The Heart and Soul and Muscle of Cybersecurity: The IT Sector and Its People
Before World War II, the United States viewed warfare as occurring in two primary domains: land, overseen by the Army, and sea, managed by the Navy. The attack on Pearl Harbor revealed a third essential domain—the air—forcing the U.S. to rethink its defense posture. After the war, one of the US government’s first major initiatives was to create the Air Force Academy to ensure the USA had a sufficient supply of trained personnel to defend the nation in this new theater of conflict.
Today, the United States faces a nearly identical deficiency—this time with respect to digital conflict. The nation, including every critical infrastructure sector, is under constant cyberattack from well-financed nation-states, and we lack an adequate number of trained personnel required to defend both government and private-sector systems.
The United States urgently needs a virtual cybersecurity academy to train the cyber defenders that national security now demands.
The threat environment is severe. The nation endures millions of cyberattacks daily, with total annual losses measured in trillions of dollars. Intelligence reporting confirms that nation-state actors—including China—have infiltrated U.S. energy and telecommunications infrastructure and are “living off the land,” using our own administrative tools, credentials, and infrastructure against us [1].
The response from the IT community has been aggressive: massive investment, innovative products, AI deployment accompanied by surge staffing during national-level incidents, coordinated threat intelligence exchanges, and the rapid deployment of advanced monitoring and detection capabilities across public and private networks [11, 12]. Yet even with these accelerated defensive measures, no technology company—or coalition of companies—can independently withstand a determined nation-state adversary.
Despite high investment in cybersecurity, the workforce deficit is overwhelming: 500,000–750,000 cybersecurity vacancies nationwide, including 35,000 unfilled positions in the federal government. Technology itself is complicating the workforce issue as AI is replacing many individuals who were once considered properly trained but now find their positions automated, while demand for next-level training evolves. State and local staffing levels are worse. Even the more affluent states and localities have no chance of competing in the tight, sophisticated IT security labor market. Compounding the problem, many trained cybersecurity professionals are leaving the field due to stress, regulatory pressure, and burnout.
Regulatory Surge and the CISO Liability Crisis
A major burnout driver is regulatory escalation. In July 2023, the SEC implemented sweeping cybersecurity disclosure rules requiring:
- Disclosure of material cyber incidents within four business days
- Annual reporting of cybersecurity governance, strategy, and risk management
These requirements appear under new Form 8-K Item 1.05 and Regulation S-K Item 106 [8].
These rules increase personal liability for CISOs and cyber leaders, raising the stakes of misjudgment or delayed reporting. Analysts warn of a growing “CISO liability crisis,” with burnout now compounded by legal exposure [9]. AuditBoard similarly notes that these rules require formalized board oversight, more transparent materiality processes, and documented cyber-governance frameworks [10].
The IT / Cyber Workforce Under Extreme Pressure
Cyber and IT personnel carry intense operational burdens. They confront escalating threats, highly complex systems, and expectations of flawless performance in a domain where any failure could be catastrophic.
- 91% of CISOs experience moderate or high stress [3]
- Cybersecurity job satisfaction has fallen to 66% [4]
- 44% of cybersecurity professionals report severe work-related burnout [5]
- 65% of SOC analysts have considered quitting due to stress and alert fatigue [3]
- 75% of CISOs are contemplating job changes due to burnout and liability concerns [6]
The combination of workforce shortages, alert fatigue, and growing regulatory demands increases operational risk across all sectors of the economy.
The IT Sector as a National-Security Vector
The IT sector is not merely a support function—it is a core component of national security. Skilled cybersecurity professionals defend:
- Critical infrastructure
- Energy grids
- Telecommunications
- Financial networks
- Defense industrial base systems
- Healthcare and emergency services
When defender capacity collapses—through burnout, attrition, or regulatory pressure—national exposure escalates rapidly. Untriaged alerts, slow incident response, and leadership turnover create exploitable conditions for nation-state adversaries.
Conclusion
National defense is inseparable from cyber and IT resilience. Cyber professionals who defend critical systems are under unprecedented operational stress and increasing personal liability. Their role now resembles that of national-security commanders, yet they face shrinking staff, high burnout, and overwhelming expectations.
Meanwhile, highly sophisticated nation-state actors are aggressively seeking footholds in U.S. critical infrastructure [1].
The United States must respond with the same urgency shown after World War II. While some government programs already promote cybersecurity training in return for government service, as the virtual academy would, they are far too small. We need to address the problem at scale.
The PIVOTT Act, recently passed by the House Homeland Security Committee, is the first such program that begins to address the problem at scale, with a goal of training 10,000 recruits into government service a year. The “academy” graduates would be paid at a level similar to that of West Point and Annapolis graduates during this required government service. That salary is far lower than what the government currently pays the independent contractors it hires to do these jobs. The difference between what we would pay the academy graduates and what we pay the independent contractors is so significant that it would make up for the full amount the government has to pay to train them. Essentially, this is free cybersecurity for the federal government.
Moreover, once the academy graduates complete their government service, they will likely go into cybersecurity jobs in the private sector, where they will continue to defend our nation from nation-state attacks.
However, it is critical not only to recruit more trained personnel but also to make the highly pressurized conditions in which we ask the IT community to work less oppressive. It has been repeatedly documented that the massively uncoordinated and duplicative regulatory system, including unreasonably targeting chief security officers for personal liability in the case of even nation-state attacks such as the SolarWinds regime, is contributing to the rapid depletion of current experienced personnel. Cybersecurity requirements are necessary, but if they are not streamlined and based on cost-benefit analysis, they wind up undermining security, not enhancing it.
The National Defense Authorization Act can and should address these issues immediately. We do not have more time to waste; we are already under constant nation-state attacks.
Endnotes
1. Politico. (2025, November 1). Telecom CISO: “We’re really dealing with an extremely sophisticated nation-state threat actor…” https://www.politico.com/.
2. Securities and Exchange Commission. (n.d.). Cybersecurity. https://www.sec.gov/securities-topics/cybersecurity.
3. Bitsight. (2024). 5 shocking IT & cybersecurity burnout statistics. https://www.bitsight.com/blog/5-shocking-it-cybersecurity-burnout-statistics.
4. Cyber Magazine. (2024). Burnout is becoming endemic across the cybersecurity sector. https://cybermagazine.com/news/burnout-is-becoming-endemic-across-the-cybersecurity-sector.
5. Zhang, J., & Kumar, S. (2024). Burnout and mental health among cybersecurity professionals (arXiv:2409.12047). https://arxiv.org/abs/2409.12047.
6. Cybersecurity Ventures. (2024). The rise in CISO job dissatisfaction. https://cybersecurityventures.com/the-rise-in-ciso-job-dissatisfaction-whats-wrong-and-how-can-it-be-fixed.
7. CSO Online. (2024). Low turnover leaves job-seeking CISOs with nowhere to go. https://www.csoonline.com/article/3575323/low-turnover-leaves-job-seeking-cisos-with-nowhere-to-go.html.
8. SEC. (2023, July 26). Press Release 2023-139. https://www.sec.gov/newsroom/press-releases/2023-139.
9. Raconteur. (2024). CISOs are burned out – now they face personal liability too. https://www.raconteur.net/technology/cisos-personal-liability.
10. AuditBoard. (2023). SEC cybersecurity disclosure rules: What you need to know. https://auditboard.com/blog/sec-cybersecurity-rules.
11. CISA. (2024). Joint Cyber Defense Collaborative: Annual Report. https://www.cisa.gov/.
12. Microsoft Threat Intelligence. (2024). Nation-state cyber operations: Trends and defensive coordination. https://www.microsoft.com/security.