Priority #4: Cybersecurity Workforce Challenges – International Strategy to Better Protect the Financial System Against Cyber Threats

  • Rotational Programs: With careful planning and standardized job descriptions, organizations with cybersecurity roles in multiple departments, offices, or other components can take advantage of rotational programs. In the United States, both the legislative and executive branches of government have proposed creating cybersecurity rotational programs that move employees among federal departments.27 Rotations into new or adjacent roles provide room to learn while relying on the same fundamental skills. This can be valuable at any stage in an employee’s career but is particularly helpful for entry-level employees who may not yet know what type of work is most interesting to them. A good example is the U.S. National Security Agency’s development program.28 Upon hiring, entry-level employees rotate through a series of positions over the span of three years, allowing them to “enhance their skills, improve their understanding of a specific discipline and even cross-train into a new career field.”29 Thus, employees acquire an evolving series of opportunities and a clear indication that the employer values their development, while the agency gains a workforce that has broad knowledge of the organization and its various functions.


  • Upskilling: Public institutions likely already employ personnel in fields that are adjacent to cybersecurity, like information technology (IT) support, audit and compliance specialists, and risk analysts. Employer-sponsored training could allow these workers to grow into future work in One particular challenge to executing upskilling programs effectively is aligning them with established career pathways. For example, a mid-career employee may not have the discipline-specific knowledge needed to move laterally into a mid-career level cybersecurity position but is unlikely to want to move to an entry-level position and start over.30 The Federal Cybersecurity Reskilling Academy in the United States is attempting to address this challenge,31 drawing on a pool of employees without an IT background who volunteered from positions across the federal government.
  • Work-based Learning: Fewer than a quarter[3] of surveyed cybersecurity professionals feel that education programs are preparing students to enter the industry,32 seeing hands-on experience as a better way of acquiring the necessary skills. In addition to using internships as a way to connect early-career workers with experience, some U.S. employers are beginning to experiment with registered apprenticeship programs in cybersecurity. Cybersecurity apprenticeships in U.S. public institutions are rare, but they exist,33 and the potential for growth is generating interest.34 In countries with a greater cultural familiarity with apprenticeships—for example, the United Kingdom35—cybersecurity apprenticeship programs are already underway, offering a compelling recruiting pitch for promising candidates.
  • Hiring Requirement Exemptions: To preserve a fair hiring environment, public institutions often implement requirements for new hires, specifying that they be from specific populations (for example, veterans), possess certain non-negotiable qualifications (for example, a bachelor’s degree in a specific field), or be hired via specific pathways. However, in the highly competitive market for cybersecurity talent, these requirements become increasingly burdensome. One tool to address this issue is a dedicated hiring system for cybersecurity professionals that bypasses these requirements.36 Creating such a program requires a very clear and standardized definition of what constitutes a cybersecurity role. It is true that exempting cybersecurity professionals from standards and requirements that the rest of the workforce must still observe may not be universally popular.37 However, creating flexibility does help to mitigate bureaucratic barriers in cybersecurity hiring.
  • Public-Private Partnerships: Employers often view cybersecurity hiring as zero-sum, as though they were competing with one another for a fixed pool of talent. A more sustainable long-term plan is for stakeholders to build a stronger cybersecurity ecosystem overall. For example, the Australian federal government established a nonprofit organization, AustCyber, to cultivate an Australian cybersecurity ecosystem,38 including building a pipeline for cybersecurity talent. The project is set up to receive government grant funding as well as to offer matched funding for industry-led projects. This enables a hub for government collaboration with industry partners toward the shared goal of a stronger cybersecurity workforce. Talent recruitment programs offer another potentially fruitful opportunity for public-private collaboration on cybersecurity workforce development. The aforementioned Cybersecurity Talent Initiative in the United States, for example, is a partnership between a number of government offices and corporations.39 The partners combine on-the-job learning in federal offices and corporate-funded tuition support for those participants who eventually choose jobs in the private sector. While not ideal for the federal government from a retention standpoint, federal workplaces nonetheless benefit from the recruitment opportunity. In particular, such arrangements allow federal workplaces to interact with program participants who might otherwise go directly to the private sector, giving government offices a greater chance of retaining this talent than they would otherwise have had.
