Cover: Hackers Wanted

Hackers Wanted

An Examination of the Cybersecurity Labor Market

Published Jun 18, 2014

by Martin C. Libicki, David Senty, Julia Pollak


Download eBook for Free

FormatFile SizeNotes
PDF file 0.4 MB Best for desktop computers.

Use Adobe Acrobat Reader version 10 or higher for the best experience.

ePub file 2 MB Best for mobile devices.

On desktop computers and some mobile devices, you may need to download an eBook reader to view ePub files. Calibre is an example of a free and open source e-book library management application.

mobi file 0.8 MB Best for Kindle 1-3.

On desktop computers and some mobile devices, you may need to download an eBook reader to view mobi files. Amazon Kindle is the most popular reader for mobi files.


Purchase Print Copy

 Format Price
Add to Cart Paperback106 pages $22.95

Research Questions

  1. Is what is commonly referred to as a shortage of cybersecurity professionals a long-term crisis or a short-term problem?
  2. Is this shortage pervasive throughout the sector or in certain segments within the sector?
  3. What potential policy options exist for addressing these concerns?

There is a general perception that there is a shortage of cybersecurity professionals within the United States, and a particular shortage of these professionals within the federal government, working on national security as well as intelligence. Shortages of this nature complicate securing the nation's networks and may leave the United States ill-prepared to carry out conflict in cyberspace.

RAND examined the current status of the labor market for cybersecurity professionals — with an emphasis on their being employed to defend the United States. This effort was in three parts: first, a review of the literature; second, interviews with managers and educators of cybersecurity professionals, supplemented by reportage; and third, an examination of the economic literature about labor markets. RAND also disaggregated the broad definition of "cybersecurity professionals" to unearth skills differentiation as relevant to this study.

In general, we support the use of market forces (and preexisting government programs) to address the strong demand for cybersecurity professionals in the longer run. Increases in educational opportunities and compensation packages will draw more workers into the profession over time. Cybersecurity professionals take time to reach their potential; drastic steps taken today to increase their quantity and quality would not bear fruit for another five to ten years. By then, the current concern over cybersecurity could easily abate, driven by new technology and more secure architectures. Pushing too many people into the profession now could leave an overabundance of highly trained and narrowly skilled individuals who could better be serving national needs in other vocations.

Key Findings

Sudden demand creates scarcity, competition, and crisis

  • Whenever rapid demand increases hit a profession with nontrivial skill and/or education requirements, economic theory suggests that rapidly rising compensation packages and strong competition for workers can be expected.

Educational initiatives are already addressing the cybersecurity demand

  • In response to earlier indications of burgeoning demand for cybersecurity professionals, there has already been a large increase in education, notably government-supported education, but also an increase in the number of computer science majors.

It's normal for the labor market to lag demand and education initiatives

  • Theory suggests and experience confirms that the market may take a long time to respond to unexpected increases in demand.
  • In the short term, many large organizations have found innovative ways of meeting the demand for cybersecurity professionals through internal recruitment and training, as our interviews have found.
  • Theory suggests and our interviews confirm that even organizations that can meet most of their needs internally still face difficulties in recruiting or retaining cybersecurity professionals in the upper tier.

The best steps may already have been taken

  • The difficulty in finding qualified cybersecurity candidates is likely to solve itself, as the supply of cyberprofessionals currently in the educational pipeline increases, and the market reaches a stable, long-run equilibrium.


  • Civil service and related rules that unnecessarily prevent federal agencies from hiring talented cybersecurity professionals should be waived for such hires. At a minimum, NSA's ability to waive the rules should be extended to all.
  • A modest infusion of funds (perhaps matching funds) should go to cybersecurity education programs to allow them to buy the necessary software licenses and computing/network equipment for their students.
  • There are deliberate efforts to refine testing to identify candidates likely to succeed in cybersecurity careers. R&D should be invested in refining the testing instruments used to assess an innate ability to learn and understand the cyber domain and the nuances of information manipulation or protection.
  • Taking a longer perspective, more methods to attract women into this profession may also increase long-term supply.

This research was sponsored by a private foundation and conducted within the Forces and Resources Policy Center of the RAND National Security Research Division (NSRD). NSRD conducts research and analysis on defense and national security topics for the U.S. and allied defense, foreign policy, homeland security, and intelligence communities and foundations and other nongovernmental organizations that support defense and national security analysis.

This report is part of the RAND research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.