The United States currently faces a shortage of cybersecurity talent. According to CyberSeek, a data source produced by the National Institute of Standards and Technology (NIST), there were only 72 cybersecurity workers available for every 100 jobs posted by employers from September 2022 through August 2023 (CyberSeek). Furthermore, the International Information System Security Certification Consortium, a leading professional organization of cybersecurity workers, estimates that there are up to 700,000 unfulfilled cybersecurity roles in the United States. As a result, it has become paramount for stakeholders to build stronger career pathways. This is the aim of initiatives such as the National Cyber Workforce and Education Strategy by the White House’s Office of the National Cyber Director, which has a strong focus on transforming cyber education and workforce development.¹ To accomplish these goals, however, policymakers need a better understanding of the educational pathways taken by current cybersecurity professionals.

Already, there are many established and prominent training mechanisms for the cybersecurity workforce. For instance, schools can apply to enter the National Security Agency’s National Centers of Academic Excellence in Cybersecurity Consortium (NCAE-C), joining 445 institutions that meet federal standards for cybersecurity education. Previous CSET research concluded that NCAE-C schools graduated almost 50% of all bachelor’s degrees in cybersecurity-specific disciplines in 2020, despite accounting for only 40% of bachelor’s degree graduates in all disciplines. It would follow that a large proportion of the cybersecurity workforce attended an NCAE-designated institution. In our dataset of cybersecurity workers on LinkedIn, 28% have at least one NCAE affiliation on their profile across all degrees. Clearly, NCAE schools are major producers of cyber talent. On one hand, the designation could be self-fulfilling: once schools get designated, they attract more talent and resources. On the other hand, there is a large proportion of the cybersecurity workforce who have no connection to NCAE schools. This raises the question of where the remaining cybersecurity workforce receives their training.

This data snapshot aims to illuminate the answer to this question by identifying top producers of cybersecurity talent in the United States. Below, we will examine these institutions by exploring CSET’s cyber jobs dataset through a series of interactives and visualizations.

Identifying Top Producers of Cyber Talent

Since LinkedIn users self-report their educational background in their profile, the educational background of our cybersecurity worker subset was readily available.² However, using self-reported data comes with a major caveat: listing an institution on a profile does not always imply that a user graduated from that institution. For instance, users may elect to list an institution after only completing some coursework through special seminars or list an informal, non-degree program offering. This is reflected in our dataset, where 45% of U.S. users listed an educational institution without corresponding degree information. Without knowing the actual coursework users completed at institutions, we refer to users with the umbrella term affiliates, rather than graduates, of an institution.

We developed a three-step approach to identify top cybersecurity institutions:

1. Size:  First, we disregarded any institutions with fewer than 10,000 affiliates in the overall workforce to ensure that we only focused on institutions with a substantial number of attendees.

2. Percent-Affiliated Metric: For each institution in our dataset, we calculated the percentage of affiliates in the cybersecurity workforce out of the total number of affiliates. We then focused only on the 100 institutions with the greatest percentage of cybersecurity affiliates out of total affiliates.

3. Difference-in-Workforce-Representation Metric: Finally, we calculated the difference between the percentage of cyber workers affiliated with a school and the percentage of workers in the general workforce affiliated with a school. We then selected the 100 institutions that had the greatest difference between the percentage of cyber workers affiliated with a school and the percentage of total workers affiliated with a school, as well as those that satisfied the two conditions above.

We adopted this approach to identify institutions with a cybersecurity focus, rather than just institutions with a high number of overall affiliates. For example, Arizona State University (ASU) is the 10th most affiliated institution among current cyber workers in our dataset, with 6,628 cybersecurity workers indicating that they have studied at the institution in some capacity. Yet, cybersecurity affiliates only represent 1.7% of the 389,515 total workers affiliated with the institution. Hence, the number of cybersecurity affiliates from ASU is not actually a substantial proportion of the overall number of affiliates, and a more robust approach was necessary.

Following this process yielded a list of 54 institutions. Below, we visualize the full list of institutions that satisfy this criteria. Click on the dropdown menu to view the list and select the name of a particular institution to explore its metrics. Hover over a particular element in the graph to view its exact percentage.

Using the explorer, we noticed several trends. First, many NCAE-C schools were top cyber-producing institutions. Out of the 54 identified institutions, 33 (61%) were NCAEs. The remaining 26 institutions were a mix of online colleges and skilling academies, international universities, for-profit institutions, and closed institutions. The seven international institutions were all large public universities in India, suggesting that a substantial portion of the cyber workforce is being trained abroad. This could be the result of international students immigrating to the United States or some work being outsourced abroad. Indeed, retaining and boosting foreign-born talent is one of the objectives of the 2023 National Cyber Workforce and Education Strategy.

With 14.2% of all its affiliates in the cybersecurity workforce, the institution with the highest percentage of cyber affiliates out of total affiliates was Year Up, a skills-based job training program with a unique training model. Year Up students can elect to choose one of several job training pathways that include tracks in business, finance, information technology (with cybersecurity and help-desk support tracks), and software development. The program offers students job training courses, pairs them with a corporate internship, and stewards them through their first full-time job search. Students hail from low-income backgrounds and do not have to be enrolled in a four-year university. According to the organization, 80% of all graduates are employed or pursuing higher education, speaking to the efficacy of the training model (Year Up). This is clearly reflected in our dataset.

In addition, many of the institutions, both within the NCAE-C consortium and outside of it, offered online programs. In some cases, the institution was fully online, such as American Military University, Community College of the Air Force, Excelsior College, Grantham University, and Trident University International. This suggests that cyber workers are taking advantage of more flexible training models to obtain degrees and gain new skills. Below, we offer a glance at what degrees cyber workers are getting from each institution. In some cases, an “unreported” degree suggests that the cyber worker did not obtain a degree from the school, but took courses there to boost their skills. Note that MBAs are not included in the “Master” category and have their own designation.

Finally, we found that cyber workers are making great use of online skilling academies. Udacity, Coursera, and Free Code Camp all produced a high and disproportionate amount of cybersecurity affiliates. These programs do not offer traditional degrees, which is reflected in the data explorer above. The widespread use of online training programs as a supplementary mechanism suggests that traditional educational programs may not be providing students with all the desired skills and training needed to enter the workforce.

In conclusion, there is a wide array of programs producing cybersecurity talent in the United States. Paired with well-established NCAE-C institutions, cybersecurity workers are also making ready use of other resources, such as online skilling academies and skills-based training programs. The success and widespread adoption of these training programs, especially incubators such as Year Up, reveals that cybersecurity workers are seeking alternative pathways to entering the workforce. Going forward, it will be up to stakeholders to pave more roads to ensure that more talent finds its way into a cybersecurity career.

Calculations reflect the last data update on April 24, 2024.

1. For a comprehensive guide, see CSET’s explainer on the strategy here.
2. Out of around ~1.4 million cyber workers analyzed, 235,159 workers have no reported education data.