk 
of experiencing a cybersecurity attack. When hiring for cybersecurity 
positions, hiring managers put cybersecurity certifications at the top 
of list of qualifications they find most important. According to our 
data to be released in the coming months, among the skills hiring 
managers are looking for, risk assessment, analysis and management were 
at the top of the list (31 percent), while communications skills (29 
percent); security engineering (28 percent); and governance, risk 
management and compliance (27 percent) were also listed as important. 
When considering the needs of securing our critical infrastructure, 
ISC2 research suggests hiring managers in those sectors are open to 
nontraditional methods of increasing the workforce including 
prioritizing nontechnical skills and providing training and development 
for employees once hired.
    ISC2 is extremely proud of the work we have done to date to help 
address the gaps in the cybersecurity talent pipeline, but we recognize 
we cannot do this work alone. Governmental bodies around the world, 
including the U.S. Federal Government, will play an important role in 
creating policy and regulatory environments that allow cybersecurity 
professionals to thrive and grow. Given its mandate from Congress, the 
Department of Homeland Security and CISA specifically will be important 
stakeholders in finding and implementing solutions to address the 
current workforce gap we experience in the United States.
    We commend the Biden administration for its work on the 2023 
National Cybersecurity Strategy, particularly the strategy's focus on 
enhancing the cybersecurity workforce, increasing coordination and 
collaboration in public-private partnerships, responding to threats on 
critical infrastructure, and clarifying the responsibility of various 
entities in the cyber ecosystem for responding to cybersecurity 
threats.
    We believe efforts to create a strong and secure national and 
global cyber ecosystem built on partnership, communication, responsible 
action, and technological development are critical to addressing 
vulnerabilities throughout the public and private sector. We look 
forward to seeing the administration's forthcoming cyber workforce 
strategy, which will provide even more specificity to the Federal 
Government's plans to utilize its current authorities, structures, and 
programs to continue to develop the cyber workforce throughout the 
country.
    To ensure the success of the National Cybersecurity Strategy, all 
Federal agencies, including CISA, will play a critical role in its 
implementation. CISA's strengths in the implementation will stem from 
its role in raising awareness and increasing the visibility of 
cybersecurity and the important role cyber defense plays in protecting 
against the growing threats facing the Nation. The agency should 
continue to play an instrumental role in promoting dialog and building 
knowledge and awareness of information and systems security across the 
digital landscape. It also is important for CISA to continue to serve 
as a conduit between government agencies and the private sector to 
encourage collaboration, increase diversity within the sector, and 
explore and implement other measures related to cyber readiness to 
effectively manage the increasing cybersecurity risks facing the United 
States.
    To be clear, none of the goals in the National Cybersecurity 
Strategy can be accomplished without focusing on the need for more 
cybersecurity professionals and professionalizing the cyber sector to 
ensure cybersecurity professionals are equipped to respond to evolving 
threats. To address these issues, the U.S. Government and industry need 
innovative strategies for workforce development as the strategies of 
the past have not been sufficient to address the prolific cybersecurity 
workforce crisis. The answer to the cybersecurity workforce problem 
will not be found in a single program but rather a multitude of 
innovative solutions, including the recommendations outlined below.
   Provide pathways for entry-level practitioners to join the 
        cybersecurity field.--ISC2 conducted a recent study of hiring 
        managers to learn more about the best practices for hiring and 
        developing entry-level cybersecurity practitioners. Our 
        research found that organizations focused on recruiting and 
        developing entry-level cybersecurity staff, including those 
        with little or no technical experience, are helping to 
        accelerate the invaluable hands-on training that the next 
        generation of professionals need.\5\ Yet, it is often difficult 
        for professionals to get their foot in the door into those 
        initial roles to gain access to this valuable experience.
---------------------------------------------------------------------------
    \5\ ISC2 Cybersecurity Hiring Managers Guide. https://www.isc2.org/
/-/media/ISC2/Research/2022/ISC2-Cybersecurity-Hiring-Managers-
Guide.ashx.
---------------------------------------------------------------------------
    Understanding that what employers need most to shore up their cyber 
        defenses is entry- and junior-level cybersecurity 
        professionals--degrees are not necessarily required for 
        valuable early career roles--ISC2 developed the CC 
        certification to address this problem. Yet, there is more to be 
        done to open the floodgates for these pathways into the 
        cybersecurity profession. Organizations and the Government must 
        be willing to step in to provide incentives and hire entry-
        level professionals with entry-level qualifications, as well as 
        invest in the professional development of these professionals--
        otherwise, we will never create the talent pipeline necessary 
        to bridge the workforce gap.
    We are encouraged by several of CISA's education and career 
        development programs, including the Cybersecurity Education and 
        Training Assistance Program (CETAP) to inspire the next 
        generation of cybersecurity professionals through initiatives 
        to include cybersecurity education in K-12 schools. We also 
        appreciate CISA's work on the Cybersecurity Workforce 
        Development and Training for Underserved Communities program, 
        which is designed to increase diversity across the cyber 
        workforce, as well as the Cyber Career Pathways Tool to help 
        people gain a better understanding of cybersecurity and the 
        different roles available in the sector.
   Increase diversity within the cybersecurity field.--Given 
        the wide range of threats we see in the cybersecurity realm, it 
        is imperative we consider how to diversify the cybersecurity 
        workforce to ensure we have a diversity of thought and 
        experience available leading our cyber defenses. One of our 
        recent market research studies found that incentivizing a more 
        diverse information and systems security profession encourages 
        increased innovation.\6\ For example, our study showed 
        organizations with diverse leadership teams benefit 
        organizations culturally as well as in their bottom-line 
        revenues.\7\ This diversity also adds to the overall confidence 
        of an organization's security posture given that highly diverse 
        teams can directly contribute to greater success and 
        prosperity. Yet, despite these findings, meaningful progress to 
        deliver greater and more equitable diversity and inclusivity 
        within the cybersecurity profession has been slow.
---------------------------------------------------------------------------
    \6\ ISC2 ``In Their Own Words: Women and People of Color Detail 
Experiences Working in Cybersecurity.'' https://www.isc2.org/-/media/
ISC2/DEI/DEI-Market-Research-2021.ashx.
    \7\ Ibid.
---------------------------------------------------------------------------
    CISA can help in these efforts to diversify the cybersecurity 
        profession by channeling education resources to redefine the 
        image of the cybersecurity professional and the profession to 
        accurately reflect and value the diversity of the world it 
        protects. We hope to work with CISA to find innovative ways to 
        continue to bring people into the sector and retain them 
        because we recognize that we must focus our efforts not only at 
        the entry- and mid-levels but at the C-suite and executive 
        levels as well. To create a diverse and inclusive workforce and 
        reap the resulting benefits, diversity must be prevalent at all 
        levels of the organization.
   Facilitate collaboration with private-sector entities.--
        Collaboration is key to addressing cybersecurity 
        vulnerabilities and the workforce gap. As a global organization 
        with strong connections to law-making bodies and government 
        entities across the world, ISC2 recognizes the importance of 
        continuing to build strong partnerships and strengthen 
        collaborative relationships to further the profession's needs.
    CISA's commitment to sustain long-term dedication to the sector 
        provides us with a natural partnership in this area. Working 
        together, we can provide more cybersecurity readiness resources 
        across all levels and roles in the public and private sector 
        for the information and systems security profession.
    We believe it is important to consider the Federal Government's 
        role in addressing the cyber workforce gap, while acknowledging 
        the private sector's existing efforts to find creative 
        solutions to this problem. Working together, we believe there 
        are many opportunities to increase education, incentivize 
        professional development, and develop programs that are 
        available to as many people from as many backgrounds and 
        demographics as possible.
   Professionalize cybersecurity.--A digitally-skilled 
        population and strong cybersecurity workforce leads to more 
        resilient organizations and infrastructure. This is especially 
        important as the United States seeks to create more and better-
        paying jobs, spur prosperity, increase diversity, and drive 
        economic growth across the Nation. Given the nascency of the 
        cybersecurity profession, it is critical to consider how we can 
        continue to professionalize cybersecurity to ensure there is a 
        clear and understandable career path for professionals 
        interested in joining the field.
    The professionalization of other sectors such as finance and 
        accounting, which spans more than a century, is a model for the 
        cybersecurity field to follow as we look for ways to set 
        standards, establish ethical expectations, and increase public 
        trust in our cybersecurity professionals. Certifications are a 
        critical part of this work, including ensuring cybersecurity 
        professionals hold certifications accredited by international 
        standards bodies. Additionally, the profession will continue to 
        benefit from on-going professional education, immersive 
        courses, and other professional development opportunities, 
        including determining ways to upskill within an organization to 
        fill outstanding cybersecurity roles.
    Thank you for the opportunity to testify before the subcommittee 
and provide input on this important topic. ISC2 greatly appreciates 
your interest in this issue and your willingness to explore ways the 
Federal Government can work together with stakeholders in the 
cybersecurity space to address the gaps we are seeing in the 
cybersecurity workforce. We look forward to continuing to work with the 
subcommittee to find solutions that will benefit cybersecurity 
professionals, the organizations they serve, and the public overall.

    Mr. Garbarino. Thank you, Ms. Wisniewski.
    Colonel Starling, I now recognize you for 5 minutes to 
summarize your opening statement.

  STATEMENT OF COLONEL CHRIS STARLING, USMC (RET.), EXECUTIVE 
                  DIRECTOR, CALIFORNIA, NPOWER

    Mr. Starling. Chairman Garbarino, Ranking Member Swalwell, 
distinguished Members of the committee, thank you for having me 
here today.
    Since 2019, I've had the privilege to lead NPower 
California, and since last year, the NPower SkillBridge 
program.
    NPower is a nonprofit that provides veterans and young 
adults from underrepresented communities with tech training, 
social support, and full-time job placement assistance. NPower 
operates in 9 States and is still growing. We serve over 1,300 
unemployed and underemployed students per year Nation-wide. Our 
program is free of charge to all who enroll, and they represent 
75 percent ethnic minorities, and as of recent, 39 percent 
women in our courses.
    Tech is a main driver of the U.S. economy, and the tech 
sector is still predicted to grow faster than all other 
occupations. But people are not entering the field fast enough, 
especially in cybersecurity. Cybersecurity demand is outpacing 
supply.
    Many companies still seek applicants that have college 
degrees, but this is changing. Industry-recognized 
certifications can qualify people to work in tech and in 
cybersecurity. Access to high-growth tech careers is possible 
for more people now than it has been in past years, and NPower 
has a model that works. How is it done?
    First, we recruit those that are hard to find. We seek 
people in transition that are passionate about technology and 
who are willing to commit themselves to 16 weeks or more of 
training.
    Second, we understand that some people need help, not just 
in the classroom to learn the material, but with life. NPower's 
team of social support managers provides wraparound services by 
connecting students with local resources to help them solve 
everyday problems--things like rent, subsistence, 
transportation, interviewing attire, even child care--so that 
students can focus on learning and earning certifications.
    NPower creates the conditions that enable students to 
leverage their own grit and determination. This boot camp model 
drives change in both their personal and their professional 
lives.
    Upon completion of the course, job placement teams from 
NPower engage each graduate personally, making introductions, 
helping them schedule job interviews, and helping them actually 
land a tech job.
    Let me address some metrics quickly. Eighty-five percent of 
NPower students complete training on time and graduate. Eighty-
eight percent of graduates secure at least one industry-
recognized credential. Eighty-one percent of graduates are 
placed into quality employment or enrolled in continuing 
education at the 6-month mark and 1-year mark after graduation.
    The average wage increase for our tech fundamentals 
students is from $9,000 a year pre-program to over $43,000 per 
year post-program. That's a 420 percent increase in wages. For 
cybersecurity graduates of our program, their post-program wage 
average is $63,000 a year in a starting cybersecurity job.
    In 2021, the cybersecurity infrastructure support agency, 
CISA, awarded NPower a $1 million grant to develop cyber work 
force training in order to address the shortage in the 
cybersecurity work force. As you know, CISA supports 
nontraditional job training and apprenticeship programs. They 
recently started to hire people with certificates in lieu of 
degrees. I would submit that if it's good enough for CISA, then 
it can also work for Federal, State, local, and other 
governments.
    The NPower program that was funded by CISA is working. In 
the current course, our spring 2023 cohort, it's in week 18 
with a 92 percent retention rate. That's 18 weeks of pretty 
rigorous cyber boot camp with 55 of 60 students set to 
graduate.
    Our written testimony contains six recommendations, but I'd 
like to just touch on two.
    First, copying the CISA model is worthwhile. We can train 
and place nontraditional talent into open cyber jobs.
    Second, capitalizing on the talent pool of military-
connected individuals and families, including transitioning 
military service members, is easy. It's natural to retrain 
people from defending the Nation to defending the network.
    In summary, NPower has a model that's scalable for creating 
a diverse cybersecurity work force. We are partnering with 
Homeland Security, Department of Labor, and the Department of 
Defense. My recommendation is to build on these successes and 
continue to press the attack.
    I look forward to your questions.
    [The prepared statement of Mr. Starling follows:]
                  Prepared Statement of Chris Starling
                             June 22, 2023
    Chairman Garbarino and Ranking Member Swalwell, distinguished 
Members of the committee--thank you for the privilege to appear before 
you today on behalf of NPower to discuss growing our national 
cybersecurity workforce talent pipeline.
    My name is Chris Starling, I am a retired colonel of the U.S. 
Marine Corp, where I served for over 26 years. Since 2019, I joined 
NPower to run our program in the Bay Area.
    NPower is the premiere technology training organization providing 
young adults, veterans, and women of color from underrepresented 
communities with free tech training, social and emotional support, and 
full-time job placement assistance with many of the Nation's leading 
employers. Annually, we serve over 1,300 unemployed and underemployed 
students across the country with high-quality tech workforce training 
leading to industry certification, with social support, professional 
development, and job placement services.
    We work at the intersection of poverty alleviation, equity, 
workforce diversity, and the tech industry. Our program is delivered 
free of charge to men and women earning less than 200 percent of the 
Federal poverty level, and they primarily come from racial and 
socioeconomic backgrounds underrepresented in the tech industry.
    Technology is one of the main drivers of the U.S. economy, and the 
demand for talent constantly outpaces the supply of skilled workers. 
Experts project tech-sector employment to grow at the fastest rate of 
all occupations--and people simply aren't entering the field fast 
enough to replace retiring workers. Various factors are driving the 
increase, from innovations to natural disasters to the COVID pandemic, 
which prompted the whole country to work and deliver services remotely.
    In addition to the shortage of skilled talent, there's an enduring 
lack of diversity in the IT workforce that has long been recognized as 
a systemic national problem. Many tech job seekers today lack college 
degrees and therefore are overlooked in the talent sourcing of many 
companies. NPower meets learners where they are and offers them 
industry-recognized certifications and certificates to demonstrate 
their skill over pedigree.
    At NPower, we believe access to high-growth careers is possible for 
anyone, no matter where you start. We believe this is our key to 
creating a world where equity is possible. We blend best-in-class and 
trauma-informed tech training and personal support, to constantly 
innovate new ways to foster talent. A specialized team of Social 
Support Managers provide 360-degree support services by connecting our 
students with city and social service agencies for all their social and 
emotional needs.
    With our approach, we're building a new kind of pipeline to tech 
careers. Our students don't come from traditional backgrounds and many 
of them come to us at a pivotal moment of transition in their lives. We 
don't see that as a hindrance: we recognize their worth as powerful 
assets in their local communities. With our comprehensive support, they 
can leverage their own internal hunger, grit, and determination to 
drive change in their personal and professional lives.
               npower's key workforce performance metrics
    NPower has trained 560 individuals from under-resourced communities 
in cybersecurity since 2015.
    NPower evaluates impact based on program completion, attainment of 
industry credentials, and placement in quality jobs or continuing 
education. Our Key Performance Metrics map directly to the Workforce 
Innovation and Opportunity Act (WIOA) performance metrics used by most 
workforce development programs. Below are our impact metrics for our 
cybersecurity program:
   85 percent of enrolled students complete training on time 
        and graduate
   88 percent of graduates secure at least one industry-
        recognized credential
   81 percent of graduates are placed in quality employment or 
        enrolled in continuing education at 6 months and 1 year after 
        graduation.
    We track Measurable Skills Gains through demonstrated mastery of 
key competencies in hands-on labs and assignments, tracked through our 
custom Learning Management System.
    We also track income growth pre- and post-program. Consistently, at 
their first job post-program, NPower graduates achieve an immediate and 
dramatic salary increase that meets or exceeds the MIT Living Wage for 
their region. On average NPower graduates saw an average increase of 
roughly 420 percent, rising from an average pre-program income of 
$9,374 to an average post-program salary of $43,260. For our 
cybersecurity graduates their post-program wage average is $63,372! 
Their wages continue to grow as they gain experience, and the positions 
for which we train are designated by the U.S. Department of Labor as 
``Launchpad Occupations'' with higher-than-average salary growth. Our 
team continues to reach out to alumni periodically after the initial 
job placement to support and track job retention, promotions, raises, 
and overall career trajectory.
  cybersecurity infrastructure and security agency (cisa) npower grant
    In 2021, CISA awarded NPower a $1 million grant for the development 
of cyber workforce training. The partnership focuses on the development 
of a scalable and repeatable proof of concept to identify and train 
talented individuals around the country and help address the staggering 
cybersecurity workforce shortage facing our Nation, while also meeting 
the dynamic needs of the cybersecurity workplace. CISA supports non-
traditional job training and apprenticeship programs like NPower and 
acknowledges that more readied talent could lead Federal Government, 
State, local, Tribal, and territorial entities, as well as private-
sector employers to address current and future cyber workforce needs.
    The program has been successful thus far:
   Fall 2021
     91 percent job placement
   Spring 2022
     100 percent retention
     100 percent certification
     72 percent job placement
   Fall 2022 (mixed TF & Cyber)
     100 percent retention
     82 percent certification
     77 percent placement
   Spring 2023: Week 16
     100 percent retention
     50 percent certification
     Certification is in progress
                         policy recommendations
    We would like to offer to the committee the following policy 
recommendations as you seek to address the cybersecurity workforce 
shortages:
    1. Establish a permanent program that includes the core principles 
        of the pilot program on which CISA is currently collaborating 
        with NPower. Expanding the pool of cyber talent requires 
        sustainable and adequate funding.
    Core Principles of the Program are:
     Partner with nonprofits and Government agencies to upskill 
            men and women from underserved communities;
     Invest in credential-focused short-duration cybersecurity 
            workforce training programs that enable them to earn while 
            learning;
     Provide professional and soft skills development training 
            alongside technical skills training;
     Provide wraparound social support to ensure basic needs 
            for housing, food, and child care, eliminating the barriers 
            to success;
     Provide job placement support and ensure they gain crucial 
            paid work experience;
     Engage and incentivize employers to shift hiring practices 
            to focus more on skills-based hiring, nontraditional 
            talent, and apprenticeships;
     Create direct talent pipelines from training programs to 
            employers;
     Support long-term career pathways with plenty of training 
            on-ramps and off-ramps, recognizing it may take individual 
            workers years of entry-level tech training, alternating 
            with work, and continuing education to attain a 
            journeyman's level of cybersecurity expertise.
    2. Invest in Platforms for On-Demand Help Desk support for 
        individuals, nonprofits, and small businesses. NPower is 
        spearheading a national network of Community Help Desks that 
        provide free technical assistance and digital navigation to 
        local underserved communities, staffed by graduates of our tech 
        workforce training programs gaining vital work experience as 
        Registered Apprentices. NPower's programs are aligned to 
        national standards for U.S. Dept. of Labor Registered 
        Apprenticeship Programs.
     Community Help Desks provide critical human support to 
            help people on the wrong side of the Digital Divide take 
            advantage of on-line job, health, and education resources, 
            while offering trainees the opportunity to build their 
            resume through a paid apprenticeship.
     The Community Help Desk will serve as an especially vital 
            resource to local underserved seniors, public school 
            families, adult learners, and job seekers. The model 
            capitalizes on partnerships with community-based 
            organizations, and can provide a central hub for affordable 
            connectivity and device distribution.
    3. Modernize and reform Federal workforce hiring practices to adopt 
        skill-based hiring practices and the Registered Apprenticeship 
        model for technical roles. This allows the Federal Government 
        to compete for a talented and diverse workforce pool that 
        prioritizes skills and a candidate's ability to do the job, and 
        leads by example in equity-focused workforce development
    4. Establish a grant program within the Department of Labor to 
        support the creation, implementation, and the expansion of 
        registered apprenticeships in Cybersecurity and Information 
        Technology, modelled on high-growth State apprenticeship 
        programs such as California, Texas, and Michigan. Specifically, 
        the Secretary of Labor should provide grants, on a competitive 
        basis, to support the establishment, implementation, and 
        expansion of registered apprenticeship programs in 
        cybersecurity and technology.
    5. Integrate relevant State and Federal policy issues into 
        cybersecurity workforce training programs. A growing contingent 
        of cybersecurity job openings require both technical and legal 
        knowledge to guide companies on issues of privacy and security.
    6. Capitalize on the promising talent pool of military-connected 
        individuals and families, including transitioning Military 
        Service members, Veterans, Reservists, National Guard, and 
        their often-overlooked spouses. Department of Defense 
        statistics show 80 percent of military leave service without 
        another job in place. The protective nature of military service 
        leaves them well-suited for a cybersecurity career, and many 
        already carry higher-level security clearances from their 
        military years. They are a diverse group, with a majority who 
        come from racially and socioeconomically marginalized 
        populations. Military-connected individuals offer an especially 
        promising talent pool from which to grow a strong, diverse 
        cybersecurity workforce.
                               conclusion
    To address our cybersecurity workforce, we must find innovative 
ways to grow our workforce talent pool. For us, a key component has 
been embedding cybersecurity skills, concepts, and competencies 
throughout our expanded learning pathways. In addition, we seek to 
provide security awareness support services and troubleshooting to 
underrepresented communities as part of our national community help 
desk.
    We believe the key to unpacking this unlimited potential and talent 
comes from building training and support programs to command a shift by 
partnering with Government, industry, and employer partners in 
recruiting, hiring, assessing skills and competencies, and supporting 
people into cyber tech careers from various learning pathway.
    Thank you for the opportunity to appear before you today and I look 
forward to taking your questions.

    Mr. Garbarino. Thank you, Colonel.
    Members will be recognized by order of seniority for their 
5 minutes of questioning. An additional round of questioning 
may be called after all Members have been recognized.
    I now recognize the Chairman of the Subcommittee on 
Transportation and Maritime Security, my friend from Florida, 
Carlos Gimenez.
    Mr. Gimenez. Thank you, Mr. Chairman. I appreciate it.
    I'm intrigued by what you said, Colonel, about not needing 
a college degree. So I believe that--somehow in this country, 
if you don't have a college degree, you are somehow 
stigmatized; that somehow you may not be as smart as somebody 
who has a college degree.
    As someone who didn't get a college degree until I was 
about 46 years old, I guess I must have been pretty dumb until 
then, OK. But somehow it didn't hold me back. You know, I'm 
here in Congress for some reason. I must be lucky.
    You said--how long does it take, let's say, for a--you said 
16 weeks of training. In 16 weeks of training, you can get 
somebody up and running to be--to get into the cybersecurity 
space. Is that correct?
    Mr. Starling. We have two courses. The first is tech 
fundamentals. That's 16 weeks. Our advanced course in cyber is 
18 weeks after that. We like to take people that have zero 
experience to get them into a help desk or a junior systems 
admin role first. You can't take a soldier from boot camp and 
make him a Special Forces----
    Mr. Gimenez. So 16 and 18----
    Mr. Starling. So 16 for tech fundamentals and 18 weeks 
for----
    Mr. Gimenez. Even for noncollege graduates, 34? 34 weeks?
    Mr. Starling. That's right.
    Mr. Gimenez. Thirty-four weeks versus 4 years.
    What's the starting pay?
    Mr. Starling. We are starting people from cybersecurity at 
about $63,000. For the tech fundamentals role, national average 
is about $43-. Out in California, I get them about $50- to $55- 
starting salary.
    Mr. Gimenez. What's their career path? How much could 
they--what's their earning potential?
    Mr. Starling. I've got people making over $100,000 a year 
after 3 years. You've got to go in and do the work.
    Mr. Gimenez. How much does it cost for the course?
    Mr. Starling. It costs about $7,000, $7,500 per person to 
get a person through the course.
    Mr. Gimenez. Sixteen or 34--the whole 34?
    Mr. Starling. That's the--that's either course. The 16 
weeks or the 18-week course. We're mainly paying for 
instructors and we're paying for certifications.
    Mr. Gimenez. You said it was 16 and 18, or is it 16 or 18?
    Mr. Starling. Sixteen for tech fundamentals, 18 for the 
cybersecurity----
    Mr. Gimenez. That's on top of the 16?
    Mr. Starling. That's on top of the 16 weeks. Right.
    Mr. Gimenez. OK. So 7 and 7, $14,000?
    Mr. Starling. Yes.
    Mr. Gimenez. Versus $500,000 to go to college, and then 
paying back, you know, $500,000 for the rest of your career, 
and you end up probably getting the same job. Would that be 
accurate or not?
    Mr. Starling. That's definitely true.
    Mr. Gimenez. OK. Sounds like a good deal to me. I think we 
need to start, you know, letting people know about this.
    The other thing that I'm thinking about is artificial 
intelligence. It seems to me that artificial intelligence could 
go a long way in providing cybersecurity. I don't know who can 
answer this. Am I right or am I wrong on that?
    Ms. Wisniewski. I'm happy to take that question.
    Mr. Gimenez. Sure.
    Ms. Wisniewski. We believe that it's going to change the 
cyber work force. It's not going to eliminate the cyber work 
force. If anything, it probably will create even more 
opportunities.
    I know that there's been quite a bit of media coverage, 
especially lately, ChatGPT. Our position is that it is another 
emerging technology, and one that needs to be managed but also 
embraced, and that it actually is not a threat to the cyber 
work force. If anything, it's just going to--the problem is 
going to get worse, not better.
    Mr. Gimenez. I can see that, because you can use IA to 
defend yourself and you can use IA to attack somebody. So it's 
going to be a battle of IAs, and people are going to have to, I 
guess, monitor the battle?
    Ms. Wisniewski. Yes. Absolutely. Monitor and manage.
    Mr. Gimenez. Monitor and manage the battle. Then whoever 
has the brightest IA is going to win at the end?
    Ms. Wisniewski. Potentially. I think that there's still a 
lot of unknowns about the technology, and that's, I think, 
driving quite a bit of the media storm right now. But it is 
still a really important technology. Then, of course, there's 
quantum coming right behind it.
    Mr. Gimenez. Yes. Look, we had discussions with some people 
that--some folks that were working in that space, and I asked 
them the question of where AI was. You know, where is 
artificial intelligence? If you're 21 years old, and that means 
that you're a really bright person--I mean, you're now mature 
and all that--where is AI?
    They refused to answer the question as far as what the age 
was. They did tell me, though, that it was in the third inning. 
So it's one-third of the way there. It's pretty amazing what it 
can do right now. So when it finally gets fully developed, it's 
going to be something.
    So thank you for the testimony. Now, I think we need to see 
if we can push, you know, high school kids, our veterans, et 
cetera, to go into this field without having to go deeply in 
debt and make a really good career. So thank you, and I 
appreciate the testimony.
    I yield back.
    Mr. Garbarino. The gentleman yields back.
    I now recognize Mr. Menendez from New Jersey for 5 minutes 
of questioning.
    Mr. Menendez. Thank you, Mr. Chairman, Mr. Ranking Member, 
for convening today's meeting.
    To all our witnesses, thank you for coming.
    Colonel Starling, as you explained in your testimony, 
NPower received a $1 million grant from CISA as part of a pilot 
program to support nontraditional cybersecurity training to 
reach underrepresented groups. From the statistics you shared 
today, it appears you have achieved significant success in 
retaining students, helping them achieve cybersecurity 
certifications, and placing them in cybersecurity jobs.
    This is a pilot program. How do you think this program can 
be scaled up to reach a larger number of individuals?
    Mr. Starling. We're actually scaling it already. Just to 
clarify, our program----
    Mr. Menendez. How so?
    Mr. Starling. So, first of all, we've got our advanced 
program--it's a Nation-wide program. So we're in 9 States right 
now. But the best students of those rise up and take either a 
cloud or a cyber course.
    I recently launched, last year, NPower SkillBridge. What 
I'm able to do--I'm a DOD partner. I'm allowed to go on 
military bases, recruit people within their last 6 months of 
active-duty service. With command approval, they come to my 
cybersecurity class, and I can ramp them up in 10 weeks' time 
during their last 3 to 6 months on active duty. Full-time 
class, I can ramp them up to get CompTIA, Security Plus, with 
the option of getting also Linux Plus. Those are your two key 
certifications for cyber. From then on, you can--you know, you 
can add to that.
    But we're already growing this program, and we're going to 
have more instructors and more cyber courses available. We are 
a nonprofit, so the training is free to all those who come to 
our class. But I got to go out and raise the money as a 
nonprofiteer. That's my hard job. I get some grants from the 
State of California. I get some grants from different 
corporations. So it really is a private--public-private venture 
to solve this problem.
    Mr. Menendez. Sure. So scalability would be a matter of 
resources?
    Mr. Starling. That's right.
    Mr. Menendez. The program itself is working, right?
    Mr. Starling. That's correct.
    Mr. Menendez. OK. I appreciate that.
    Ms. Dortch, a report last year estimated that over 30 
percent of the Federal Government's cyber work force is over 
the age of 55. In your testimony, you explained how SAP has 
managed to have 60 percent of its cybersecurity work force be 
millennials or Gen Z.
    From your perspective, what are the keys to recruiting a 
younger work force? How can the Federal Government learn from 
the private sector to bring in young cyber workers so we're 
prepared with the cyber work force of the future?
    Ms. Dortch. Thank you for the question. I think this is--
there's two elements to this. For SAP, DEI or diversity, 
equity, and inclusion, is a part of our DNA. So we have to be 
intentional about the goals we're setting, being public about 
it, setting them, holding ourselves accountable, and being 
transparent about where we are. So we do that, and definitely 
publicize where we're going in terms of our talent globally and 
committing to making sure that everybody has an equal 
opportunity to develop, engage, and grow in the cyber space.
    We do believe our Early Talent Program really helps in 
terms of engaging young talent. It's a very quick program. We 
actually have a cohort starting in July. Literally probably 
within 90 days, these kids will have access to our Newtown 
Square facility in Pennsylvania. They'll do rotational 
programs.
    I think one thing I will add--and you'll hear me use the 
word ``flexibility.'' These kids need flexibility. You can't 
sit them and say, you're just going to be a cyber defense 
analyst, and that's it. This rotational program is key to 
allowing them to see the different areas, specialties, roles 
that they can look at.
    Not only in America, but we also allow them to go abroad to 
our global headquarters in Waldorf, Germany, to look at what 
the opportunities are there, but also look at how we can work 
internationally. Cyber is an international--it's a global 
problem, and we have to work with our allies to address these 
issues.
    So for us, it's a global partnership with our allies and 
making sure that we're doing this on a global scale to educate 
folks that this is not just a U.S. issue; this is a global 
issue. Again, making sure that young talent has the flexibility 
to figure out what their interests are and what skill sets 
align, so then when they get the full-time role that we offer 
them, they know where they will fit best and can engage there.
    Mr. Menendez. Yes. I appreciate that from SAP. We want to 
keep the talent here. But it seems the flexibility within 
this--not just acknowledging the cybersecurity as this growing 
industry, but within it, it provides a variety of 
opportunities.
    Building the next generation of cyber talent will require 
us to educate about cybersecurity at a young age. With the 
CETAP program, CISA is taking important steps in helping to 
develop curriculum and provide training to K-12 teachers.
    Ms. Wisniewski, as you have deployed your new entry-level 
CC certification, to what extent have you seen recent high 
school graduates demonstrate an interest in the program, and to 
what extent do they have the existing skills to obtain the 
certification?
    Ms. Wisniewski. Thank you for the question. We believe that 
actually for the entry-level--so similar to Colonel Starling--
that there is not a need for a 4-year degree, right. So these 
students can go right into--you know, they've got the early 
credential, and they're ready. However, that does not mean that 
the private sector doesn't have to continue to invest in them. 
That's, I think, a really important point.
    There's a lot of work to be done around--for hiring 
managers to understand what actually are the right credentials 
for the right job. So we often see our CISSP, which is a 
globally de facto standard, we--it requires 5 years experience, 
endorsement, et cetera. We often see that on an entry-level job 
description. That doesn't match. So we have a lot of work to 
do.
    So it's not only about getting more people in, but there's 
a lot of work to bring the private sector to the table as well.
    Mr. Menendez. For sure. I appreciate that answer.
    I yield back. Thank you.
    Mr. Garbarino. The gentleman yields back.
    I now recognize Mr. Ezell from Mississippi for 5 minutes of 
questioning.
    Mr. Ezell. Thank you, Mr. Chairman.
    Colonel, I was very interested in what you were telling us. 
I think that's something that we need to work hard, because 
everybody understands the threat that is coming at us right now 
on a daily basis. We had a roundtable this morning discussing 
some of these things. So I want to thank each and every one of 
you for your hard work.
    I too was 37 years old before I got my degree. When I got 
out of high school, I went straight to work. As I progressed in 
my career, I realized the importance of getting a college 
degree and what it meant to me and to where we are today.
    But, you know, one of the things that I would like to ask 
you a little bit about is on your recruiting. Is this a Nation-
wide recruiting? You know, tell me about your recruiting and 
who you're reaching out to and how you're reaching out to them.
    Mr. Starling. Yes, sir. So right now, we are located in 9 
different States, and our recruiting is focused toward those 
communities that we're in, such as Baltimore; San Jose, 
California; Detroit, Michigan. We're recruiting there.
    Now, we can--when we go to the next level--that's tech 
fundamentals. When we go to the next level, we recruit Nation-
wide. The training is instructor-led and on-line. So they're 
accountable. We try to actually get people together physically 
from time to time for either the professional development or 
something that requires hands-on training.
    So the SkillBridge program that I run for Department of 
Defense--with the Department of Defense is Nation-wide. I've 
got people in Korea, in Germany. They're signed up for the 
class, they log in, it's instructor-led, and they've got to 
keep pace with the curriculum. So right now, this has the 
ability to scale Nation-wide very easily.
    Mr. Ezell. What about rural Mississippi? As if you can 
tell----
    Mr. Starling. Sir, we can definitely discuss that. We'd 
love to be down--I'd like to be in all 50 States.
    Mr. Ezell. OK. Well, I would like to help you get there. We 
have a diverse work force in Mississippi. We have some of the 
largest industry out there.
    One of the things that I was thinking about was, in my 
State of Mississippi, we have--if you look across the Nation, 
you know, our work force is retiring. Our police officers are 
retiring. In the State of Mississippi, you can work 25 years as 
a police officer or a teacher or somebody that works for the 
State and who is very still capable of entering this work force 
and would be an asset.
    You know, I know we want to get our young kids out there 
but, you know, old guys can--you know, we can still work too. 
So, you know, I would really like to see the focus to target 
some of these people who are retiring from State jobs who are 
still in their 40's that could give you 20 years of work who 
are educated in the world of getting up and going to work every 
day.
    So I would really like to work with you--and each of you--
to help get this going, because we know the threat is out 
there. We know that we've all talked about the shortage of the 
work force, the challenges that you have. I really think that 
we could come together on this, as everybody could, to get this 
done.
    So would any of you like to just add a few words to some of 
the things we're talking about?
    Ms. Dortch. Thank you, Congressman. I will add, I think, 
you know, we talked about our commitment to creating an early 
talent pipeline. But we also, with our Government Security and 
Secrecy team, it's very clear that we need professional--
seasoned professionals, especially in the national security 
space.
    As my opening statement mentioned, I mean, we have folks 
that have been in that sector for 30 years that we attract to 
SAP and find value. I think part of this is making sure that 
they stay connected to the missions that they previously were 
in. But there is the challenge of making sure that we--when we 
on-board folks, that we also make sure that they continue to 
develop and grow within our ecosystem, and that's something 
we're committed to at SAP. I would be happy to follow up with 
you on other ways we can look at upscaling and rescaling folks 
into cybersecurity roles.
    Mr. Ezell. Thank you very much.
    Colonel, or anybody else would like to say anything?
    Mr. Markow. If I may, I'd love to add to what you were 
saying about the need to reskill existing workers and find new 
opportunities to bring seasoned workers into the field.
    Mathematically, it's an absolute necessity for us to do 
that if we're going to close the talent gap. Even if we 
magically assumed that every single computer and information 
science graduate at any degree level went into cybersecurity, 
we would still need at least 200,000 additional people. So 
we're going to have to find ways to redeploy and reskill 
existing workers if we're going to close that talent gap within 
any human time scale.
    So being able to give clear guidance, both to individuals, 
but also to their employers about how to reskill those people 
and how to find the right pools of workers who can most readily 
and rapidly be redeployed into cybersecurity is one of the most 
important things we can do to help grow the cyber work force, 
leveraging existing workers. Lightcast is also more than happy 
to work with you to try to make that a reality.
    Mr. Ezell. Thank you very much.
    Mr. Chairman, I yield back.
    Mr. Garbarino. The gentleman yields back.
    I now recognize the Ranking Member, Mr. Swalwell, for 5 
minutes for any questions.
    Mr. Swalwell. Great. Thank you.
    Colonel Starling, first, I just want to thank you for your 
three combat tours that you did for our country in the Marines. 
If that's all you did to serve our country, that would be 
enough. But here you are working to get veterans placed into 
jobs. I really appreciate that.
    With respect to NPower--and you went through with my 
colleague, Mr. Gimenez, what the cost structure is. Are those 
students--are they eligible for financial aid?
    Mr. Starling. Yes. Most of them are. We look for young--so 
we have veterans and young adults. Veterans and veteran spouses 
can be any age, any place. The young adults, we're looking for 
18- to 26-year-olds and 200 percent of the poverty line or 
lower, right. So that's mainly the socioeconomic group. Now, we 
might make an exception here or there if somebody's close, but 
that's what we're really looking for, to pull them out of a 
situation of poverty.
    Mixing veterans with young adults--about 50/50 in the 
class--is a great thing. The veterans are about 8 to 10 years 
older. They have some life experience. I tell them, I need your 
post-traumatic strength. You might have worked in a combat 
zone. These young people still live in one in some cases. So 
veterans and young adults is an amazing thing, and that's what 
makes me happy to get up and work every morning.
    Mr. Swalwell. Is that financial aid through FAFSA, like 
public financial aid, or is it private aid that they have to--
--
    Mr. Starling. Some of them would be eligible for that, but 
we don't take any money. Our program is 100 percent free. 
Especially for veterans, I tell them, your GI Bill is gold. You 
save that for college when you're ready to go. But some of them 
need a job now to feed their family. So getting through a 16-
week boot camp and then working at a place--we've got people at 
the San Francisco Giants, at Lawrence Berkeley Lab, some good 
jobs.
    Mr. Swalwell. Hey, they're in second place right now, by 
the way, and climbing.
    According to the survey last year--it's true. It is true. 
It's true.
    According to a survey last year by ISACA, 60 percent of 
cybersecurity professionals reported difficulties retaining 
cyber talent, and this is at a time that we have a tremendous 
shortage in the cybersecurity work force. Keeping existing 
workers in the field must be a part of that equation, of 
course.
    Mr. Markow, to what extent does your data show a problem 
with employee retention in the cyber work force, and are there 
challenges limited to employees moving between jobs, or is 
there a problem with workers leaving the cyber work force 
entirely?
    Mr. Markow. Thank you for the question. Our data definitely 
do show that there are retention problems within the 
cybersecurity work force. Consistently, cybersecurity workers 
leave more frequently than many other roles, even within 
information technology, which is already rife with many hiring 
challenges, due talent shortages. I think that there are also 
some unique challenges that are arising from the way that 
employers are hiring for cybersecurity workers in the first 
place.
    I think we've already talked about it some today, but many 
employers are effectively cutting out the entry-level rung into 
cybersecurity and saying you must have a bachelor's or master's 
degree. They're saying you must have at least 3 to 5 years of 
prior work experience. I usually liken that to hiring 
mercenaries. You're looking for somebody who already has the 
skills you're looking for--that you think you need to perform 
the job. But in many cases, those are the people who everybody 
else is looking for. It just becomes a game of poaching from 
one employer and poaching from another for a very small pool of 
workers that have this mythical set of unicorn skills.
    The companies that we actually see with the best retention 
rates are the ones that are taking more of a skills-based 
approach to hiring as opposed to a credential-based approach to 
hiring. So if we look at companies that are hiring workers with 
less than a bachelor's degree, they have better retention 
rates. If we look at companies that are hiring a more diverse 
work force, they have better retention rates.
    So one of the things that we try to educate employers on is 
to not cut out that entry-level rung of opportunity and to make 
sure that your talent pipeline has as wide an aperture as 
possible so that you're bringing in more diverse candidates, so 
that you're bringing in the workers who don't have a bachelor's 
degree. As a matter of fact, you're actually seeing better 
outcomes as a result.
    So I think that being able to communicate that to employers 
and speaking in their language, saying, you will see the return 
on your investment by making some of these changes and taking a 
skilled-based approach to hiring, can go a long way toward 
solving some of those retention challenges.
    Mr. Swalwell. Ms. Dortch, briefly, what are you doing to 
increase retention?
    Ms. Dortch. Just to add on, I think part of this is, again, 
flexibility. We're also looking at making sure fair pay and 
compensation--making sure we're competitive there.
    Mental health is something we talk about, burnout, and 
making sure that that's prioritized. We're always pulsing our 
employees every quarter to see how they are feeling and what we 
need to do to make adjustments with our work conditions.
    Then also a big piece for us is cyber professionals at SAP 
can take part in our global technology fellowship. So if they 
want to explore other options, they certainly can. We encourage 
them to do so.
    Mr. Swalwell. Thank you.
    I yield back.
    Mr. Garbarino. Thank you. The gentleman yields back.
    I now recognize Ms. Lee from Florida for 5 minutes of 
questions.
    Ms. Lee. Thank you, Mr. Chairman.
    Thank you all for being here today. This has been such an 
illuminating and important conversation for us to have.
    So I represent Florida's 15th Congressional District, and 
it is home to the University of South Florida, which has been 
working hard to ensure that we have the cyber talent, that 
we're developing young people to come in and work in these 
industries.
    The Florida Center for Cybersecurity at USF serves as a 
resource for us to enhance our cybersecurity education, 
facilitate research, conduct outreach initiatives in the 
community, and there are two particular education initiatives 
there that I want to mention.
    One is designed to address the work force shortage and 
build our pipeline. CyberWorks, which provides a 19-week 
curriculum to first responders, veterans, and other qualified 
participants to prepare for industry-recognized certifications 
and career opportunities.
    The second, Operation K-12, offers cybersecurity career 
prep and certification courses for high school students, 
professional development for teachers, lesson plans, and summer 
camps for elementary, middle, and high school students. They're 
both designed to expand the talent pipeline so that we can meet 
the roughly 34,000 cybersecurity job vacancies that we have in 
Florida right now.
    So, you know, I've been so interested to hear the 
innovative ways that each of you are describing developing that 
work force above and beyond the 4-year college degree.
    I want to start with you, Mr. Markow. Would you talk about 
the--go back to the value and utility of certifications, 
specialized certifications, and training. Obviously, we love 
our university graduates as well, but how those certifications 
and training can help build our work force. Are there certain 
types of certifications that stand out to you as being the most 
useful or constructive in addressing our current work force 
shortage?
    Mr. Markow. Thank you for the question. When it comes to 
certifications, I think that they are most effective when they 
are an effective proxy for proficiency in the skills that 
employers most value.
    So we see that the certifications that really communicate 
that to employers are the ones that are aligned with the--both 
foundational skills that are most needed within a field, but 
also some of the high-growth, high-value skills that employers 
value the most as well, or they at least communicate to 
employers that this worker has built the foundational knowledge 
to rapidly learn those new skills.
    We also see that there are different roles that 
certifications can play at different levels of somebody's 
career. So there are some entry-level certifications, such as 
Security Plus and a number of others, that are very effective 
at helping to open the door for many workers to enter into 
cybersecurity. But we also see that there are many more 
advanced-level certifications, such as CISSP, that are very 
good at communicating to employers that somebody is an expert 
in the field.
    Now, the challenge that we also see, though, is we need to 
educate employers to be responsible recruiters of these 
certifications.
    Ms. Lee. That's perfect. You actually just anticipated my 
next question, which is, do you feel like this message is 
getting to employers? Do you feel like they are recognizing the 
value of these certifications? What are you doing--or what can 
we do to try to help ensure that employers too are recruiting 
effectively to find this talent?
    Mr. Markow. It's a great question. I think that what we 
really need to do is to communicate to employers the role that 
each of these certifications plays and the skills that each of 
these certifications actually serve as an effective proxy for.
    This was mentioned earlier that often CISSP is requested in 
entry-level openings. That's actually not just a rare anecdote. 
We've actually seen about 20 percent of job openings calling 
for a CISSP. They also ask for fewer than 2 years of work 
experience.
    So I think that to really educate employers on the skills 
and the level that each of these certifications are effective 
proxies for is one of the most important things we can do to 
make sure that employers are responsible recruiters of 
cybersecurity certifications.
    Ms. Lee. Is there anything more that you perceive that we 
as Congress could be doing to help either foster the 
development of this talent pool or help get qualified people 
into the right placements?
    Mr. Markow. So I think that one of the most important 
things that Congress or the Federal Government more generally 
could do is to really help to educate employers through clear 
standards around skills-based hiring and around the types of 
practices--the hiring best practices--that they should be 
taking.
    I know we've talked a lot about what the supply-side, 
educators can do, and I think that there are many fantastic 
initiatives already under way on that side that can be built 
upon. But I also think that less has been done to educate 
employers on how to be responsible recruiters and how to take a 
skills-based approach to growing their cyber talent pipeline 
and to give them the tools that they need and the standards 
that they need to know how to do that within their 
organizations.
    Ms. Lee. OK. Thank you very much.
    Mr. Chairman, I yield back.
    Mr. Garbarino. The gentlelady yields back.
    I now recognize myself for 5 minutes of questioning.
    Ms. Dortch, we've heard about the many things that SAP is 
doing, and I've heard from other industry leaders of all the 
great things that the private sector is doing to address cyber 
work force challenges. Do you think these efforts should be 
coordinated?
    Ms. Dortch. We absolutely feel that these should be 
coordinated.
    If you look at what the European Union is doing right now 
with the establishment of their cybersecurity academy, they are 
really centralizing a lot of their efforts across the E.U. 
member states to build it on a platform, but also making sure 
that there's funding available. So finding the credentials, 
providing training for folks who are raising their hands to get 
trained, but also the jobs. They want to make sure that people 
know where the job opportunities are.
    So it's really about making sure that we have a centralized 
place for training. If I really just type in a search engine, 
how do I get into cybersecurity, it should take me to a search 
engine to find something that's affordable that I can get into. 
Then once I'm done, I should be able to find a centralized job 
database, whether it's USAJobs or another place, to find the 
job that matches my skill sets based off the certification 
program.
    But I do think the United States has the opportunity to do 
that. We're starting to see that with CyberSeek. I think we can 
do a lot more. But I do think the Europeans are getting a 
little bit ahead and playing a more strategic game, and I think 
the United States can definitely get there if we can put more 
concerted effort around centralizing these resources, making it 
easier for Americans to get upskilled or reskilled into 
cybersecurity roles.
    Mr. Garbarino. My next question was going to be, should the 
Federal Government be doing anything, because sometimes we 
shouldn't. We should let you all do your thing. But it sounds 
like, you know, funding, training, platforms similar to what 
the European Union's doing might be the best way to handle, 
from just what--from what you just said.
    Ms. Dortch. Definitely that. Then we would urge Congress to 
support the JOBS Act, which provides short-term Pell grants for 
programs, boot camps that are cybersecurity-focused that, 
again, if there's 8- to 12-week programs for, you know, 
critically-needed roles, we do think that that might be an 
option. Understanding we need to make sure that, you know, 
there's accountability, that there are actual matriculation 
into jobs is really important with that. We do think that that 
might be a tactic that Congress should look into, the JOBS Act.
    Mr. Garbarino. Thank you. It's very big, that JOBS Act. So 
I'd like to focus on the Pell grant section.
    Mr. Markow, workforce shortages are persistent across all 
16 critical infrastructure sectors. CyberSeek is able to 
procure job opening data across all those sectors, allowing 
potential job seekers to get an industry-specific preview of 
what their market looks like.
    In your view, what industries in the private sectors have 
taken effective steps and proactively addressed their cyber 
work force shortage?
    Mr. Markow. It's a good question, and I think that I will 
say there are employers across all sectors that have taken some 
very proactive steps.
    If I were to try and generalize across different sectors, I 
would say that the financial services sector has been a leader 
in many cases. I think that out of necessity, due to the 
sensitivity of the data and the information that they have, 
many organizations in financial services have been very 
proactive in trying to build their cybersecurity work forces 
and to really work collaboratively with educators, policy 
makers, and others.
    We've also seen some very effective examples across even 
retail, information, and some energy companies as well, who are 
very focused on building a pipeline of talent that they can 
manage in the same way that they would manage any of their 
supply chains. They're taking ownership over developing their 
own cybersecurity talent, working collaboratively with, again, 
educators, policy makers, nonprofits, and other stakeholders in 
their communities.
    So, again, there are very good examples across a number of 
different sectors, but I think that's--those are some of the 
industries that we've seen some of the more proactive 
approaches.
    Mr. Garbarino. I appreciate that. In your testimony you 
mentioned public-private partnerships as potential incentives 
to push individuals, educators, employers, and other 
stakeholders to help strengthen the cybersecurity talent 
pipeline. Many States have experimented with programs to 
improve these outcomes as well.
    Are there any potential programs that have proven to be 
significantly effective at recruiting and retaining cyber work 
force, and what programs at the State level could serve as a 
bellwether for future programs?
    Mr. Markow. It's a great question. I think transparently a 
lot of these programs are still relatively new. So there--they 
might also still be in the third inning. So we're still looking 
for more outcomes data.
    That said, there have been some initial promising results 
from things like TechCred in Ohio. Not sure if you're familiar 
with that, but it is a program that--in which Ohio employers 
are able to receive some funding and tax credits to support 
training their existing workers in industry-recognized 
credentials.
    So this enables them to more readily upskill and reskill 
their existing work force and to solve that problem of how do 
we bring in fresh blood as rapidly as possible. It's by 
investing in your existing work force. So that's one program 
that has shown some promise.
    This is actually not a State program. It's actually 
something DHS has done as well is to pilot some talent-sharing 
programs with employers, private employers. I think that can be 
potentially an effective way to solve the chicken-and-egg 
problem of how do you build more experienced workers when 
employers primarily only want to hire somebody who already has 
experience?
    So if CISA can help to reduce some of the friction for 
training the entry-level workers and giving them on-the-job 
opportunities either in DHS or in the private sector, then that 
can both help to solve that chicken-and-egg problem of how do 
you bring fresh blood into the industry and how do you make 
employers more incentivized to hire entry-level workers.
    But it also helps to facilitate sharing of skills and 
cross-pollination between both the public and private sector, 
which can have benefits to the actual productivity of your 
workers and the security of our digital infrastructure, both in 
the public and private sector.
    Mr. Garbarino. Thank you. My time has expired.
    I now recognize the gentlelady from New York, the former 
Chairwoman of this committee, Ms. Clarke.
    Ms. Clarke. Good morning. Let me start by first thanking 
Chairman Garbarino and Ranking Member Swalwell for allowing me 
to waive onto the subcommittee for this important hearing on 
growing our Nation's cybersecurity talent pipeline.
    Thank you to our panel of esteemed witnesses for joining us 
today.
    One of my most persistent chall--one of the most persistent 
challenges we face today in strengthening our Nation's 
cybersecurity posture has been the on-going shortage of trained 
cybersecurity professionals. Addressing this shortfall has been 
a priority of mine as Chairwoman of the Cybersecurity 
subcommittee last Congress, and I'm heartened to see that it 
remains a priority for this committee in the 118th.
    I'm also proud to say that, while we still have a ways to 
go, over the past 2.5 years, Congress and the Biden 
administration have taken important steps to increase 
investment in our cyber work force and do so in an inclusive 
way. For instance, the National Cyber Director is currently 
working to develop a cybersecurity work force strategy so that 
we can ensure agencies across the Federal Government are 
coordinating their efforts to address this challenge.
    I've been pleased by the administration's engagement with 
industry and academia in developing this strategy. I look 
forward to seeing how Congress and my--and this subcommittee 
can help further support these efforts in the coming months.
    While this new strategy will be essential to ensuring our 
cyber work force efforts have clear goals without inefficient 
redundancies, Congress and the administration are already 
working to implement important programs that will make sure 
there's a difference in building a larger and more diverse 
cyber work force.
    I am pleased to see that NPower, a national nonprofit based 
in Brooklyn, New York, that is dedicated to supporting the 
digital careers of veterans and young people from underserved 
communities, is represented on the panel today. I look forward 
to seeing the long-term fruits of this program and learning how 
we can further scale up to train more women and people of color 
for cybersecurity careers.
    In the CHIPS and Science Act enacted last year, Congress 
established the Dr. David Satcher Cybersecurity Education Grant 
Program, based on legislation that I cosponsored. This program 
authorizes NIST to provide grants to support cybersecurity 
training in Historically Black Colleges and Universities and 
other Minority-Serving Institutions.
    If we're going to meaningfully address the lack of 
diversity in the cyber work force, we must ensure that HBCUs 
and MSIs have the capacity to provide high-quality 
cybersecurity training to their students and ensuring this 
grant program has the funding to be effective and must be 
prioritized.
    So my first question is for Ms. Dortch and Ms. Wisniewski. 
In your organizations' partnerships with HBCUs and MSIs, what 
are the benefits you've seen from developing the next 
generation of cyber professionals at these institutions, and 
how important do you see building cybersecurity education 
capacity at HBCUs and MSIs?
    Ms. Wisniewski. Thank you, Ms. Clarke, for the question. We 
actually have had an incredible reception at HBCUs in terms of 
really embracing this topic, and we're pleased. Actually, we 
were just invited by the board of the United Negro College Fund 
to actually attend a conference in Atlanta this summer to kind-
of really dig in, right.
    I think that it's really important that the HBCUs in 
particular take a leadership role here because the reality is, 
on the academic front, cyber is actually a very young academic 
discipline. So there's an opportunity for leadership, and I 
think it's totally appropriate at HBCUs.
    One of the things we've also learned recently and--is that 
security in general at HBCUs is an important thing for people 
to think about. So cyber--having a robust cyber profile in an 
HBCU is not only important for the students, that they're 
pushing through a certain program, but also just for the 
university as well.
    So we think that there's incredible opportunity. We also 
think that with that--we can't do this without HBCUs and MSIs. 
I mean, it's just absolutely critical.
    Ms. Dortch. I'll just quickly add, for SAP, our University 
Alliances program, which is 25 years old, we really value our 
partnerships with MSIs and historically Black universities.
    We established what's called SAP Project Propel at certain 
HBCUs to make sure that kids have exposure to organizations 
like SAP. We can get them micro-credentials that may not be 
cyber-specific but get them exposure and ready to see 
opportunities in the cybersecurity space.
    I also want to commend the National Science Foundation for 
taking the opportunity to study the success rates that are 
happening for African Americans in the STEM pipeline. It's 
really important that we understand what tactics they're using 
to encourage kids to get into STEM, especially cybersecurity.
    SAP has encouraged the Office of the National Cyber 
Director to potentially work with NSF to explore this 
specifically for cybersecurity. How can we matriculate more 
African-American students out of historically Black 
universities into cybersecurity graduate programs?
    Ms. Clarke. Mr. Chairman, I yield back. Thank you.
    Mr. Garbarino. The gentlelady yields back.
    We're now going to start our second round of questions, so 
I recognize Mr. Gimenez from Florida for 5 minutes for his 
second round.
    Mr. Gimenez. Thank you, Mr. Chairman.
    Question for Mr. Markow. You stated that some companies 
look for college graduates and are looking for the same--same 
people and then they're mercenaries. They basically are there, 
looking for a great job. But then as soon as they get there, 
they're probably looking for the next job, seeing if they can 
go higher and higher and higher because there's a small pool of 
them.
    Do you find that--that some of those companies or most of 
those companies that have--that are looking for these college 
graduates, et cetera, et cetera, they're college graduates 
themselves?
    Mr. Markow. That definitely is more common. I would 
hesitate to pigeonhole and say that it's always going to be 
companies that have a large proportion of existing bachelor's-
level graduates. That said, we do see that heightened degree 
requirements are most common in regions and industries that 
have the highest proportion of people with a college degree.
    So we do see evidence in the data that people with a 
college degree are more likely to also look for somebody with a 
college degree, although it's not going to be across the board 
in the case.
    Mr. Gimenez. A different kind of discrimination then, huh?
    Mr. Markow. Well, I'll hesitate to opine on the reason for 
it. But I do think that people are more likely to hire for 
people who have a similar background to themselves, and I think 
that that's one of the types of cognitive biases that we do try 
to help employers break out of by giving them hard data to 
understand what the impact of that cognitive bias might be and 
how they can find a better way to recruit and retain workers 
who come from a more diverse background.
    Mr. Gimenez. Yes, we need to do something about that, that 
we seem to have as a--as a Nation maybe this bias that somehow 
if you don't have that piece of paper, you may not be--be as 
good. As somebody who beat the pants out of two Harvard guys 
when he first ran for college, I find, you know--I was really 
happy doing that. I didn't have the Harvard degree.
    So as a firefighter, because that's what I am, a 
firefighter, the United States has a U.S. Fire Academy, which 
is--which has been used to really elevate, you know, the 
profession.
    Do you believe that maybe we should have--we should sponsor 
a U.S. cyber academy for the same thing?
    Ms. Dortch? Sorry. Yes.
    Ms. Dortch. I think, you know, this is something that was 
also brought up by the CISA Cybersecurity Advisory Committee. 
They made the recommendation that CISA should have a cyber 
academy. I think it's something that we should consider. We do 
need to make sure that we are taking a multifaceted approach to 
getting people into cybersecurity. I don't think it's the sole 
silver bullet that will solve this challenge, but it is 
something I think we should explore as a Nation to see if we 
can get folks, multiple pathways, multiple entry points into 
cybersecurity and trained.
    You know, the biggest part to this also is just on-
boarding. Once we get them trained, let's get them into the 
roles, the jobs that are open, whether it's in the Government 
or in the private sector.
    Mr. Gimenez. Yes. The fire academy actually did a lot to 
and has done a lot to elevate, I guess, the professionalism of 
the craft. I believe that a cyber academy could do--could do 
the same thing, teaching best practices. Because really the 
academy, the fire academy, is really about training the 
trainers. The same could be done for a cyber academy. So it's 
something that probably we should be looking into to establish 
that.
    You said that the European Union had some kind of a similar 
academy. What is it that they do?
    Ms. Dortch. So this--notionally, it's not a formal academy. 
It's more of a platform to bring all of the resources that are 
already there, so private employers who have micro-credentials 
already or governments in other countries that have already set 
up similar reskilling boot camps.
    So it's really building a platform to centralize that 
information so candidates have the opportunity to kind-of pick 
and choose where they see their current skill sets and their 
interests, align those, and pick where they would like to go, 
which, I think--again, I keep using the word ``flexibility.'' 
You have to give professionals flexibility to figure out where 
their interests and current skill sets match up best. But also, 
if they are not a good fit, they have the ability to move 
around in the cybersecurity field.
    Mr. Gimenez. Do you know if the Chinese have something 
similar to that?
    Ms. Dortch. I am not aware of that.
    Mr. Gimenez. OK. Thank you very much.
    I yield my time back.
    Mr. Garbarino. The gentleman yields back.
    I now recognize Mr. Menendez from New Jersey for 5 minutes 
of questioning.
    Mr. Menendez. Thank you, Mr. Chairman.
    So we've heard about being less rigid in hiring practices 
for employers, being more flexible, and we understand our 
mission there.
    I'm curious. During this hearing, I was writing down the 
names of high schools and community colleges and Stevens 
Institute of Technology, which are in the Eighth Congressional 
District in New Jersey. Where should we be going to amplify the 
opportunities in the cybersecurity space? What should our pitch 
be? If we're not the right messenger, who is?
    That's for anyone on the panel.
    Ms. Wisniewski. So I'll take that one.
    I think that there's a lot--and, actually, the--with Mr. 
Gimenez, really important about the professionalization of the 
sector.
    So, you know, the idea that a cyber professional is, you 
know, the face of the cyber professional is in a black hoodie 
and in a closet, you know, that--that still exists and we 
really need to do a lot of work to actually change that.
    So I would argue that if--if Congress can do more to 
actually up the game in terms of the professionalization of the 
sector--and this is something that we also, like Mr. Markow, 
believe standards are really important here. There is an 
opportunity for us to, in the way that, say, the accounting 
profession or the engineering profession has a certain level of 
profile within the public, that that actually is really 
critical for the future of cybersecurity.
    There's actually a proliferation of activities that are 
happening at a Nation level. Not only we're familiar with the 
E.U. school's academy as well, in the United Kingdom there's 
the U.K. Cyber Security Council that's really driving a new 
licensing scheme for people to become chartered professionals.
    So I think if we can do more to actually raise that 
profile, that would be incredibly helpful.
    Mr. Menendez. Sure. Hopefully today's hearing is a good way 
of doing that because, you know, it's one of the joys of being 
here is to work on this issue in a bipartisan way.
    But in terms of reaching folks, right, and, you know, I 
think about this on the apprenticeship side across all 
different industries, right, and how do we access people, reach 
them, and let them know about different opportunities across 
different industries. Specifically with cybersecurity, where do 
you think we should be going to market these opportunities and 
letting know--and letting folks know they can avail themselves?
    Because it seems a pretty--from the testimony, it's a wide 
swath of folks, right, from retraining people already in their 
careers, retraining veterans, finding people on a 
nontraditional academic path, to people in a traditional 
academic path.
    So it seems a wide variety, and basically we need to pull 
from everywhere, and I get that. But where do you find the most 
efficiency or the places that are most ripe for wanting to be 
informed about opportunities and professions in the 
cybersecurity space?
    Again, to anyone who wants to take that question.
    Mr. Starling. You know, from my perspective, I work with a 
lot of young people and veterans. Most of us know more about 
cybersecurity than we think we do. I mean, it's--it's pervasive 
in our lives. I think getting young people excited about it, 
getting them motivated about it, it starts with parents. It 
goes into the school system.
    You know, we're inundated with all these video games and 
all these other things. If you can play these games for as long 
as you do, you can take that knowledge and apply it to 
something like cybersecurity, which is, you know, it's a lot of 
the same concepts. But now it's something that is, you know, 
defending your home, your company, defending the Nation.
    So I think with parents and with schools, and whether you 
do it in college or whether you take a nontraditional pathway, 
it doesn't matter, both of those exist.
    Mr. Menendez. Great. I appreciate that.
    Just, you know, in terms of the pipeline, you know, we've 
talked about sort-of the different folks that we can try to 
recruit into the cybersecurity.
    But I am curious. For folks that have sort-of the more 
traditional pathway of computer and information science 
backgrounds, who are we competing with? Or who are 
cybersecurity firms or companies competing with for access to 
that talent? Sort-of what sort-of potentially competitive 
disadvantage are cybersecurity professionals, the Government 
firms at compared to those other career paths that those folks 
could take?
    Mr. Markow. Happy to answer that question.
    I think that cybersecurity for a long time was not a field 
that had a very clear brand within many organizations, and I 
think that resulted in many people ending up in the field by 
happenstance. They had started working in networking. They had 
started as a developer. They had started anywhere else but 
cyber, and somebody said you're the cyber person now. So I 
think that there's a lot of branding work that needs to be done 
to overcome that.
    I think that some of the fields that do have a more 
effective brand within the IT community are fields like 
software developers and engineers, even networking roles, and 
now increasingly data scientists and others focused on 
developing AI and other emerging technologies. Cloud computing, 
for example, is a big one.
    I think that being able to communicate why cybersecurity is 
a compelling career path, even within the context of those 
other compelling career paths, is important. We do see that 
there are very compelling reasons to move into cybersecurity. 
On average, they pay salaries that are about 10 percent higher 
than other IT jobs. They offer fantastic job security. They can 
lead to just a sense of reward and accomplishment by knowing 
that you are protecting some of our most valuable digital 
assets.
    But I think that we need to communicate that story. We need 
to build the brand of cybersecurity jobs so that they can be as 
effective and they can essentially serve as a magnet to more 
people who are interested in a career in CS who for the longest 
time thought the best path to a good career in CS was to go 
work as a software developer at the next Facebook.
    Mr. Menendez. That's really helpful.
    I yield back. Thank you.
    Ms. Lee [presiding.] The gentleman yields back.
    I now recognize myself for a second round of questioning.
    My question for each of you is this: You've provided us 
such useful information already during this hearing, but I want 
to know, is there anything that you were hoping to share with 
us today that you think is important information for us to have 
that you haven't already had an opportunity to share?
    Ms. Dortch, I'll start with you.
    Ms. Dortch. I think the big thing right here is that, you 
know, in the United States we're seeing a transformation 
happening when it comes to the regulation within cybersecurity. 
We have CIRCIA, the Cybersecurity Incident Reporting for 
Critical Infrastructure Act. We have the Cybersecurity Maturity 
Model Certification. We have a proposed rule from the 
Securities and Exchange Commission for incident reporting of 
material cybersecurity incidents. The list goes on and on.
    With the increase in regulation, that drives the need for 
us to have cyber professionals who can help us meet the 
requirements, put in the security controls, maintain the 
network, and keep--make sure that we're responding, and working 
with the sector-specific agencies or CISA in that matter to 
respond to these things.
    But in order to really execute this, we do need time. I 
think it's really important that when the Government is looking 
at rolling out these regulations and these policies, that 
industry and the Government is giving itself more time.
    So really the ask of Congress is to urge certain agencies 
like the Office of Management and Budget, which has a memoranda 
right now on secure software development practices, we are 
really trying to make sure that we are in alignment with those 
and making sure we're compliant. But we need a little more time 
to make sure that, not only our contracting officers at Federal 
agencies are ready for the attestation statements that we have 
to submit, but that our software developers are meeting and 
complying with the frameworks that are in place and set by 
NIST.
    Ms. Lee. Thank you, Ms. Dortch.
    Mr. Markow.
    Mr. Markow. So I think that one--one thing we haven't 
really touched upon is the speed of change within 
cybersecurity. Building our cybersecurity work force is not a 
destination. It is a continuous journey. Skills are constantly 
evolving. New technologies are constantly being utilized both 
by bad actors, as well as cybersecurity professionals. We need 
to be constantly reskilling our people.
    In just the past 2 years, we found that about a quarter of 
the skills required for cybersecurity professionals have 
changed. So even if we were to graduate many folks with degrees 
at a Bachelor's level, a graduate level, what have you, their 
skills are going to be outmoded within just a few years.
    So being able to provide the resources, the information, 
and the tools to employers, educators, and individuals that 
they need to keep up with such a rapid pace of change in the 
industry, I think, is one of the things that the Federal 
Government can help to build the foundation for, so that we do 
have that information access for everybody who needs to keep up 
with such a rapid pace of change in the industry.
    Ms. Lee. All right. Thank you.
    Ms. Wisniewski.
    Ms. Wisniewski. Thank you. I agree with Ms. Dortch that 
actually the regulatory environment is incredibly active right 
now and is going to actually bring more requirements to cyber--
the cyber community, and so the problem's going to get worse, 
not better. So there is a real need for innovative strategies 
around work force development and new strategies around work 
force development. So old approaches don't apply.
    Fully agree with Mr. Markow that the profession is going to 
change dramatically so quickly. The combination of that change 
with the--a very active regulatory environment that is, I 
think, intentionally in a--trying to do the right thing, but 
the two are going to miss each other. So unless we do something 
drastic soon, it's just going to compound.
    Ms. Lee. Excellent.
    All right. Colonel Starling, anything you would add?
    Mr. Starling. So it's not just about the training of 
people. One of the things, we overlook a lot of talent because 
we're not--we don't access them. So having the training, plus 
some wraparound services that--that knock down the barriers 
that people have, whether that is getting child care, whether 
that is being able to make their rent payments, and then 
opening up apprenticeships and internships, paid 
apprenticeships and internships for those people.
    If we want to have a truly diverse work force, we got to go 
find them. It's not just the training. It's the other pieces 
that allow them to use their own grit and determination to 
succeed.
    Ms. Lee. Thank you very much.
    At this time I recognize Ms. Clarke from New York for 5 
minutes of questioning.
    Ms. Clarke. Thank you very much, Madam Chair.
    Equipping institutions of higher education with the 
resources they need to provide high-quality, high-level 
cybersecurity education as a discipline is so important. But it 
is only one piece of the puzzle when we think about long-term 
solutions to growing the cyber work force.
    We also need to consider early education opportunities so 
that school-aged children have the skills and understanding to 
consider careers in cybersecurity down the road.
    I know CISA has funded the nonprofit cyber.org to develop a 
nationally-focused K-12 cybersecurity education and training 
program for teachers to provide students with the cybersecurity 
education foundation across all 50 States.
    Mr. Markow, what can employers do to better engage with K-
12 sector--the K-12 sector to use these available resources to 
further develop effective career pathways into cybersecurity 
jobs, opportunities, and careers that are sustainable in the 
long run?
    Other panelists are free to respond as well.
    Mr. Markow. Thank you for the question. I think that 
employers can proactively go out and engage with schools in 
their communities to find opportunities to communicate the 
opportunities within cybersecurity.
    So going back to what we talked about around branding the 
field, you could have your CISO go into local elementary 
schools or high schools to talk about the great career 
opportunities that you have available within your organization.
    You also mentioned career pathways, which is critical. You 
actually need to be able to then communicate to students what 
that career pathway looks like so that they know that there is 
a future and a sustainable career opportunity for them, and you 
need to communicate what are the specific steps that students 
can start taking wherever they are in their educational journey 
to build the skill sets or other experiences that are going to 
be necessary in order to enter into the field.
    That could be even sponsoring cyber competitions in your 
local community or engaging in other relevant activities that 
your community is sponsoring to help grow the cybersecurity 
talent pipeline.
    Mr. Starling. One of the things that we do at NPower is we 
hold regular sessions that identify different pathways to 
different cybersecurity jobs, and that's to get people into our 
tech fundamentals class. So you can't just jump into the cyber 
world. You've got to have that basis of fundamentals, but 
definitely being out in the community and having live and 
virtual events that people can attend to learn more about those 
pathways.
    Congresswoman, I'd just like to thank you for your support 
of NPower. You've been a vocal supporter, and we appreciate 
that.
    Ms. Wisniewski. I would just add that I think that, you 
know, we know--we have 200,000 members in the United States. 
Our members are very active in their community because they are 
very passionate. Cyber professionals are very passionate about 
cyber. They've had that Kool-Aid, and they are handing it out, 
right.
    So I think even more opportunities--this is where I think 
there's an important role for public-private partnerships--more 
opportunities to get people out into the community talking 
about cyber. It's actually two-fold. This is not just about 
work force, but it's also just building cyber awareness and, 
therefore, more resilience within the general population.
    Ms. Clarke. Absolutely. I--I'm a fond--I fondly 
reminiscence about the science fair when I was in school. I 
think that certainly there's room for that type of creativity 
in our public school--in our elementary school settings.
    There's a program called Project REACH, which stands for 
Realizing Equitable Access to Cybersecurity in High School, 
which links K-12 school systems to higher education 
institutions, specifically HBCUs and MSIs. The goal of the 
program is to ease the transition into higher education 
cybersecurity degree programs.
    I wanted to ask the question to Colonel Starling. As 
Project REACH does for K-12, what can we do as a Nation to 
create a seamless transition for higher education to work 
force?
    Mr. Starling. Yes, I think it's--it's offering those 
training opportunities, but it's not just--again, it's not just 
the tech training. You need some professional development. 
Young kids coming out of high school don't necessarily have the 
savvy to go into an interview or to, you know, compete for some 
of these jobs. Same thing with veterans who are transitioning. 
They have a whole different language. The transition period is 
one of those volatile times in a person's life.
    So seamless transitions means my SkillBridge program is 
like a boot camp as you leave the military to go into the 
civilian sector, specifically cybersecurity.
    Same thing as we look at our young adult programs in places 
like New York and in St. Louis, we are preparing them 
holistically. We're helping them with their life. We're also 
training them professionally to have the right clothes, the 
right approach, and practice those things. It's--you know, 
repetition is the key to retention in those things. So it's a 
holistic approach to filling this work force for cybersecurity.
    Ms. Clarke. Very well.
    My time has expired. Thank you, Madam Chair. I yield back.
    Ms. Lee. The gentlewoman yields back.
    I now recognize Mr. Swalwell for an additional 5 minutes of 
questions.
    Mr. Swalwell. Great. Thank you, Madam Chairwoman.
    I would just first ask unanimous consent to insert into the 
record written testimony from the Information Technology 
Industry Council, their publication, ``Growing the National 
Cybersecurity Talent Pipeline.''
    Ms. Lee. Seeing no objection, it is so ordered. The 
testimony will be admitted into the record.
    [The information follows:]
        Statement of The Information Technology Industry Council
                             June 22, 2023
    The Information Technology Industry Council (ITI) appreciates the 
opportunity to provide written testimony to the subcommittee on growing 
the national cybersecurity talent pipeline. ITI is the premier advocate 
for the technology sector, representing the world's most innovative 
companies. We promote public policies and industry standards that 
advance competition and innovation world-wide. Our diverse membership 
and expert staff provide policy makers with the broadest perspective 
and thought leadership from technology, hardware, software, services, 
and related industries.
    Recruiting, training, and educating a diverse cybersecurity 
workforce is a top priority for ITI and its member companies. The on-
going shortage of cybersecurity professionals profoundly impacts ITI's 
membership. We welcome the committee's attention to this pressing 
national issue for both the Government and private sector. While ITI 
member companies take a range of actions to invest in and develop their 
cybersecurity professionals, we would like to focus our attention on 
the role that Artificial Intelligence (AI) must play in reducing the 
security workload and empowering cybersecurity professionals.
    ITI recently launched our AI Futures Initiative, which crafts 
action-oriented AI policy recommendations to address emerging AI 
questions in the United States and globally. Led by a task force of 
technical and policy experts and serving as a convener for a diverse 
set of stakeholders ranging from industry to academia to civil society, 
the AI Futures Initiative will explore topics relevant to AI policy 
discussions, from transparency and accountability to AI's societal 
impacts. The AI Futures Initiative will feature a robust exploration of 
the foundational models that underpin Large Language Models (LLM--such 
as OpenAI's ChatGPT or Google's Bard) and how generative AI more 
broadly will impact cybersecurity.
    It is important to note that the cybersecurity industry benefits 
from a workforce that reflects a variety of backgrounds, perspectives, 
and experiences. As part of the tech sector's efforts to engage with 
educational institutions to prepare a diverse and ready workforce, ITI 
established the National Initiative to Increase Diversity in Tech, in 
partnership with Morehouse College, one of the most pre-eminent 
Historically Black Colleges and Universities (HBCU) in the United 
States. This initiative connects ITI's member companies with Morehouse 
leadership and educators to develop innovative programs that provide 
both the private sector and other professional fields--including the 
Federal Government--with a skilled workforce that understands the 
technology sector's cybersecurity needs.
                      the cybersecurity challenge
    The U.S. Government (USG) or other large organizations have three 
primary challenges when developing and maintaining effective 
cybersecurity--finding the true signal in the noise of logged data, a 
constantly evolving threat landscape, and an insufficiently skilled 
workforce. Each of these areas requires dedicated attention and policy 
solutions to address and improve the resilience and security of the IT 
ecosystem. As illustrated by these three challenges, the modern 
cybersecurity reality is that even the most skilled security operators 
are aways playing catch-up with security risks.
    The volume of data being created and shared continues to grow 
exponentially minute-by-minute; the threat landscape continues to 
evolve with the pace of technology; and at best we are providing only 
small-scale increases in the IT security workforce. The USG and their 
private-sector partners need to change the game to improve the calculus 
for cyber operators. Advances in technology, especially AI, can be 
leveraged to empower a skilled workforce to focus on the most complex 
problems and keep pace with the most sophisticated threats.
    AI, when used properly, can find the few actual threat events among 
the billions of logged activities any large system deals with on a 
daily basis. According to a recent threat intelligence survey, 84 
percent of global business and IT leaders, are concerned that their 
organization is missing threats or incidents due to the high volume of 
alerts and data that they need to analyze.\1\ AI-powered analytical 
tools can help identify the new and novel tactics, techniques, and 
behaviors of sophisticated and well-resourced adversaries. This is an 
especially important security use case as we must assume that malicious 
cyber actors will train their own AI systems to look for and exploit 
vulnerabilities in our defenses.
---------------------------------------------------------------------------
    \1\ Google Cloud Blog, ``Why AI: Can new tech help security solve 
toil, threat overload, and the talent gap,'' posted on Apr. 26, 2023 
available at https://cloud.google.com/blog/transform/why-ai-can-new-
tech-help-security-solve-toil-threat-overload-and-talent-gap. (last 
viewed on Jun 20, 2023)
---------------------------------------------------------------------------
    Finally, properly applying AI systems, services, and capabilities 
can help solve one of the biggest challenges facing the security 
operations workforce--the amount of time and energy that must be put 
into simply collecting and organizing data. The continued use of legacy 
systems across the USG, and other large organizations, means that the 
workforce in a security operations center (SOC) spends much of their 
time simply trying to integrate data from different, often outdated, 
and outmoded, systems. The repeatable and time-intensive activities of 
aggregating and enriching data from multiple sources adds no direct 
cybersecurity value, yet are essential for the operations of the SOC, 
and consume much of the work force's time.\2\
---------------------------------------------------------------------------
    \2\ See e.g. blog post ``Expanding our Security AI ecosystem at 
Security Summit 2023, posted on June 12, 2023 available at https://
cloud.google.com/blog/products/identity-security/expanding-our-
security-ai-ecosystem-at-security-summit-
2023?utm_source=newsletter&utm_medium=- 
email&utm_campaign=newsletter_axioscodebook&stream=top. (last viewed on 
Jun 19, 2023)
---------------------------------------------------------------------------
                   ai and the cybersecurity workforce
    Due to these three challenges, cybersecurity is no longer a human-
scale problem. Advances in AI, machine learning, and other automated 
processes are revolutionizing how cybersecurity practitioners identify 
and resolve vulnerabilities and manage increasingly sophisticated 
threat actors.
    AI-powered tools, capabilities, and services enable the analysis of 
massive quantities of risk data to speed response times and focus 
skilled security operators on the highest-risk activities; thereby 
improving outcomes and reducing strain on the workforce. A recent Wall 
Street Journal article found that 75 percent of chief information 
security officers in the United States are experiencing burnout.\3\ 
There is also a global cybersecurity workforce shortage of nearly 3.4 
million--an all-time high.\4\ Cyber attacks are being launched faster 
than companies can recruit and train the skilled security professionals 
necessary to combat these increasingly sophisticated threats.
---------------------------------------------------------------------------
    \3\ Catherine Stupp, Cybersecurity Leaders Suffer Burnout as 
Pressures of the Job Intensify, WSJ (May 17, 2023) available at https:/
/wsj.com/articles/cybersecurity-leaders-suffer-burnout-as-pressures-of-
the-job-intensify-b0609ef1#:?:text=Seventy-
three%20percent%20of%20CISOs,- burnout%20in%20the%20past%20year.
    \4\ https://securityintelligence.com/articles/bridging-workforce-
gap-cybersecurity/.
---------------------------------------------------------------------------
    AI technologies do not offer a silver bullet solution to 
cybersecurity challenges and cannot replace the value of human analysis 
and decision making when it comes to security operations. Rather AI 
technologies augment the abilities of the security workforce whose time 
and resources are limited. ITI member companies have identified, and 
currently employ, a range of AI-enabled tools to address key challenges 
and improve overall effectiveness of cyber solutions:
    1. Detection & Prevention.--Cybersecurity systems that leverage AI 
        can better provide real-time analysis and prevention compared 
        to cybersecurity systems that do not incorporate the latest 
        technologies. Leveraging AI means detecting anomalous activity 
        becomes faster and more accurate, improving the proactive steps 
        that network defenders can take to identify and mitigate 
        threats. One ITI member company takes in 36 billion security 
        events per day and requires only 8 of those to be manually 
        analyzed.\5\ In those security events, an organization could 
        face millions of potential Indicators of Compromise (IOC) per 
        day, which requires security teams to have contextual awareness 
        and visibility from across their entire environments to put 
        their time and resources where it will have the greatest 
        impact.
---------------------------------------------------------------------------
    \5\ Palo Alto Networks, Quarter 3 Fiscal Year 2023 Earnings Call 
(May 23, 2023) available at https://investors.paloaltonetworks.com/
static-files/70379c02-346b-493b-81c0-69ef1498b730.
---------------------------------------------------------------------------
    2. Advanced Threat Response.--AI-powered capabilities allow for the 
        automation of security recommendations and responses, 
        streamlining security operations and allowing for human 
        expertise to focus on the highest-risk threats. Sophisticated 
        cyber attackers require specific responses to their unique 
        behaviors and tactics, and AI-enabled technologies can help 
        defenders adapt by identifying new patterns that correlate to 
        known malicious activity.
    3. Scaling Productivity of Security Specialists.--When combined 
        with cloud services, AI-delivered security capabilities can 
        also help scale security efforts through continuous learning, 
        make best-in-class security tools available to small and 
        medium-size organizations, and keep on top of the latest 
        vulnerability mitigations. These efficiency gains broaden the 
        impact of security experts and operations to identify 
        intrusions more quickly and empower network defenders to act to 
        mitigate potential harm, without specialized domain knowledge 
        or deep tool expertise.\6\
---------------------------------------------------------------------------
    \6\ Google blog, Jun 13.
---------------------------------------------------------------------------
    4. Cost Effectiveness.--ITI member companies have identified a 
        strong correlation between deploying AI in cybersecurity with 
        reduced costs. One ITI member found that fully-deployed 
        security AI and automation was associated with average breach 
        costs that were $3.05 million lower than with no security AI 
        and automation deployed, a difference of 65.2 percent, the 
        largest cost savings in the study.''\7\ These are cost savings 
        that can be used to address the workforce capacity issues 
        facing both the Government and large organizations.
---------------------------------------------------------------------------
    \7\ Cost of a Data Breach Report 2022, conducted by Ponemon 
Institute, sponsored, and analyzed by IBM (2022) available at https://
www.ibm.com/security/artificial-
intelligence?mhsrc=ibmsearch_a&mhq=cybersecurity%20ai%20for%20dummies.
---------------------------------------------------------------------------
         recommendations on ai adoption and the cyber workforce
    Given the beneficial impact of AI tools, capabilities, and services 
on an already-strained cyber workforce, the following recommendations 
provided to the committee will help accelerate the use and 
implementation of AI to improve cybersecurity outcomes.
   Consider how to leverage technology like generative AI to 
        supplement and improve security practitioners' skills, 
        including data analysis, in cases where automation is not 
        helpful or appropriate.
   CISA and other Federal cybersecurity policy makers should 
        support the use of AI for cybersecurity purposes and 
        incorporate AI systems into threat modeling and security risk 
        management. To the extent practicable, we urge the committee to 
        leverage existing U.S. frameworks for assessing and mitigating 
        AI-related risks, such as NIST's AI Risk Management and 
        Cybersecurity Frameworks, rather than tasking the Office of 
        Management and Budget (OMB) or other Federal agencies with 
        creating new and potentially duplicative or conflicting risk 
        models.
   CISA should increase access to Government sources of 
        publicly available data, as appropriate, in machine-readable 
        formats to enable access by AI tools and services. Data is 
        fundamental to innovation in AI, and cybersecurity is no 
        different. As network security becomes more automated, and AI 
        manages repeatable tasks, AI will be more able to assist the 
        human network defenders.
   Prioritize Federal procurement of AI-based technologies and 
        applications. In particular, it will be increasingly important 
        to invest in security solutions that are aimed at countering 
        adversarial AI attacks.
   CISA and other Federal agencies should also explore funding 
        research and development of AI systems that are resilient to 
        manipulation by adversaries. Malicious actors use machine-
        learning models to misinterpret inputs into the system and 
        behave in a way that is favorable to the attacker. To produce 
        the unexpected behavior, attackers create adversarial examples 
        that often resemble normal inputs, but instead are meticulously 
        optimized to break the model's performance.
   ITI member companies encourage the committee to consider 
        ``The National Community College Cybersecurity Challenge Act,'' 
        which creates a funding stream for eligible State applicants to 
        grow and develop cybersecurity programs at community colleges, 
        as well as to assist States in promoting educational 
        advancement for the in-demand jobs of the cybersecurity 
        workforce.
                               conclusion
    We commend the committee's focus on addressing the cybersecurity 
workforce and skills gap. In the constantly-evolving and fast-moving 
technology ecosystem, the expanded use of AI will benefit both 
attackers and defenders. Last year, Rob Strayer, ITI's executive vice 
president of policy, testified before this subcommittee that, ``As 
innovation in Artificial Intelligence (AI) continues and the technology 
itself evolves, it is important for policy makers to consider how to 
harness the benefits of AI while simultaneously addressing societal or 
other challenges that may emerge.''\8\ It is incumbent on governments 
and the private sector to realize and invest in AI-enabled 
cybersecurity services and tools to raise the cost of conducting cyber 
attacks and ease the workload on security professionals.
---------------------------------------------------------------------------
    \8\ Rob Strayer, Executive Vice President of Policy Information 
Technology Industry Council (ITI), before the U.S. House Committee on 
Homeland Security Subcommittee on Cyber, Infrastructure Protection, and 
Innovation on June 22, 2022 on a hearing entitled, ``Securing the 
Future: Harnessing the Potential of Emerging Technologies while 
Mitigating Security Risks.'' Available at https://www.itic.org/
documents/cybersecurity/20220622ITIHouseHomelandCmte- 
TestimonyonEmergingTechandCyber.pdf.

    Mr. Swalwell. Great. Thank you.
    Also, Mr. Markow, in your testimony, you mentioned that 
demand for certain emerging cybersecurity skills like cloud 
security, automation, and secure application development has 
been growing at a rapid rate and can result in a salary premium 
because of a shortage of trained professionals.
    To what extent do you believe current cybersecurity 
education and training programs have curricula that meet the 
skills that employers demand? Are there aspects of 
cybersecurity where we should be focusing more acutely?
    Mr. Markow. I do think that, in general, most cybersecurity 
curricula are very focused on the skills that employers demand, 
but I think that it is a game of cat and mouse. The skills are 
constantly changing. Even if you build a curriculum that 
addresses the skill needs of today, it could be outdated within 
1 to 3 years.
    When you think about the typical program development cycle 
and curriculum development cycle at many universities, which 
can take 5 years or more, that makes it very difficult to 
rapidly adapt the curricula to some of the emerging tools and 
technologies that cybersecurity workers need to utilize.
    So that said, we have seen that many colleges and 
universities and other trained providers are very laser-focused 
on trying to rapidly adapt their curriculum. We also see some 
very innovative approaches coming from boot camps or other 
shorter-term training programs that are hyper-focused on some 
of these emerging fields such as cloud security or others that 
you just mentioned.
    So I think, in general, there are some structural 
challenges to many programs that are trying to adapt their 
curriculum as rapidly as possible. But I also feel that, in 
general, our education system is doing a good job of trying to 
respond to those challenges as quickly as they can through a 
variety of innovative approaches.
    Mr. Swalwell. Thank you for that.
    I also want to go into an issue where--immigration in 
Congress, obviously, it is a charged issue. But I think there's 
actually broad consensus among both parties about the need for, 
you know, skill--high-skilled immigration in areas where we 
just don't have enough American workers.
    My priority on cyber is, look, if we can train an American, 
I want to do that and make that the priority, you know, to 
exhaust the effort to do that before we ever say, you know, we 
need to import, you know, that work force through an 
immigration system.
    But can you just all let--just educate me and the 
committee. Do we have enough folks right now that we can train 
to meet our needs or, you know, would a skilled immigration--an 
expansion of the skilled immigration process help us meet that 
need?
    I'll just leave that open to anyone.
    Ms. Wisniewski. So I think that it could help. But the 
reality is, is that there's basically zero percent unemployment 
in cyber globally. So you're--you know, sure, but at the same 
time, you know, other--other nations around the world have the 
same problem that--that we do in the United States. There are 
simply just not enough professionals.
    So while I think that there's always value for effective 
policy in the realm of immigration, I think for cyber, it's 
just another lever that we can pull. But it doesn't--I think 
the most important thing is not to lose sight of the really big 
picture, which is zero percent unemployment, right.
    So even at some point during the panel even this morning, 
you know, the poaching that happens within the industry is so 
significant----
    Mr. Swalwell. Yes.
    Ms. Wisniewski [continuing]. And people are staying in jobs 
less than a year because they're getting poached onto the next 
thing. So there needs to be a lot of--again, I think industry 
has a really important role to play. I guess I'll leave it at 
that.
    Mr. Swalwell. Well, I just want to thank all of you for 
participating and educating us on this hearing today.
    Again, I want to thank the Chairman, before I yield back, 
for doing this. I mean, this--this is something that we just 
hear all over, not just the United States but world-wide, and 
not just in the public sector but also in the private sector.
    So we've got our work cut out for us. As I said, the good 
news here is there's no partisan excuse. There's a lot of good 
partisan excuses for why we can't take on other intractable 
issues. On this one, we're aligned. So that's the good news of 
this piece, but we can only do it, you know, with private 
sector buy-in and collaboration.
    So with that, I yield back.
    Mr. Garbarino [presiding.] Absolutely. Thank you, Ranking 
Member Swalwell.
    I recognize myself for 5 minutes for my second round of 
questioning.
    As you heard in my opening statement, addressing the 
national cyber work force challenge is one of my biggest 
priorities as Chairman of this subcommittee.
    Part of that difficulty is addressing--in addressing it is 
figuring out where to start. I think we've had some great 
testimony here today. But it's not, you know, it's not just--we 
can't solve it here alone on the Federal level. It can't be 
done alone on the private-sector level. It can't be done alone 
on the education level. It's the all-of-the-above approach I 
think there has to be.
    But what this subcommittee does oversee certain agencies in 
the Federal Government and specifically CISA.
    So I'll start with Ms. Wisniewski. In your view, how should 
the Federal Government specifically--how should the Federal 
Government prioritize its efforts to address this issue? 
Specifically, what is--what should CISA's role be in the 
equation?
    Ms. Wisniewski. So I think that we have to continue--
actually, I think we need more resources, right, more focus, 
more investment in actually solving the challenge, so, again, 
innovative work force strategies.
    Particularly for CISA, CISA has an opportunity to really 
serve as a convener and serve as, you know, the ringleader, if 
you will, in terms of really being able to drive all of the 
things that we've talked about today.
    I think that there are--there are just many--I think CISA 
has done a good job of being an example of--of not only the 
good, bad, and the ugly in terms of they have their own work 
force challenges, right, of recruiting people in. So I mean, 
you know, it's there, right.
    But I think CISA has a real leadership role here, and we 
look forward to deeper partnership with CISA and more 
opportunities, and also with the Office of the National Cyber 
Director. We have a deep partnership with them. We think the 
combination of those two units to serve as a leader is really 
important.
    Then actually, you know, this is also a global game, right. 
So we as--as the United States really need to take serious if 
we want to be a leader here, because we should be.
    Mr. Garbarino. Thank you.
    Does anybody else want to comment on that?
    Sure, Ms. Dortch.
    Ms. Dortch. I'll just quickly add, agree with her comments. 
I think, you know, big thing for CISA is to make sure they have 
the right expertise in the room to really help look at how we 
can transform the cyber work force in America.
    I think a great example of this, as we've seen, again, the 
CISA Cybersecurity Advisory Committee has the Subcommittee on 
Transforming the Cyber Workforce. But we need to make sure that 
we have H.R. professionals at the table, that we have folks 
from academia to really take a look at things that are working 
in the Federal Government and industry and really figure out 
how we can tactically address this issue.
    Mr. Garbarino. Either of you?
    Mr. Starling. Yes, I would just add that, you know, we've 
had a great relationship with CISA. Their grant really 
propelled us into some new territory, and we proved that we 
could do it. We're looking forward to continue to work with 
CISA and other Government agencies to continue to find 
nontraditional talent and to help solve this problem.
    Mr. Markow. I would wholeheartedly agree with everything 
that everyone else has already said.
    The only thing that I would add is that I think CISA is in 
a unique position to help make all of the great information 
that is already out there as accessible as possible.
    I think that there's no shortage of resources and 
information that lots of people have already provided in the 
Federal Government to support cybersecurity work force 
development, but I think that at times it can also be 
information overload. So I think that CISA could serve as that 
convener of both stakeholders but also information to make it 
as easy as possible to access the tools and resources that are 
most valuable.
    The other comment I would make on this is that I think CISA 
is also in a unique position to provide information to 
employers. I think we have overindexed on providing information 
for other stakeholders and underindexed on providing 
information, tools, and standards for employers so that they 
know how to be responsible recruiters and developers of 
cybersecurity talent.
    Mr. Garbarino. Thank you all.
    One final question, because I have about a minute left. But 
in our first hearing of this committee, we heard from someone 
from the Bank Policy Institute that cyber professionals in 
their field are spending 40 percent or more of their time on 
compliance.
    Ms. Wisniewski, earlier in this--in your response, you 
mentioned additional cyber regulations will likely worsen the 
work force problem. Right now we're seeing, you know, the 
National Cyber Strategy coming out of the White House has--
focuses a lot on regulation. The Energy and Commerce Committee 
just recently passed a bill out of committee, adding a new 
regulation on reporting.
    How can Congress help reduce this additional burden on a 
work force that is already stretched so thin?
    Ms. Wisniewski. So I do think that there's an opportunity 
for Congress to actually partner with the regulatory 
environment to really, I think, appreciate what is really 
important here, because unless we can do more--so what often 
happens, right, is the regulatory environment kind of works in 
its own little world. Then you've got, you know, policy makers 
working in a different world.
    In this case, there needs to be a lot more synergy so that 
there can actually--if there is going to be more regulations 
coming, that those regulations actually can be fulfilled. 
Because if there's no one to meet the regulation, then, you 
know, how is that going to solve?
    The other challenge, I think, is that we really, because of 
the environment in cyber, we really need to make sure that 
we're not building a checklist environment where it's just a 
checklist for compliance, because then you're just not--you're 
not--you're missing the point. You're actually not protecting 
the world.
    So I think more synergy there and, again, just more 
investment on the work force development.
    Mr. Garbarino. Thank you.
    I'm out of time, but I'm the Chairman. So you can go ahead, 
Ms. Dortch.
    Ms. Dortch. Thank you. I appreciate that.
    It's really a call for harmonization of these regulations 
and removing duplication. I think that's key.
    I agree. I think a big part of this, NIST has done a lot of 
work around building the Cybersecurity Framework, the National 
Initiative for Cybersecurity Education, the AI Risk Management 
Framework. We need to continue to fund that.
    But also to her earlier point, frameworks are not meant to 
be compliance documents, so making sure that these are best 
practices that we can incorporate into our businesses and make 
sure we're fostering good cyber hygiene practices.
    Mr. Garbarino. Thank you very much.
    So I want to say I thank the valuable testimony and the 
Members for their questions today. Again, this is I think the 
second time we've done a second round of questions because it 
was such a great hearing.
    The Members of the subcommittee may have additional 
questions for the witnesses, and we would ask the witnesses to 
respond in these writings pursuant to committee rule VII(D). 
The hearing record will be held open for 10 days.
    Without objection, this subcommittee stands adjourned.
    [Whereupon, at 11:52 a.m., the subcommittee was adjourned.]

                                 [all]