Need cyber talent? Look to prisons, suggests new NASCIO report

The National Association of State Chief Information Officers on Wednesday published a report proposing a solution to the nation’s persistent shortage of cybersecurity workers: Create more programs that train prisoners and former prisoners for those jobs.
One analysis tallies more than 450,000 open cybersecurity jobs in the United States, but counts enough workers to fill only 83% of those roles. And the research firm Gartner in 2023 predicted that more than half of critical cybersecurity incidents would soon be driven by that workforce gap.
To fill the nation’s cyber jobs, NASCIO’s report points to the more than 600,000 people released from state and federal prisons and the more than nine million bouncing out of municipal or county jails each year. In addition to providing fresh talent for the cybersecurity workforce, such educational initiatives could also reduce recidivism, the report suggests.
At least half of former inmates reoffend within three years of release, and educational training — especially college education — correlates with reductions in recidivism. One 2023 meta-analysis shows that college education correlated with a 28% reduction in recidivism, compared to a 6.3% reduction associated with basic adult education, and 9.4% for vocational education.
The report points to a program administered by the National Cyber Security Training Academy called Second Chances that allows non-violent, low-level offenders who’ve been vetted by a panel to select from six cybersecurity courses aimed at landing them jobs like network field engineer, penetration tester or cybercrime investigator.
Kalea Young-Gibson, the NASCIO policy analyst who drafted the report, told StateScoop that she gathered feedback from state chief information officers and chief information security officers during her research.
“Our members are interested to see how this could integrate with existing offender reentry programs,” she wrote in an email. “For example, in Kentucky, a few weeks ago our governor announced several new reentry vocational training programs and adding a cyber component could be an interesting new step.”
Kentucky Gov. Andy Beshear last month announced more than a dozen new vocational programs at the state’s correctional facilities. These include courses in skills like plumbing, basic construction and commercial vehicle operation, according to a press release. Cybersecurity wasn’t among the offerings, but Young-Gibson said she hopes her state or another will take up the idea.
Justin Miller, an associate professor of cyber studies at the University of Tulsa, agreed that there’s a shortage of cybersecurity professionals, particularly those who both possess technical skills and understand policy and governance. But Miller, who spent 25 years in the Secret Service, a job that included leading cyber fraud task force investigations, said he had some misgivings about how such training programs would work.
“I’ve had to track down and arrest a lot of cyber criminals,” Miller said. “I don’t see a lot of people putting faith in networks or data or [personally identifiable information], [Health Insurance Portability and Accountability Act] records, [Family Educational Rights and Privacy Act] records in the hands of prior criminals. … And if you’ve spent time in prison, you’re probably not going to get a security clearance and you’re not going to be able to work on sensitive projects.”
Miller said he’s also observed that many private prisons he’s visited were “severely” understaffed, adding a further challenge to supervising such technical programs in-house.
Some states have operated programs to train military veterans in cybersecurity skills, such as one in Virginia that partnered with Amazon Web Services, Fortinet and other tech firms to bolster the cyber workforce, while helping a population with unique challenges reintegrate into society. Miller said a vocational program that targets former inmates would likewise need to account for the psychologies of its participants.
“What I found is a lot of the veterans were missing limbs or had traumatic brain injury or PTSD … and then they had to work in forensics labs where they had to pull digital forensics on child exploitation cases,” he said. “I felt it was almost cruel in the sense that here we had this veteran who served our country and has been injured in such a significant way, and our thanks is yes, we’ve given you a job and we’ve given you great training, but we’re exposing you to additional material. I felt like we were re-victimizing our veterans all over again by doing that.”
But perhaps the biggest challenge would-be cybersecurity practitioners with criminal records would face is the growing interest among technologists in understanding every component of their increasingly sprawling technical environments. Miller said it used to be the case that cyber practitioners didn’t give much thought to the people behind the services they used — but that’s changing.
“Look outside of your networks,” he said. “What can affect you? The Target breach [in 2013] was affected by a third-party vendor. If we’re doing business with third-party people or they have access, I kind of want to know your hiring processes. Who are you employing to manage these things?”