What’s the Latest on Cyber Talent and Staffing Shortages?

The topic of cyber staffing shortages is a hot issue that has grown hotter during the pandemic. So what are some of the latest trends, newer perspectives and opportunities available?

Throughout the country, technology and security teams are struggling to attract and retain enough cybersecurity talent – especially in the public sector. And while this challenge has been growing for a decade or more, the situation has reached crisis levels in some organizations during the pandemic.

At the end of 2021, TechBeacon reported on (ISC)²'s survey: 700K more cybersecurity workers, but still a talent shortage. “For the second year in a row, the global shortage of cybersecurity workers has eased, but it's still not time to celebrate, much less relax.

“The decline from 3.12 million to 2.72 million unfilled job openings was reported in October by (ISC)², the world's largest nonprofit association of certified cybersecurity professionals, in its annual Cybersecurity Workforce Study.”

Meanwhile Forbes described the talent situation this way back in late January: “Over the past few years, one issue has remained prevalent and will continue to be as we head into 2022: a cybersecurity manpower shortage and talent gap. This is becoming a more recognizable problem as companies come to grips with the reality of cyber attacks, crime and the havoc they’re bringing on their victims. These aren’t just big names that are covered by the media; they're businesses next door that might’ve already become a statistic of cyber crime. …”

And don’t be fooled by articles, like this one, that describe our cyber talent shortage as a myth. The reality is that the person interviewed in this article describes the same dire situation – only with different reasons as to how we got to where we are. According to the article, the “real” issues causing the crisis are an escalation in cyber threats, a need for better training for all and, most of all, the need for more secure systems with fewer alerts and a better security culture.


According to Cyber Seek — a project supported by the National Initiative for Cybersecurity Education, a program of the National Institute of Standards and Technology in the U.S. Department of Commerce — the total employed cybersecurity workforce in the United States consists of a little over a million people. Currently, there are nearly 600,000 vacant positions with both public and private organizations, a figure estimated to grow significantly through 2025.


Over the past few months, I have participated in several focus groups, discussions with CISOs and conference sessions that are examining potential solutions that are being tried right now around the country to help ease the pain in this area. Some of the recent strategies I see being used include:

No wrong door for entry into cyber roles. Some combination of the following:

  • Allowing (or even encouraging) staff to apply for cybersecurity jobs from other IT roles and functions within an organization.
  • Lowering the required degree or specific certification requirements for entry roles.
  • Highlighting business skills and drive/passion for the field.
  • Continued focus on mentoring, internships and student hires.
  • Working with military and other organizations looking to place staff.

Nationwide options. Organizations are open to fully remote candidates and/or fewer days in-office as a permanent part of the roles.

Pay and benefits being re-examined. Reclassification of roles, years of experience and other aspects of pay. Also, more use of bonuses and hiring timeline flexibility.

Some great examples:

This case study from IBM: “… Education initiatives with the U.S. Department of Veterans Affairs (VA), Specialisterne Foundation, and six Historically Black Colleges and Universities (HBCUs) to provide no-cost STEM job training to U.S. military veterans, neurodivergent learners worldwide and university students from underrepresented communities in the U.S.”

This Government Technology article on getting more women in IT: “And while having women well-represented in gov tech leadership roles is the goal, that means getting more women trained in tech skills. To fuel that effort, GWIT created a group that helps high school and college students, as well as women returning from incarceration, to gain skills they need to enter the technology workforce. Because if you want more women at the top, Bag said, you need more women coming in at the bottom as well. …”

This case study from the U.S. Army: “Despite the universal shortage of cyber talent, the Army does attract highly qualified personnel. In internal Army analysis that hasn’t been publicly released (and research supported by RAND), the Army has identified that within its cyber operations specialty, 23 percent of Army enlistees possess a bachelor’s degree and 35 percent achieve scores in or above the 93rd percentile on the Armed Forces Qualification Test. Additionally, the average age for new cyber recruits is twenty-three, far older than the traditional eighteen-year-old enlistees that join right out of high school. For the officer corps, commissioning as a cyber operations officer is extremely competitive, with nearly 7,500 individuals competing for roughly 120 annual available cyber slots. To augment this process, the Army has successfully been accepting direct commissions for over five years, which has proven Army Cyber Command’s ability to bring in highly experienced and advanced degree–holding professionals at higher ranks.

“All potential candidates for cyber operations positions take assessments and undergo extensive interviews to assess their skill sets and abilities. Upon selection, the entry level and professional military education required after assessing as a cyber operations enlistee or officer is lengthy and rigorous. Those assessed as most qualified are given the opportunity to attend additional schooling and training to become interactive operators, or Army hackers. These students end up receiving around $500,000 in specialized education over the course of nearly three years. However, the challenge for the Army after educating and training this highly effective cyber workforce is retaining them beyond their mandatory service commitments. …”


No doubt, this topic has been hot for a while. Here are some other helpful blogs and articles that I have written on attracting and retaining cyber talent:

“What’s Really the Reason Behind ‘The Great Resignation’?”

“3 Strategies to Rethink Hiring Cybersecurity Talent”

“Stock Options, IPOs and Acquisitions Accelerate Cybertalent Divide”

“Need Talent? Consider Hiring Our Heroes”


Consider this CNBC story regarding pilot shortages on U.S. airlines: “A regional airline proposed reducing flight-hour requirements before joining a U.S. carrier, and airlines are rethinking training programs to lower the barrier to entry. Earlier this year, Delta Air Lines joined other big carriers in dropping a four-year degree from its pilot hiring requirements.

“Kirby estimated the regional airlines United works with currently have about 150 airplanes grounded because of the pilot shortage. …”

Also, this New York Times story about how people all over the U.S. are trading up for better paying jobs: “‘It’s absolute craziness,’ said Mr. Haner, 32, who quit his job at Applebee’s last summer and accepted a fully remote position in sales at a tech company. ‘I decided to take a chance because I was like, ‘If it doesn’t work out, there’s 100 more jobs out there that I can find.’

“More than 40 million people left their jobs last year, many in retail and hospitality. It was called the Great Resignation, and then a rush of other names: the Great Renegotiation, the Great Reshuffle, the Great Rethink. But people weren’t leaving work altogether. They still had to make money. Much of the pandemic stimulus aid stopped by the fall, and savings rates dropped to their lowest in nine years, 6.4 percent, by January. What workers realized, though, is that they could find better ways to earn a living. Higher pay. Stable hours. Flexibility. They expected more from their employers, and appeared to be getting it.”


With the current state of the economy, many experts believe the country could be heading toward a recession later this year or in 2023. Obviously, this could change the paradigm for cyber jobs as well as other technology positions.

One major difference that a recession and/or a major stock market correction could bring is less of a pull from tech and cyber startups, or from the stock options that the private sector brings – as described in this piece on stock options and pay.

Finally, as mentioned in this article regarding the U.S. Army, Daniel Pink’s book Drive suggests that employees are much more likely to stay with their employers if their jobs provide them with three things: autonomy, mastery and purpose.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.