In the United States alone well over a million organizations have become so dependent on cyberspace that their vital interests are now vulnerable to attack, accidents, and design failures that may compromise those interests. Many experts believe the situation is getting worse; that new vulnerabilities are being pumped into cyberspace, and that the bad guys are coming up with more sophisticated and scalable attacks faster than the good guys are coming up with improved defenses. The technical R& D pipelines do not show much promise for generating solutions that will provide discernable, measureable, readily and massively scalable improvements in cyber security for enormous populations of users. Nor is there much expectation that a broadly operational engineering science of cyber security, nor a set of voluntary standards and calls for information sharing, nor a set of government laws and enforcing institutions, will achieve this end any time soon. Cyberspace is thus an environment where all dependent organizations are vulnerable and at risk. Even NSA admits to its inability to guarantee its own information security. But not all users are equally vulnerable. There are a multitude of products, procedures, standards, and policies that, if appropriately used, can make some users safer and more secure than others in cyberspace. But it takes knowledgeable people to bring these possibilities to bear, and to sustain and update their use. However, many organizations cannot or will not invest in many or any full time cyber security employees. Since millions of organizations worldwide are largely responsible for their own cyber security, this implies a huge workforce need and shortfall. Many organizations may be dependent on personnel who are not full time cyber security professionals to perform security functions or to be able and knowledgeable enough to obtain needed training, products, and services from outside their organizations. A premise of this presentation is that the primary bearer of risk when things go wrong in cyberspace is the organization that has become so dependent on computer-communications systems, not the hardware and software in the computer-communications systems. There are an enormous number and variety of such organizations in national, state, and local governments, in the business and educational sectors, and arguably has come to include most of the organizations that have a payroll, engage in on-line transactions, have their intellectual property and other vital information on computers, or are otherwise strongly reliant on their presence on the worldwide web. They have many different forms of dependencies and risk tolerances. Their customers and the users of their products and services make up extended organizations of dependencies and risk. It will be useful to distinguish need, demand, and supply in the context of the cyber security workforce. Following [ NRC 2013]: " Need is the number ( and skill mix) of cybersecurity workers that are required to provide satisfactory cybersecurity ( a judgment that will vary according to who makes the assessment). Demand is expressed by the desired capabilities stated in job descriptions, the number of such positions that are created and filled, and the salaries offered to those who have those abilities. Demand will fall short of national or societal need to the extent that cybersecurity is a public good-that is, organizations will invest to meet their own requirements but not necessarily to achieve societally desirable overall requirements. Demand can also fall short of an organization's own needs if ( 1) the organization lacks the required resources or ( 2) an organization underestimates the threats it faces. Supply is the number of available qualified workers willing to fill positions, and is a function of the visibility and attractiveness of cybersecurity occupations, the availability of appropriate training and education, and ( as in all fields) the overall labor market in which potential workers respond to salary and other signals about demand."
