America faces a cybersecurity skills crisis: Microsoft launches national campaign to help community colleges expand the cybersecurity workforce
The last year has brought unrelenting headlines about cybersecurity attacks. Foreign governments have tampered with the software supply chain, targeted on-premise servers, and hacked into sensitive government files. Criminal ransomware groups have attacked schools, penetrated hospitals and shut down a critical national pipeline. As we documented in the recent Microsoft Digital Defense Report, these attacks are growing and becoming more sophisticated. We’ve entered a new international era that falls short of war but with constant foreign cybersecurity attacks that threaten not only our businesses, but our students, healthcare and daily lives.
We recognize that no one has a higher responsibility to address cybersecurity threats than leading tech companies. It’s why we’ve increased cybersecurity investments and broadened our efforts across Microsoft, working closely with government and business leaders across the country. Earlier this year we committed $20 billion over five years to advance our security solutions and protect customers, as well as $150 million to help US government agencies upgrade protections, and expand our cybersecurity training partnerships. And as we shared earlier this week, we continue to innovate and bring new solutions to customers and individuals around the globe like passwordless login, identity management, endpoint security and more.
But this work has also brought an additional and daunting realization: the country’s cybersecurity challenges in part reflect a serious workforce shortage. Until we redress the cybersecurity workforce shortage, we will fall short in strengthening the country’s cybersecurity protection.
That’s why today Microsoft is launching a national campaign with U.S. community colleges to help skill and recruit into the cybersecurity workforce 250,000 people by 2025, representing half of the country’s workforce shortage. While some of these individuals will work at Microsoft, the vast majority will work for tens of thousands of other employers across the country.
But even with this effort, much more will needed to solve this problem. That’s why I’m writing this blog – to share what we’ve learned so far and encourage all of us to learn more from each other and do more together to address with urgency a problem we need to treat as a national crisis.
* * *
America’s critical cybersecurity workforce shortage
Let me start with two personal experiences that illustrate the problems we need to solve.
The first moment was in February as we looked back at Microsoft’s work to respond to the sophisticated Russian attacks that originated with tampering last year of a software update from SolarWinds. Early on we concluded that most customers could protect against the attacks by deploying cybersecurity best practices. It’s a phenomenon we’ve also seen repeatedly as we work with customers on ransomware attacks. We responded to the Solorigate incident in part by publishing more than 30 blogs so cybersecurity professionals could understand the technical issues and address them for their employers. But we found that a shortage of trained cybersecurity workers slowed our customers’ responses. In short, there were not enough people with the training needed to read everything we were writing.
The second moment came this fall as I traveled the country. On a Monday morning in Green Bay, Wisconsin, a group of local business leaders talked about their hiring frustrations. As one person put it, “every small business and start-up I know is complaining they can’t find people with cybersecurity skills.” As I moved from state to state, the people and conference rooms changed but the conversation remained the same.
We’ve worked to compare what we’ve been hearing with an assessment of broader data. We therefore asked one of our data analytics teams to bring together the best workforce data sets in the country, including from LinkedIn and cyberseek.org. And the conclusions are striking.
Consider this – for almost every two cybersecurity jobs in the United States today, a third job is sitting empty because of a shortage of skilled people. It’s like going into baseball’s World Series with only six players on the field when the other team has all nine. (And as we encounter every day at Microsoft, the nation’s cybersecurity adversaries are fielding complete and world-class teams.)
Currently there are 464,200 open jobs in the United States that require cybersecurity skills. They account for 6% of all open jobs in the country.
That’s right – more than one out of every 20 open jobs in America today is a job that requires cybersecurity skills. And every projection shows that the number of these jobs will grow even more in the years ahead.
And these are great jobs! They pay an average of $105,800 per year. Some are full-time cybersecurity jobs, like a chief information security officer, or CISO. Others involve a combination of cybersecurity and other IT functions. In our own (slightly biased) opinion, the work is fascinating and noble. And regardless of where you live in the United States, there are plenty of open cybersecurity jobs nearby.
We’ve created the Power BI dashboard below so you can check out the details for each state in the nation.
There is another piece of good news. Many of these open jobs don’t require a four-year college degree. You can qualify by earning an industry-recognized certificate or by getting a certificate or associate degree from a community college.
In sum, we hope that people of all ages who are interested in the country’s cyber protection will consider the half-million open cybersecurity jobs as a personal invitation to a rewarding and exciting future. And we’re prepared to put Microsoft’s technology, financial resources, learning materials, connections and voice behind a new national campaign to help take the next step.
Marshaling the nation’s resources
For months we’ve been working to develop a plan to help expand and strengthen the cybersecurity workforce. Given the magnitude of the challenge, it was soon obvious that success will require that the country marshal its most important resources. This includes the efforts of nonprofit groups and companies across the tech sector. It will require expanded work by the country’s four-year colleges and universities. But more than all of this, one conclusion consistently rose to the top. It’s this:
We need to mobilize America’s community colleges and enlist them in the cybersecurity battle.
Community colleges are the single greatest potential asset the United States has in expanding the cybersecurity workforce. They are one of the nation’s most remarkable and ubiquitous assets, and with some targeted assistance, they can move quickly to help address the cybersecurity workforce shortage. Consider the following:
- Community colleges are everywhere. There are 1,044 community colleges located in every state and territory, and in every setting – urban, suburban, rural and tribal. As one community college leader said to us recently, “there are three things that you can find everywhere in the United States, a bakery, a bank and a community college.”
- Community colleges serve students at all educational stages, from recent high school graduates to job seekers to people in the workforce. Currently 11.8 million Americans attend classes at a community college. Almost two-thirds (65%) attend classes part-time, while they hold jobs or help raise families (or both). This makes them ideal places for people who want to add to their current skill set by developing cybersecurity skills.
- Community colleges are flexible. Interestingly, 58% of community college students are enrolled in credit-earning courses, while the remaining 42% are enrolled in noncredit, workforce and skills training courses. They’re well-suited to help American workers earn the additional skills they want the way they want, from a little to a lot.
- Community colleges are effective. In 2018-2019, community colleges awarded 878,900 associate degrees, 619,711 certificates, and 20,700 baccalaureate degrees.
- Community colleges are more affordable. Community colleges average only $3,770 in annual tuition and fees, versus $10,560 for four-year public colleges. Moreover, 59% of community college students can access financial aid, including 33% who receive Pell Grants.
- Community colleges are diverse. Students at community colleges reflect the diversity of America, including 40% who are Black or African American or Hispanic. In addition, 29% are their family’s first generation to attend college, 20% are students with disabilities, and 5% are veterans. And 57% of students at community colleges are women.
The last aspect is important for an additional reason. Currently the nation’s cybersecurity workforce is notably lacking in diversity. Today 82.4% of the country’s cybersecurity jobs are held by men and 80% are held by people who are white. We need to build a cybersecurity workforce that is both larger and more diverse. Community colleges are uniquely situated to help the country do both.
A new partnership to help community colleges move faster
Since January we’ve spent time working with and listening to administrators, faculty, and students at 14 community colleges in six states across the country, specifically:
Our goal has been to learn more about their needs and how we can be most helpful. We’ve also spent valuable time with national leaders at the American Association of Community Colleges and at the National Cybersecurity Training & Education Center (NCyTE), which is located north of Seattle in Bellingham, Washington, at Whatcom Community College.
One thing we heard repeatedly is that when community colleges invest and innovate with cybersecurity offerings, the payoff for students and the community comes quickly. For example, in Cheyenne, Wyoming, Laramie County Community College has developed a new hardware lab it calls Cyber City and Cyber Range. Students use the two cyber environments to attack and defend a mock city as they learn about the various ways cybercrimes occur. Deployed utilizing a portion of resources provided to the school as a member of the Microsoft Datacenter Academy program, the students learn and progress at a rate that is impressive to even a hardened cybersecurity expert.
Similarly, we’ve partnered with faculty at the Fox Valley Technical College in my own hometown of Appleton, Wisconsin to launch new cybersecurity initiatives. As they’ve reported, “cyber talent is in high demand.” Participants in these initiatives will quickly land jobs across a wide variety of industries.
So, what are the barriers that community colleges face?
This question is even more important, and the answer is three-fold.
First, community colleges need access to state-of-the art curriculum materials they can deploy immediately and use broadly to expand their courses.
Second, train more faculty to teach in cybersecurity programs as well as to teach courses they have not taught before to address emerging threats.
Third, they need to expand financial aid and additional learning services to help more students pursue cybersecurity degrees and certificates, especially if we want to reach the more diverse population that is not well represented in the cybersecurity field today.
If we can address these three barriers, we can harness the power of the nation’s community colleges to address the cybersecurity workforce shortage.
Microsoft’s new cybersecurity jobs campaign
Today, Microsoft is launching a four-year campaign to help fill 250,000 cybersecurity jobs in the United States by the middle of this decade. This will address half of the nation’s cybersecurity workforce shortage. Our initial commitment will:
- Make curriculum available free of charge to all of the nation’s public community colleges.
- Provide training for new and existing faculty at 150 community colleges.
- Provide scholarships and supplemental resources to 25,000 students.
Here are some of the specifics:
- Deliver ready-to-teach, industry-developed curriculum for community colleges
Through the Microsoft Learn for Educators program, we will provide every community college in the country (and all higher education institutions) with access to free curriculum, educator training, and tools for teaching. This will include Microsoft Security, Compliance and Identity Fundamentals (SC-900) and Microsoft Azure Security Technologies (AZ-500) certification aligned course materials. To further support delivery of Microsoft’s ready-to-teach curriculum, we will also provide faculty at all these institutions with access to additional resources including free practice and certification exams, curriculum integration support, course delivery prep sessions led by Microsoft Technical Trainers, and entry to our global community of educators committed to helping students succeed. We will also continue to develop and expand our work to provide educational institutions with easy access to courses through LinkedIn Learning.
- Build educator and administrative capacity in cybersecurity learning paths
We will go even deeper with 150 community colleges to help these institutions train and retain cybersecurity faculty. We will partner with the National Cybersecurity Training & Education Center (NCyTE) to provide faculty with deeper professional development opportunities and to support these institutions in attaining the Center of Academic Excellence in Cyber Defense (CAE-CD) designation. This support will build the foundation for cybersecurity training at nearly 15% of the community colleges across the United States.
We will also work with the American Association of Community Colleges to launch a community of practice for institutions offering cybersecurity education. We will provide grants to fund and provide technical assistance to 42 community colleges that are accelerating their cybersecurity programs. Our goal is to learn from this effort and explore ways to scale promising practices to additional community colleges across the country.
- Announcing the Microsoft Cybersecurity Scholarship Program
Finally, today we are launching a new national Microsoft Cybersecurity Scholarship Program. We will provide scholarships and additional resources that will reach at least 25,000 students during the next four years. This will provide funding to supplement existing federal, state and other financial aid that is already available but is not sufficient to meet student needs, especially at the lower end of the income spectrum. This funding will help address tuition costs as well as the other financial challenges that often stand in the way of course completion, including certification exam costs and childcare expenses.
Our new program will also include support for critical tools for success, including mentorship from Microsoft employees and student supports, as well as free LinkedIn Premium accounts to help close the networking gap and connect them to jobs. Students will also receive access to GitHub education benefits, including student developer packs and access to local GitHub sponsored events. This new program will partner in part with the Last Mile Education Fund, through which we will provide Microsoft Cybersecurity Scholarships to 10,000 low-income students – including veterans – at community colleges pursuing cybersecurity career pathways and certifications.
Not just a program, but a campaign
We believe the steps we’re taking today can make an important contribution to addressing America’s cybersecurity workforce shortage. But we also know that much more is needed. That’s why we are thinking about this effort as not just a program, but a campaign. Building on our Microsoft Skills for Jobs global initiative, this new campaign can grow quickly to involve more companies, more nonprofits, and governments at the federal, state, and local levels. With additional volunteers from other companies and added financial resources, we can scale even farther to reach our full national needs.
We also recognize the importance of reaching additional educational institutions as well. We’re preparing already to support other institutions, including four-year colleges including the nation’s Historically Black Colleges and Universities and Hispanic-Serving Institutions. Stay tuned as we take more steps in the months ahead.
Ultimately this is also about getting out and making the case to people across the country to consider the opportunity to pursue a cybersecurity career. That’s something we’ll do as well – speaking on campuses, to chambers of commerce, and reaching people both in person and through social media and virtual meetings.
We want to give people across the country the opportunity to see more clearly something we see directly at Microsoft every day. If we’re going to protect the nation’s future, we need to strengthen cybersecurity protection. And we need a larger and more diverse cybersecurity workforce to succeed. Great jobs are waiting to be filled. Now we need to recruit the talent and provide the skills that people need.
On many days and on many issues, disagreements can divide our country. But we need a cybersecurity jobs campaign that protects the nation and brings us all together. We’re committed to its success.