Appendix: Unanswered Questions in Cybersecurity Workforce Empirics

The body of this paper has highlighted a number of areas in which additional empirical information could help improve understandings in cybersecurity workforce development. Those questions are gathered and presented here. These are not intended to be rhetorical or conceptual questions about policy, but rather areas where statistical data and measurable observations could enable better decision-making. Because these questions have been removed from their original context, in some cases the questions have been rephrased or expanded to make meanings clear.

Workforce Sources

• How many U.S. cybersecurity professionals got their initial training in the intelligence community or military? What are the costs of this training to the federal government? What are the economic benefits to the rest of the cybersecurity community? What would comparable education cost if conducted outside of government?
• How many U.S. cybersecurity professionals came directly out of a higher education degree program?
• How many U.S. cybersecurity professionals learn in informal settings—on-the-job or through self-teaching—and, without a degree, how do they market themselves to employers?
• What degrees, certifications, experiences do jobseekers possess when they are hired into cybersecurity jobs? Note that this is a different question than asking what job postings require of applicants.
• How many employers are sourcing employees from capture-the-flag or similar competitions? Which types of employers find this method of screening candidates to be useful?

State of the Workforce

• How many cybersecurity workers are in the federal government? (This research is underway.)
• How many jobs in sectors or functions outside of cybersecurity require significant cybersecurity expertise?
• For what percentage of cybersecurity jobs is a bachelor’s (or master’s or PhD) critical to success?
• How many private sector employers offer significant training for entry-level employees? What do these programs look like? What percentage of internally-trained employees stay with the company?
• What is the return on investment of industry certifications for an individual job seeker (or employee), controlling for other variables like years of work experience, current employment, and prior certifications?

Individual Outcomes

• What percentage of baccalaureate graduates (with a degree applicable to cybersecurity) that intend to go into cybersecurity get a job in the field? Are they more likely to be hired into the private or public sector?
• Do certifications (and/or which certifications) correlate with success on the job?
• What percentage of computer science (or similar) graduates go into cybersecurity?
• What are the long-term career paths for cybersecurity professionals trained in the military or intelligence community? How many go back to school to pursue additional degrees? How many pursue other forms of training or credentialing?
• What are the employment outcomes for students that pass through cybersecurity bootcamps?
• How does education via massive open online courseware impact a cybersecurity professional’s long-term career? At what point in their career do professionals use these resources (e.g. for upskilling, career transitions, or as an alternative to a bachelor’s degree)?