The cybersecurity workforce crisis: A clear and present danger to national security

Every cyberattack, no matter the target and no matter how small, is a threat to then national security of the United States and other countries as well. Unfortunately, there aren’t enough cybersecurity professionals available to protect corporate or government systems. That’s a problem for protecting national interests.

With a global deficit of 2.8 million cybersecurity professionals and only 72% of cybersecurity roles being filled according to Boston Consulting Group (BCG) and the Global Cybersecurity Forum, the US and other nations face mounting vulnerabilities that extend far beyond the IT department.

Cyberattacks represent one of the most pressing national security threats of the 21st century. According to BCG, the global cost of cybercrime has risen from $445 billion in 2015 to over $2.2 trillion in 2024. It’s not going to get better any time soon. The BCG report found that 85% of cybersecurity leaders highlight the rise in the frequency of cyberattacks as a rapidly growing cause for concern.

Attacks can compromise everything from power grids and water systems to financial networks and healthcare infrastructure. A successful cyberattack on a critical system can cascade into broader disruption, economic instability and erosion of public trust, all of which undermine national security.

There’s common misconception is that only attacks on government entities pose national security risks. That’s not the case. Every cyberattack, no matter how small, has the potential to become disaster for national security. Here's why:

Critical infrastructure dependency: Modern economies rely on interconnected private-sector infrastructure. An attack on a private energy company, for instance, can leave millions without power. An attack on a financial services firm can trigger market instability. BCG notes that financial services, technology, and the materials and industrials sector are the targets of approximately 70% of all global cyberattacks.

Supply chain vulnerabilities: A breach at a single supplier can compromise entire industries. When attackers infiltrate a technology vendor or manufacturing company, they gain potential access to dozens or hundreds of downstream organizations, including government agencies and defense contractors.

Economic warfare: Nation-state actors increasingly use cyberattacks against private companies as a form of economic warfare. Intellectual property theft, market manipulation and disruption of key industries can weaken a nation's competitive position and economic strength.

Data as a weapon: Private companies hold vast amounts of sensitive data about citizens, from health records to financial information. Attackers can weaponize stolen data for espionage, blackmail or influence operations that undermine national institutions.

The cybersecurity workforce shortage isn't simply about empty seats. It's a complex crisis driven by multiple factors that create both a shortage of professionals and a gap in critical skills.

BCG found that fewer than four qualified professionals exist to fill every five cybersecurity jobs, and 59% of CISOs say workforce shortage is a top barrier for achieving their security posture. The US, despite leading globally in cybersecurity maturity and housing 70% of the world's cybersecurity vendors, is not immune to this crisis.

About 64% of organizations identify the primary challenge in filling cybersecurity positions as a lack of qualified candidates, while 47% cite intense competition from other organizations as a major barrier, according to BCG.

But the challenge goes deeper than simple supply and demand. Cybersecurity skills are evolving at one of the fastest rates across industries, creating a dynamic skills gap that widens as technology advances. BCG found that the most significant skill gaps exist in cybersecurity leadership (50% of organizations identify this as their top challenge), network security (46%), security architecture (46%) and cloud security (44%). All of those areas require rare combinations of technical expertise, business acumen and deep security knowledge.

The connection between a shortage of cybersecurity expertise and national security risk is more direct and measurable than it might seem at first blush. One projection in the BCG report suggests that the shortage will become the key factor behind more than 50% of significant cybersecurity incidents worldwide.

Several dangerous scenarios emerge when organizations cannot fill critical security positions or lack professionals with the necessary skills:

Delayed threat detection: Understaffed security operations centers miss warning signs of intrusions. By the time breaches are discovered, adversaries have often established persistent access and exfiltrated sensitive data.

Inadequate defense architectures: Without skilled security architects and engineers, organizations deploy incomplete or misconfigured defenses that sophisticated attackers easily bypass.

Slower incident response: When attacks occur, insufficient cybersecurity staff means longer response times, greater damage and more extensive compromise of systems and data.

Accumulated technical debt: Security teams stretched too thin focus on urgent issues rather than long-term strategic improvements, leaving their organizations open to attacks.

For the US, the risks are particularly severe. As a global economic and military superpower, The US faces advanced persistent threats from nation-state actors who specifically target its interests. The cybersecurity workforce shortage creates exploitable weaknesses in both the public and private sectors, including across government agencies, defense contractors, critical infrastructure providers and key industries.

Addressing the cybersecurity workforce crisis requires coordinated action across multiple domains.

Long term, integration of cybersecurity education into primary and secondary school curricula can cultivate early interest and foundational knowledge. Cybersecurity clubs and partnerships with industry professionals are effective tactics for building interest.

At the university level, regularly updating educational curricula to align with rapidly evolving demands is essential. Embedding cybersecurity training across multiple disciplines such as law, business and engineering is critical.

Organizations should adopt skills-based hiring practices and expand talent pools with inclusive practices and a willingness to train, focusing on aptitude and potential rather than just experience.

Developing strategies to build inclusive, diverse and supportive cultures also helps organizations, retain employes and can give them more candidates for cybersecurity training and retraining.

BCG found that 60% of organizations view continuous training as essential to maintaining effective cybersecurity teams. Establishing continuous learning platforms that provide ongoing access to the latest knowledge, tools and best practices keeps workforces ahead of emerging threats.

Organizations providing more learning initiatives tend to have higher workforce satisfaction, a strong indicator that investing in employees’ growth has benefits beyond enhancing technical skills.

Artificial intelligence, particularly generative AI, represents both a potential solution and an emerging threat in the cybersecurity landscape.

Seventy percent of organizations have already integrated AI into their cybersecurity frameworks, according to BCG. Organizations using GenAI effectively could see up to a 30% increase in operational efficiency.

That efficiency gain is crucial in addressing the workforce shortage. AI can automate routine tasks such as log analysis, vulnerability scanning and incident reporting, allowing fewer cybersecurity professionals to cover more ground.

However, the same capabilities that make AI a powerful defensive tool also empower adversaries. BCG also found that 58% of cybersecurity leaders express concern over new adversarial techniques and AI-enabled cyberattacks. Furthermore, 57% of leaders are concerned about AI-enabled social engineering attacks such as phishing, while 52% worry about AI-enabled malware.

AI expands the attack surface and creates new vulnerabilities even as it strengthens defenses. Attackers use AI to craft more convincing phishing campaigns, automate reconnaissance, identify zero-day vulnerabilities and evade detection systems. The democratization of these capabilities means that even less sophisticated threat actors can now launch attacks that previously required nation-state resources.

The cybersecurity workforce shortage is not merely a human resources challenge. It is a fundamental threat to national security that demands urgent, coordinated action. Organizations struggling to defend critical systems could lead to potential breaches that disrupt industries, governments and economies, with costs measured not only in financial losses but also in the erosion of trust in digital systems that underpin the global economy.

For the US to maintain its security posture in an increasingly hostile cyber environment, stakeholders across government, industry and education must work together to expand the cybersecurity workforce, close critical skills gaps and build a diverse, well-trained cadre of cyber defenders. The alternative exacerbates a vulnerability that adversaries are already exploiting.

The time for incremental change has passed. The national security implications of the cybersecurity workforce shortage demand transformative action, and they demand it now.