Closing the Cyber Workforce Gap: Why Hands-On Experience Matters

Photo Credit: Getty Images

This OpEd was originally published in S.C. Media.

January 26, 2026

Author: Valerie Moon, Executive Director, ICIT

Increasing the pool of cybersecurity talent in the U.S. is a bipartisan issue. Senators Gary Peters, D-Mich., ranking member of the Homeland Security and Governmental Affairs Committee ,and Mike Rounds, R-S.D., earlier this month introduced legislation to strengthen the Defense Department's cyber workforce.

Similarly, Senators Josh Hawley, R-Mo., and Maggie Hassan, D.-N.H,, from the Committee on Health, Education, Labor, and Pensions, along with Sen. Mark Kelly, D-Ariz., last year introduced a bill that would require the development of a comprehensive rural hospital cybersecurity workforce development strategy.

I worked on cyber policy issues at both the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) for more than a decade, and I have spoken at numerous conferences where I urge young students to get their degrees in cybersecurity. Needless to say, it's been hard for me to hear the stories of so many young college graduates who are unable to find employment in cybersecurity.

While there remains an overall shortage of cybersecurity talent in the U.S., with approximately 500,000 unfulfilled jobs in the mid-to-senior-level range, there is a surplus of entry-level cyber talent. Unless companies invest in entry-level hiring and training, there will be no sustainable pipeline for developing mid-level and senior talent.

The driving factor behind the reduction in the number of entry level cybersecurity positions seems to be AI. As the use of AI continues to grow, and industry continues to cut the number of entry-level positions, the pipeline to fill mid-career and senior positions is shrinking.

We as a nation need Gen Z, who are digital natives, in our cybersecurity workforce. This is where the federal government can really help.

The federal government, on both the military and the civilian sides, is excellent at providing technical skills that can make entry-level workers more marketable to both the private and public sectors.

Many of the top cybersecurity firms and cybersecurity departments across all industries are eager to hire candidates with experience at government agencies like the National Security Agency (NSA), the FBI, the CIA, the U.S. Secret Service (USSS) and CISA.   

States as cyber workforce incubators

Bills like Peters and Rounds', which focuses on the military's cyber workforce, as well as Hawley, Hassan, and Kelly's bill, which focuses on the cybersecurity of rural healthcare systems, are important steps forward that Congress and the federal government need to build upon to help increase employment opportunities for entry-level cyber workers.

Many states are also providing relevant technical skills to their students to make them more employable once they graduate. Massachusetts' MassCyberCenter is a great example of an organization that offers the type of apprenticeships that students can use to augment their academic skills, making them more employable upon graduation.

Massachusetts has also invested in building Security Operations Centers (SOCs) and Cyber Ranges that provide students with opportunities to develop skills for real-world protection against cyber threats.

The cyber ranges provide a safe place for students and adult learners who are changing careers to test and develop tools, software, techniques or hardware, all while isolated from the internet.

The concept of the range comes from the military exercises in which one team plays offense, executing mock cyber warfare to hone attack skills, and the other team plays defense to hone its defensive skills. These ranges can be physical, with servers on-premises, or virtual and cloud-based.

The SOC provides students with hands-on experience monitoring network operations. It also provides a focal point for initial incident detection and response for municipalities, non-profits, and small businesses. The SOC can be owned by an organization as part of its IT management or provided by third-party vendors.

Cyber workforce development is not just an education issue

We cannot treat cybersecurity workforce development as an educational problem alone. While degrees and certifications remain important, they are no longer sufficient to prepare students for the realities of defending complex, AI-enabled systems.

Hands-on experience in security operations centers, cyber ranges, and federal cyber internship programs at agencies like the NSA, FBI, CIA, USSS, and CISA can bridge the gap between academic theory and operational readiness, helping entry-level cybersecurity candidates find meaningful employment in the field.

These environments allow students to develop the judgment, technical proficiency, and confidence that employers demand. As we see with Massachusetts' program, there is the added benefit of strengthening the cybersecurity posture of underserved communities.

Federal legislation aimed at strengthening the cyber workforce is a necessary step, but it should be complemented by increasing the number of federal cyber internships and supporting states like Massachusetts that provide real-world experiences to students through programs like the MassCyberCenter.

Investing today to secure tomorrow's cyber workforce

If we fail to invest now, the talent shortage will only deepen as today's unfilled senior roles remain vacant tomorrow.  Cyber threats are only increasing as AI reduces the barriers to entry for malicious cyber actors.

We must support the next generation of cyber workers and provide them with meaningful applied skills to complement their education and give them a pathway to employment.  

Val Moon

Val Moon is Executive Director of the Institute for Critical Infrastructure Technology (ICIT), advancing people-centered, secure, and resilient infrastructure. Previously, she served as Chief Strategy Officer at DHS’ Cybersecurity and Infrastructure Agency (CISA) and spent 22 years at the FBI in senior cyber and technology leadership roles, including service on the Cyberspace Solarium Commission.

About ICIT

The Institute for Critical Infrastructure Technology (ICIT) is a nonprofit, nonpartisan, 501(c)3think tank with the mission of modernizing, securing, and making resilient critical infrastructure that provides for people’s foundational needs. ICIT takes no institutional positions on policy matters. Rather than advocate, ICIT is dedicated to being a resource for the organizations and communities that share our mission. By applying a people-centric lens to critical infrastructure research and decision making, our work ensures that modernization and security investments have a lasting, positive impact on society. Learn more at www.icitech.org.