Diversity, equity, and inclusion in the cybersecurity industry is a national security issue.
What is cybersecurity education and workforce development?
Efforts to educate and sustain the nation’s cybersecurity workforce can be divided into at least three overarching categories of activities:
- Youth awareness: Capturing the imagination and interest of a diverse array of students, many of whom will otherwise dismiss cybersecurity as a potential career pathway.
- Education and skill development: Working through schools, companies, governments, and intermediaries to guarantee equitable access to the financing and resources needed to transform interest into relevant knowledge, skills, and abilities for cybersecurity roles.
- Employer engagement: Changing how companies and government agencies recruit, hire, train, and retain cybersecurity workers to expand participation by underrepresented groups across all cybersecurity roles.
Why is this a priority?
People are the most important element in cybersecurity, and organizations are in desperate need of trained workers who can spend limited budgets wisely and use technology correctly. The past two administrations have described the nation’s cybersecurity workforce as a “strategic asset” that suffers from a persistent supply gap: employers in the United States alone report over 520,000 open cybersecurity roles. Driving this gap are (a) structural barriers to education and employment opportunities and (b) outdated hiring practices that disadvantage women and racial minorities, artificially restricting the pool of available cybersecurity talent.
Addressing these inequities is not only a moral and ethical imperative—it is an essential component of national security strategy. Our nation boasts enough citizens with the talent and passion to perform cybersecurity roles, and diversity, equity, and inclusion are not merely “nice to have.” They are a core business objective. Without serious, consistent, and persistent recognition that representation is an inseparable part of the cybersecurity mission, government and industry will continue to leave untold talent on the table and a mature national risk posture will continue to elude us.
Unlike many other domains in cybersecurity policy, addressing the cybersecurity skills shortage is not just another budget item. Transforming how the nation approaches cybersecurity talent will reduce unemployment, bring high-skill jobs and wage-growth to geographically isolated communities, and fight systemic racism that excludes underrepresented groups from the technology workforce. Because of this, cybersecurity education and workforce initiatives have captured the imagination of countless state, local, and nonprofit leaders who are eager to scale past successes and achieve rapid progress.
- More filled cybersecurity positions in companies and government agencies.
- A cybersecurity workforce that reflects our nation’s gender, ethnic, racial, geographic, and ideological diversity.
What have been the obstacles to progress?
- Funding: Limited funding for cybersecurity education in schools, upskilling for entry-level employees, and training programs for career-switchers restricts opportunities for underrepresented groups to discover and enter the cybersecurity field.
- Too little, too late: Career awareness development targets young adults or high school students—far too late considering that many learners start narrowing their interests in middle school or even earlier.
- Structural barriers: Lack of qualified instructors in K-12 schools and higher education frustrates efforts to scale cybersecurity instruction. Most learning standards, assessments, and teacher certifications—all critical to shaping course design and directing limited resources—do not treat cybersecurity as even a minor component of education.
- Narrow talent aperture: Outdated recruitment and hiring practices artificially limit the talent pool with unnecessarily restrictive job qualifications and rely on off-putting or vague job descriptions that dissuade potential high performers.
- Appropriate new grant funding and direct grantmaking agencies to support organizations dedicated to growing the representation of underrepresented communities in the cybersecurity field. Like the STEM field, the cybersecurity profession tends to discourage, exclude, or mistreat women and communities of color. Not only is this morally reprehensible—it also undermines cybersecurity as an objective matter. By excluding (even unintentionally) so many candidates from the talent pool, employers virtually guarantee that the industry will never fill its 500,000 open positions. A growing number of organizations have already established real-world programs to support underrepresented groups interested in cybersecurity. Grantmaking agencies such as the Department of Labor and the Department of Homeland Security should explore flexibility to direct existing grant funds toward nonprofit, industry, and academic partnerships with demonstrated success in improving diversity across the cybersecurity workforce, and Congress should appropriate new funds to support this new emphasis.
- Change how employers recruit cybersecurity workers to diversify and expand the talent pool. A primary driver of the cybersecurity skills gap is the outdated recruitment practices of companies and agencies. Too many entry-level cybersecurity job openings list prerequisites that are more appropriate for more senior roles, demanding mid-career certifications or requiring applicants to have four-year degrees when less onerous, less expensive credentials suffice. Terminology alone can also discourage potential cybersecurity workers from applying to open positions. The result is a cybersecurity workforce ecosystem that imposes a disparate impact on underrepresented groups and undermines national security. The Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce offers actionable steps for employers who want to expand their talent aperture, and the Aspen Cybersecurity Group has assembled a voluntary coalition of over 30 companies that have publicly committed to instituting or strengthening practices to diversify their cybersecurity talent pool. Leveraging the authority of the White House, convening bodies like the American Workforce Policy Advisory Board, and influential leadership organizations like the Business Roundtable, the next administration should build on the Aspen coalition to rapidly scale the number of employers—including federal agencies—who commit to reviewing and revising their hiring practices.
- Authorize and fund a national repository of K-12 cybersecurity resources. Congress should direct and pass appropriations for the National Initiative for Cybersecurity Education to create and sustain a searchable, living repository of K-12 cybersecurity curricula and practical resources with a transparent classification system that is easy for non-experts to navigate. Such a repository should clearly indicate which curricula are aligned with existing state education standards. This repository can also serve as a foundation for an Open Knowledge Network for the K-12 cybersecurity community.
- Create and scale an industry-to-school pipeline for part-time instructors. Many experts working in industry are willing to volunteer their time and expertise to instruct students or help teachers apply curricula guides. Yet there is not a widely known, trustworthy mechanism for connecting volunteers with schools that need and are ready for such assistance. As a start, the White House and Congress should identify incentives for companies with deep benches of technical experts to launch initiatives that pair volunteer computer science experts with schools to expand computer science course offerings, such as Microsoft’s TEALS Program.
- Elevate and scale apprenticeship models. Cybersecurity apprenticeships offer an excellent avenue for growing a more diverse, skilled cybersecurity workforce. More and more employers and educational partners are proving that cybersecurity apprenticeships improve opportunities for underrepresented groups and allow employers not only to train but also retain skilled workers. Stakeholders are primed to scale similar programs nationwide if the federal government—led by the Office of Apprenticeships at the Department of Labor—assumes a greater leadership role. A first step is pushing federal hiring managers to value apprenticeships, starting with an executive order establishing a task force to pilot a cybersecurity apprenticeship pathway for federal employees. More broadly, Congress should revive and prioritize proposed legislation to (a) create state-level apprenticeship hubs that build new programs in regions with high demand for cybersecurity skills and (b) convert state apprenticeship expansion grants to formal block grants. Finally, workforce development champions must fight an emerging partisan split over registered apprenticeships versus industry-recognized apprenticeship programs (IRAP). Both models are important pieces to the overall mission of aligning employer needs with equitable worker access to high-quality job opportunities.
- Create a leadership structure for coordinating federal cybersecurity workforce activities. A coherent planning and implementation structure is essential to avoid duplication of work and inoculate workforce efforts—for which success depends on steady, long-term commitments—against political and leadership changes. As recommended by the U.S. Cyberspace Solarium Commission, the White House should establish an interagency leadership structure centered on building:
- A high-level steering committee comprising the key agencies involved in cybersecurity workforce development (OMB, OPM, CISA, NIST/NICE, NSA, DOD) that creates a unified federal vision for these activities and apportions resources.
- A staff-level working group available to all federal offices to implement guidance from the steering committee.
- Improve equitable access to broadband Internet services for all communities. One advantage of cybersecurity roles is their ability to allow geographically isolated communities to tap into high-skill job markets. But as the COVID-19 pandemic has made painfully obvious, many students and working adults (both rural and urban) do not have access to Internet speeds that are necessary to either take advantage of online cybersecurity education or perform cybersecurity roles remotely. The Coronavirus Aid, Relief, and Economic Security Act enacted in early 2020 allows states to use federal relief funding to expand broadband connectivity access, and the White House and Congress should ensure that additional relief and recovery support includes similar authorization. In addition, recent innovation in satellite broadband offers new potential for overcoming the digital divide in low population areas, and the White House and Federal Communications Commission should encourage robust competition in this sector to lower costs and improve service delivery.
- Create pay flexibility for all federal departments and agencies. Many talented cybersecurity experts who might otherwise work in federal service choose private employment because (a) the federal hiring process, particularly for sensitive cybersecurity positions, lasts too long and (b) traditional federal pay scales cannot compete with private sector salaries. While cutting the time needed to conduct background checks for new employees has long been an elusive goal for reform-minded federal leaders, enabling more flexibility to incentivize cybersecurity experts to join the civil service is more immediately achievable. As the U.S. Cyberspace Solarium Commission has recommended, Congress should expand past changes in federal law that provide the Department of Defense and Department of Homeland Security with more pay flexibility for cybersecurity experts to apply to all federal offices.
- Increase funding for CyberCorps to expand its focus. One highly successful cybersecurity workforce initiative is CyberCorps: Scholarship for Service (SFS), which is jointly administered by OPM, DHS, and the NSF. CyberCorps aims to steer more students toward government service, offering interest-free financing to students who agree to work for a limited term in a federal, state, local, or tribal office after they graduate with a cybersecurity degree. However, federal law requires that at least 80% of CyberCorps participants must be placed in a federal agency, limiting the program’s ability to strengthen the overall cybersecurity talent pool. While this reflects an understandable desire to focus federal funding on improving federal institutions, this restriction (a) misses an opportunity to build on the success of SFS to solve multiple problems at once and (b) reduces pressure on federal agencies to improve their own hiring systems and incentives to be competitive on their own merits.
Dig Deeper on Education and Workforce Development
- Aspen Cybersecurity Group – Growing and Sustaining the Nation’s Cybersecurity Workforce
- Cyberspace Solarium Commission – White Paper #3: Growing a Stronger Federal Cyber Workforce
- New America – Teach Cybersecurity with Apprenticeship Instead
- Frost & Sullivan – Innovation Through Inclusion: The Multicultural Cybersecurity Workforce
- Cyber.org – Empowering Educators to Teach Cyber
Legislation, Regulations, Executive Orders, and Guidance
- NIST – NICE Cybersecurity Workforce Framework
- Executive Order – America’s Cybersecurity Workforce
- Legislative Proposal from the Cyberspace Solarium Commission – Recruit, Develop, and Retain a Stronger Federal Cyber Workforce (Page 29)