The Heart and Soul and Muscle of Cybersecurity: The IT Sector and Its People
Before World War II, the United States viewed warfare as occurring in two primary domains: land, overseen by the Army, and sea, managed by the Navy. The attack on Pearl Harbor revealed a third essential domain—the air—forcing the U.S. to rethink its defense posture. After the war, one of the U.S. government’s first major initiatives was the creation of the Air Force Academy to ensure the nation had a sufficient supply of trained personnel to defend this new theater of conflict.
Today, the United States faces a nearly identical deficiency—this time in the domain of digital conflict. The nation, including every critical infrastructure sector, is under constant cyberattack from well-financed nation-state actors, yet it lacks an adequate number of trained personnel to defend both government and private-sector systems. As Representative Bennie Thompson has warned, “Make no mistake, addressing cyber workforce challenges is a critical security priority” (13). The United States urgently needs a virtual cybersecurity academy to train the cyber defenders that national security now demands.
The threat environment is severe. Ranking Member of the House Oversight and Government Reform Committee Robert Garcia has stated, “Every company, every government faces serious threats from hackers from foreign intelligence services. We all know that Russia and China and other countries are trying to steal secrets, steal technology, steal patents—not just within one company, but across our nation” (14). The nation endures millions of cyberattacks daily, with total annual losses measured in the trillions of dollars. Intelligence reporting confirms that nation-state actors—including China—have infiltrated U.S. energy and telecommunications infrastructure and are “living off the land,” using our own administrative tools, credentials, and infrastructure against us (1).
The response from the IT community has been aggressive. Massive investment, innovative product development, AI deployment accompanied by surge staffing during national-level incidents, coordinated threat intelligence exchanges, and the rapid deployment of advanced monitoring and detection capabilities across public and private networks have all expanded significantly (11)(12). Yet even with these accelerated defensive measures, no technology company—or coalition of companies—can independently withstand a determined nation-state adversary.
Despite high investment in cybersecurity, the workforce deficit is overwhelming: an estimated 500,000 to 750,000 cybersecurity vacancies nationwide, including 35,000 unfilled positions within the federal government. Technology itself is complicating the workforce challenge, as AI is automating many roles once considered adequately staffed, while demand shifts toward next-level training and specialization. State and local staffing conditions are even worse. Even relatively affluent states and municipalities cannot compete in today’s tight and highly sophisticated IT security labor market. As Ranking Member Garcia has noted, “There are so many small cities and towns that don’t have the capacity to actually deal with some of these cyber threats. Municipalities and smaller governments face real challenges responding effectively” (14). Compounding the problem, many trained cybersecurity professionals are leaving the field due to stress, regulatory pressure, and burnout.
Regulatory Surge and the CISO Liability Crisis
A major driver of burnout is regulatory escalation. In July 2023, the Securities and Exchange Commission implemented sweeping cybersecurity disclosure rules requiring:
- Disclosure of material cyber incidents within four business days
- Annual reporting on cybersecurity governance, strategy, and risk management
These requirements appear under new Form 8-K Item 1.05 and Regulation S-K Item 106.
These rules significantly increase personal liability for chief information security officers (CISOs) and senior cyber leaders, raising the consequences of misjudgment or delayed reporting. Analysts warn of a growing “CISO liability crisis,” with burnout now compounded by legal exposure (9). AuditBoard similarly observes that these rules require formalized board oversight, more transparent materiality determinations, and documented cyber-governance frameworks (10).
The IT / Cyber Workforce Under Extreme Pressure
Cyber and IT personnel shoulder intense operational burdens. They confront escalating threats, highly complex systems, and expectations of flawless performance in a domain where any failure can have catastrophic consequences.
- 91% of CISOs experience moderate or high stress (3)
- Cybersecurity job satisfaction has fallen to 66% (4)
- 44% of cybersecurity professionals report severe work-related burnout (5)
- 65% of SOC analysts have considered quitting due to stress and alert fatigue (3)
- 75% of CISOs are contemplating job changes due to burnout and liability concerns (6)
The combined effects of workforce shortages, alert fatigue, and expanding regulatory demands increase operational risk across every sector of the economy.
The IT Sector as a National Security Vector
The IT sector is not merely a support function—it is a core component of national security. Skilled cybersecurity professionals defend:
- Critical infrastructure
- Energy grids
- Telecommunications networks
- Financial systems
- Defense industrial base systems
- Healthcare and emergency services
When defender capacity collapses—through burnout, attrition, or regulatory pressure—national exposure escalates rapidly. Untriaged alerts, delayed incident response, and leadership turnover create exploitable conditions for nation-state adversaries.
Conclusion
National defense is inseparable from cyber and IT resilience. Cyber professionals responsible for defending critical systems are under unprecedented operational stress and increasing personal liability. Their role now resembles that of national-security commanders, yet they face shrinking staff levels, rising burnout, and overwhelming expectations. Meanwhile, highly sophisticated nation-state actors are aggressively seeking footholds in U.S. critical infrastructure (1).
The United States must respond with the same urgency demonstrated after World War II. While some government programs promote cybersecurity training in exchange for public service, including proposals for a virtual academy, these efforts remain far too limited in scale. The challenge must be addressed systemically.
The PIVOTT Act, recently passed by the House Homeland Security Committee, represents the first program designed to address this challenge at scale, with a goal of training 10,000 recruits for government service annually. Academy graduates would be compensated at levels comparable to those of West Point and Naval Academy graduates during their required service—far below the cost of the independent contractors currently performing these roles. The resulting savings would effectively offset the full cost of training, making this approach functionally cost-neutral for the federal government. Moreover, after completing their government service, academy graduates are likely to transition into private-sector cybersecurity roles, where they will continue defending the nation against state-sponsored cyber threats.
However, recruitment alone is insufficient. It is equally critical to reduce the extreme pressure under which IT professionals operate. Extensive documentation shows that the fragmented, duplicative regulatory system—combined with the practice of assigning personal liability to chief security officers for breaches caused even by sophisticated nation-state attacks, such as SolarWinds—has accelerated the loss of experienced personnel. Cybersecurity requirements are necessary, but when they are uncoordinated and lack cost-benefit discipline, they ultimately undermine security rather than strengthen it. The National Defense Authorization Act can and should address these issues immediately. We do not have time to waste—we are already under continuous nation-state attack.
Endnotes
-
Politico. (2025, November 1). Telecom CISO: “We’re really dealing with an extremely sophisticated nationstate threat actor…” https://www.politico.com/.
-
Securities and Exchange Commission. (n.d.). Cybersecurity. https://www.sec.gov/securitiestopics/cybersecurity.
-
Bitsight. (2024). 5 shocking IT & cybersecurity burnout statistics. https://www.bitsight.com/blog/5-shocking-it-cybersecurity-burnout-statistics.
-
Cyber Magazine. (2024). Burnout is becoming endemic across the cybersecurity sector. https://cybermagazine.com/news/burnout-is-becoming-endemic-across-the-cybersecurity-sector.
-
Zhang, J., & Kumar, S. (2024). Burnout and mental health among cybersecurity professionals (arXiv:2409.12047). https://arxiv.org/abs/2409.12047.
-
Cybersecurity Ventures. (2024). The rise in CISO job dissatisfaction. https://cybersecurityventures.com/therise-in-ciso-job-dissatisfaction-whats-wrong-and-how-can-it-be-fixed.
-
CSO Online. (2024). Low turnover leaves job-seeking CISOs with nowhere to go. https://www.csoonline.com/article/3575323/low-turnover-leaves-job-seeking-cisos-with-nowhere-togo.html.
-
SEC. (2023, July 26). Press Release 2023-139. https://www.sec.gov/newsroom/press-releases/2023-139.
-
Raconteur. (2024). CISOs are burned out – now they face personal liability too. https://www.raconteur.net/technology/cisos-personal-liability.
-
AuditBoard. (2023). SEC cybersecurity disclosure rules: What you need to know. https://auditboard.com/blog/sec-cybersecurity-rules.
-
CISA. (2024). Joint Cyber Defense Collaborative: Annual Report. https://www.cisa.gov/
-
Microsoft Threat Intelligence. (2024). Nation-state cyber operations: Trends and defensive coordination. https://www.microsoft.com/security.
-
Thompson, Bennie. “Committees and Caucuses.” Office of Congressman Bennie Thompson, U.S. House of Representatives. Accessed January 2026.
-
Miller, Gabby. “Transcript: House Committee Hearing to Assess Microsoft’s Cybersecurity Shortfalls.” TechPolicy.Press, June 15, 2024
