The White House Director for Cybersecurity, Sean Cairncross, has already signaled that the upcoming new national strategy for cybersecurity will have workforce development as one of its key components. The Director has also indicated that the White House will look for input from the private sector as to how to implement the new plan.
For several years, the Internet Security Alliance has been promoting the virtues of creating a national virtual cybersecurity academy to address the ever-evolving workforce security needs we confront in the digital age. Now is the time to push the start button on this idea.
The virtual academy, which builds on several existing and successful models, has multiple advantages, including:
- Addressing the scale of the cyber workforce issues
- Institutionalizes planning and foresight into the evolving workforce issue
- Provides economic incentives to address these ongoing problems
- Is cost-effective
SCALE
The essence of the academy model is that, just as with the traditional service academies, the government would provide free tuition for those who enlist in the academy and in return, academy graduates are obligated to a period of government service upon completion of their program.
The virtual cyber academy differs in several key respects from the existing service academies. To begin with, the virtual academy would not have a physical campus similar to West Point or Annapolis. Instead, institutions, including colleges, universities, community colleges, and smaller certification programs, would be able to “opt-in” to the program, entitling their “students” to receive free tuition for completing an academy-approved curriculum.
When fully operational, there would be multiple specific curricula that could qualify for academy funding based on a national cyber workforce needs assessment, which would be part of the academy’s program.
The virtual nature of the academy solves multiple practical issues with gearing up an adequate workforce under the time pressures generated by an ever-increasing cyber threat. The academy classes could be taught using modern virtual technology and already existing distance learning protocols. This eliminates geographic limitations for both prospective students as well as vastly broadening access to the limited qualified teachers/trainers, and of course, it saves the cost of building a physical campus.
There are already a variety of similar, small government programs that use a version of this model. While these programs provide a useful beta-test of the model, they simply do not operate at the scale needed to address current and future workforce needs.
For years, estimates of the size of the workforce gap in the US have hovered between 500,000 and 750,000 available cyber jobs, with estimates of up to 35,000 of those jobs in the federal government alone – far more in states and localities that cannot hope to compete in the open market for skilled digital personnel.
Earlier in this Congress, the House Homeland Security Committee passed the PIVOTT Act, which is a variation on the virtual academy model. PIVOTT is, by far, the most aggressive proposal to address the cyber workforce gap. PIVOTT envisions ramping up to serving 10,000 students a year. While that number is aggressive compared to the status quo, even at PIVOTT’s aggressive target, it would take 50 years to meet the currently estimated gap.
PLANNING AND FORSIGHT: THE RISE OF THE “Q-MONSTER”
Nothing characterizes the digital age more than speed. Like everything else in the digital world workforce needs to change with the advancement in technology. We are already seeing this with respect to the impact artificial intelligence (AI) is having on the workforce issue.
AI is already enabling many larger organizations to relieve previous workforce gaps by substituting AI solutions. However, just as advanced technology solves one problem, advanced technology creates a new one. See the rise of the “Q-Monster.
Quantum computing research is advancing quickly, with many experts forecasting that “Q-day” will arrive before the end of the decade. “Q-Day” refers to the day when quantum computers will be able to use multi-state qubits (aka quantum bits) to break the encryption algorithms at the heart of digital security technologies we currently use to secure the internet and digital devices.
When Q-Day arrives, critical data, including intellectual property, banking information, personally identifiable information, personal health information, and other “secrets,” will be susceptible to decryption by quantum computers, making all current information vulnerable to exposure.
Many experts are advising that organizations start planning for the coming quantum transition now. However, current research suggests that is not generally the case. A 2026 Bain & Company analysis found that 90 percent of companies are unprepared for quantum security threats. In 2025, an ISACA study found that only 4 percent of organizations have a defined quantum strategy despite growing concern about the durability of existing encryption.
Lack of planning could make a timely transition impractical due to the lack of qualified technical staff. Multiple studies indicate that quantum risk is widely recognized, yet workforce planning for post-quantum transition has barely begun. In practice, post-quantum cryptography has moved beyond a research challenge to an execution challenge—and execution depends on people (ISC2, 2025).
The switch forms the cyber personnel gap to the quantum personnel gap is indicative of the need for a national digital workforce needs assessment which we currently do not have, and which ought to be a core feature of a cyber academy program.
ECONOMIC INCENTIVES
One of the most promising features of the anticipated new cyber strategy is the focus on economic incentives. No where is this more apparent than in the workforce space. Notwithstanding the happy evolution of AI to address some baseline cyber workforce gaps the core problem with cyber workforce for years – and likely will be for quantum– is that simply not enough people have chosen to go into these fields.
The virtual academy offers a tool begin to address a range of integrated issues. There is a growing awareness that Gen-Z, and to a lesser degree millennials, are deeply concerned about the job market they face and their longer-term prospects to achieve the American dream. In an aligned case, there is barely a family in the country with a child between the ages of 5 and 15 that isn’t concerned as to how to send their child to college or even if it’s worth the expense, despite compelling evidence that a college degree is still the best pathway to a more secure financial future. And, we have a current and evolving workforce issue.
The virtual academy offers a new pathway for tens of thousands of individuals to get a free education in a growth, if ever-changing, field with the promise of – indeed obligation – of employment following their education/training, all while serving a critical national security need.
COST-EFFECTIVENESS
A key feature of the virtual academy model is that graduates must “pay off” their free education/training with government service tied to the extent of the government’s investment (a two-year certification program might require 2-year service whereas a 4 your college program would trigger a longer service obligation).
Using the PIVOTT proposal already passed by the House Homeland Security Committee as an example of the virtual academy model, tuition higher-end 4-year model for 10,000 students a year, adding 20% administration cost — would cost the federal government approximately $1 billion a year.
However, currently the federal government is paying independent contractors to perform the functions required for its own cybersecurity at a cost of approximately $1 billion. The savings from hiring the academy graduates, assuming payment scales equivalent to that of a traditional academy graduate, to do the jobs the federal government is hiring the independent contractors for would save the government approximately $1 billion. In essence, the academy program not only solves a significant government problem but does so on a cost-neutral basis.
