Cyber Workforce Strategies Should Produce at Scale

The national cyber director recently held an event at the White House on the cyber workforce shortfall. One remark that stood out came from Secretary of Labor Marty Walsh, who noted that he had begun working on cyber workforce issues 25 years ago as a freshman member of the House of Representatives. There have been many efforts to expand the cyber workforce since then, but none have adequately addressed the problem. The creation of the Office of the National Cyber Director (NCD) provides an opportunity to change this.

The primary reason that the 25 years of effort to meet the workforce shortage has been unsuccessful is that these efforts have not worked at scale. There are other reasons, including that the growth in demand for cybersecurity workforce labor outpaces supply, but the primary cause is the absence of programs that produce the necessary volume of trained cybersecurity workers. The number used in the NCD White House meeting was a shortfall of 700,000 people. There was discussion at the meeting of apprentice programs, which, for all their merits, produce only a few hundred new workers annually. Some of the larger programs provide a few thousand new workers annually. At this rate, it will take decades (if not centuries) to meet the shortfall.

There are precedents from earlier crises for building a workforce at scale. These include the pilot training programs of World War II and the Eisenhower administration’s National Defense Education Act (NDEA) programs, which created the STEM workforce that underpinned U.S. technological leadership. These twentieth-century programs suggest that a workforce strategy should addresses the five major issues listed below.

  • Scale: The main conclusion the United States can draw from previous workforce strategies is that they produce at scale. This means training thousands of people annually. There are now a number of strong cyber training and education programs, but they produce workforce in artisanal quantities. Scattered efforts at building a cyber workforce lead to fragmented outcomes and inadequate numbers.

  • Coordination: The problem for NCD is not to create a single, centralized program, but to play a coordinating role among many actors and efforts to ensure that the objectives of scale and quality are met. NCD has an opportunity to create an effort that produces at scale by issuing and implementing a strategy that coordinates the many existing programs.

  • Curriculum: A central tool for coordination is the development of a common core curricula. Having many separate programs is not an issue if they provide the same skills for a new cybersecurity workforce. These need not be four-year or junior college programs, but programs designed to produced certification of expertise within a few months. This may sound impossible, but it is in fact how must training is structured—teaching basic skills that would be reinforced later by experience and additional classes. There are many existing curricula, and NCD can draw upon them, but part of the strategy should begin with surveys with chief information officers and chief information security officers to identify what skills are needed for the cybersecurity workforce and guide curricula development. A CSIS survey found that many companies need to retrain newly hired cybersecurity workers because their education had not provided the necessary skills.

  • Engagement: Coordination requires an engagement plan to connect NCD with dozens of government offices and programs now in existence and use NCD’s coordinating functions to focus on what will remain a distributed training process. This engagement plan will require a complicated, multistep effort that NCD should lead to reach agreement on curricula while leaving room for diverse approaches and experimentation. In doing this, the strategy must recognize how education has changed in the United States. Student preference for virtual training to obtain certificates is as much or more than their preference for traditional degree programs. There is still room of traditional degrees, but these will not meet the demand for a cyber workforce and, judging from numerous interviews, may not provide the skills companies need for cybersecurity. It is not necessary for NCD to tell how cybersecurity should be taught, but it is necessary to develop a cyber workforce strategy that embraces new modes of education.

  • Incentives: Incentives to encourage people to be trained (perhaps in the form of tuition subsidies) are essential. The lesson from the Cold War NDEA is that if the United States subsidizes education in targeted fields, student will enter them. Many subsidy programs of varying sizes already exist, and NCD should map the available federal, state, and private incentives, link then to a core curriculum, and work with educators and Congress to reinforce and expand existing programs and identify where new ones are needed.

  • Government training at scale: NCD can work with Congress and the relevant departments to establish large-scale, short-term training programs for civilian federal agencies and in the military that create a pipeline of cyber talent. This federal pipeline should have an established curriculum and a timeline measured in months, similar to the mass pilot training of WWII. Many federal employees already study on their own time for advanced degrees. The objection that people will leave federal service if given new and valuable skills ignores the greater benefit for the nation of an expanded workforce. An easy incentive would be to provide federal employees a step increase in salary if they completed an NCD-approved certification program.

  • Metrics: Current estimates of workforce shortages tend to be somewhat ad hoc. NCD will need to identify and develop the right metrics to identify success. An easy metric is to ask, when new programs are created, how many graduate from them, how many are hired, and how many need to be retrained once hired.

Coordination, engagement, curricula, incentives, a federal pipeline, and metrics provide the pieces needed for a workforce strategy. Many of these pieces already exist in an ad hoc fashion, but this highlights the principal dilemma for all previous workforce efforts. Their distributed nature means they did not produce at scale. NCD will need a strategy that produces at scale and takes advantage of its new and important role as the cyber coordinator to bring these distributed efforts together if it is to avoid adding to the list of well-meaning but inadequate efforts that began more than two decades ago.

CSIS Studies on Workforce 2010–2022

Irving Lachow, Equity and Diversity in the Nation’s Cyber Workforce: Policy Recommendations for Addressing Data Gaps, (Washington, DC: CSIS, April 2022),

James A. Lewis, The Cybersecurity Workforce Gap, (Washington, DC: CSIS, January 2019),

Franklin S. Reeder and Katrina Timlin, Recruiting and Retaining Cybersecurity Ninjas (Washington, DC: CSIS, October 2016),

Katrina Timlin and James A. Lewis, McAfee and CSIS, Hacking the Skills Shortage: A Study of the International Shortage in Cybersecurity Skills (Santa Clara: 2016),

Karen Evans and Franklin Reeder, A Human Capital Crisis in Cybersecurity (Washington, DC: CSIS, November 2010),

Eugenia Lostri, James A. Lewis, and Georgia Wood, A Shared Responsibility: Public-Private Cooperation for Cybersecurity (Washington, DC: March 2022),

James A. Lewis is senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.  

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2022 by the Center for Strategic and International Studies. All rights reserved.

James Andrew Lewis
Senior Vice President; Pritzker Chair; and Director, Strategic Technologies Program