Conclusions

This report is not intended to solve the cybersecurity workforce development problem, but rather to unpack the topics and questions embedded in that larger conversation and provide options for the path forward. It is intended to help frame the community’s future conversations on cybersecurity workforce development. Widening the pipeline of cybersecurity talent and creating alternative entry points into that pipeline leads to complex questions about the role of higher education, the future of work-based learning, and alignment between industry and education. In many ways, cybersecurity is a test case for a number of evolving questions in the relationship between work and education.

Cybersecurity workforce development happens to be both very urgent and very politically salient at the present moment. Both the Obama and Trump administrations have singled out the importance cybersecurity workforce development in official policies,¹ and Congressional hearings demonstrate growing interest from lawmakers.² The appetite for cybersecurity policy coupled with overlap with larger questions on the future of work and higher education has created an environment that is particularly conducive to innovative solutions that deliver wide-reaching impact.

Cybersecurity is a test case for a number of evolving questions in the relationship between work and education.

There is ample opportunity for further research from the cybersecurity community. This report underscores a number of questions not well understood due to a lack of data. From the percentage of the workforce trained in military and intelligence organizations to the number of jobs in other sectors that cross into cybersecurity, the empirics around pathways and dynamics through the cybersecurity workforce are extremely limited. For employers—in public and private sectors alike—who wish to make a meaningful investment in cybersecurity workforce development, research in these areas would inform future policy decisions, leading to better workforce development mechanisms across the cybersecurity community.

There are two basic principles that will certainly need to be a part of any solutions. First, broad stakeholder engagement will be critical to making any lasting change. Cybersecurity workforce development is characterized by its interconnectedness and the interdependencies between different mechanisms for change. The impact of the cybersecurity workforce on national security and economic stability make a very clear case for policy intervention to strengthen that workforce; however, effective policies will require input, acceptance, and ongoing coordination from different actors and sectors in the cybersecurity community.

Second, no single approach or solution will fill the all the open jobs in cybersecurity. The scale of the problem is too big—and its causes are too multifaceted—for there to be any silver bullets. Policymakers have a key role to play in initiating changes and aligning incentives among different actors, but policy interventions must be supported by other efforts. Nothing short of community-wide engagement across the full range of stakeholders will create lasting change to cybersecurity workforce development.