Workforce Development

The efforts by multiple organizations, such as government, industry, or academia, to ensure an adequate supply of workers with specialized cybersecurity knowledge and skills comprise workforce development.

Utilities need their IT staff, security staff, and engineers to have specialized technical knowledge regarding cybersecurity. Government agencies can help meet this need through workforce development programs that provide cybersecurity training.


Securing the electrical grid against cyberattacks is necessary for the safe, reliable operation of this critical infrastructure. However, there is a gap between the number of qualified cybersecurity professionals in the workforce and the number needed. The International Information System Security Certification Consortium estimates the workforce shortfall of skilled cybersecurity professionals to be more than 4 million worldwide ((ISC)2 2019). Furthermore, utilities everywhere must compete against other industries—finance, retail, manufacturing, etc.—when hiring for cybersecurity positions.

Workforce development can help by making cybersecurity educational resources available to citizens who wish to learn these skills. Workforce development programs may be implemented by national governments, not-for-profit organizations, utilities, or any entity with an interest in ensuring an adequate supply of cybersecurity professionals.

Intersections With Other Building Blocks

The workforce development building block augments utilities’ efforts in the cybersecurity awareness training building block. Whereas cybersecurity awareness training addresses the basic, safe cybersecurity habits that all employees should have, workforce development cultivates those specialized, in-depth cybersecurity skills needed by IT professionals, security professionals, and engineers. Those technical professionals can help monitor and coach nontechnical staff, making cybersecurity awareness training more effective.


Figure 11. Information passed from the workforce development training building block

Processes and Actions

Government agencies may consider incentives to encourage organizations to create workforce development programs as a way of ensuring an adequate supply of cybersecurity professionals for all industries, including critical infrastructure. Governments may even consider organizing such programs themselves.

Whoever establishes a workforce development program should engage entities that operate critical infrastructure related to their cybersecurity needs and the gaps in skills they see among job candidates. Because grid security is an issue of national security, defense or military agencies might also contribute by identifying workforce training objectives. The responsible government agency can then review educational resources internal to the nation (universities, trade schools, etc.) that may be able to establish in-person or online learning opportunities. If defense or military agencies have sufficient resources, they may also provide cyber training to civilians (including utility staff).

Workforce development opportunities may also be available through for-profit institutions or even foreign government agencies. A plan for cybersecurity workforce development should be written and reviewed by all stakeholders (being sure to take into account skill gaps and budget). Government agencies might consider incentives that would encourage individuals already working in critical infrastructure to increase their skills in cybersecurity. These incentives could be provided directly to the individuals or their utility/critical infrastructure employers, or to the organizations that provide the training programs.

Essential Data

Whether it is a government agency, not-for-profit organization, university, or other institution, anyone setting up a workforce development program should find out if critical infrastructure entities (such as utilities) currently have access to the following skills (either through staff or contractors). Assembling this data will better focus the workforce development program on the needs of critical infrastructure.

  • Access control and account management
  • Network security and network segmentation
  • Applicable laws, regulations, and standards
  • Physical security
  • Security needs specific to the systems and networks needed for delivery of services (for instance, in an electric utility, this might include security for SCADA systems).

Recommended Reading

ISC2. “(ISC)2 Finds the Cybersecurity Workforce Needs to Grow 145% to Close Skills Gap and Better Defend Organizations Worldwide.” November 6, 2019.