Several weeks ago, I had the pleasure of participating in a panel discussion at the University of Maryland’s first annual Executive Cybersecurity Summit. There, I was able to share some insights our team has gained through supporting several statewide and regional efforts focused on advancing cybersecurity industry ecosystems. Notably, many of these insights run contrary to what we’re used to seeing in the DMV (for our non-Washingtonian friends, that refers to the DC, Maryland, and Virginia nexus). For example:

• Cyber industry growth across the US isn’t always sparked by cybersecurity concerns. In our beltway backyard, cyber industry growth is mostly responsive to technical needs, particularly to fulfill network security requirements for federal agencies. But outside of the DC area, many cyber ecosystems have flourished in response to concentrated economic and workforce development initiatives. Cybersecurity professionals earn more than double the average salary in many parts of the country, indicating the industry’s effectiveness as a targeted lever for advancing a community’s workforce and economy. Accordingly, the Commonwealth of Kentucky commissioned us to conduct a statewide cybersecurity industry analysis as a means of assessing the career field’s viability for targeted workforce diversification. Similarly, California’s cyber initiative is as focused on education, innovation, and workforce development as it is on technical implementation.   

• Cybersecurity initiatives aren’t always driven from the top. Just as federal government requirements play an outsized role in shaping the direction of the DC-area cyber industry, governors’ offices often drive successful statewide initiatives such as those seen in Virginia and Indiana. But in other areas, more localized efforts — often with the leadership and support of academic institutions — are making a splash. The Colorado Springs Chamber of Commerce and Economic Development Corporation, in partnership with Pikes Peak Community College, engaged us to map out the area’s cyber ecosystem and develop a strategic plan aimed at attracting cyber executives, investors, and workers to the region. And South Carolina’s statewide cyber initiative was born out of organic efforts within the University of South Carolina.

• Just “doing cyber” won’t put you on the map — but specialization will. We’ve all heard about executives who decide they need to “get some of that social media” without having a plan for why — and the same goes for locales that plan to “get into the cyber game.” But areas that carve out a niche cyber application, a targeted industry angle, or a differentiating value proposition can more effectively coordinate resources and stakeholders according to a coherent strategic plan. Once again, DC’s federal (and security clearance-heavy) market serves as its own differentiator. But absent such an inbuilt distinction, Michigan has become known for its Cyber Civilian Corps and Cyber Range; San Antonio has built a strong cyber education system to complement its defense assets; and Augusta (Georgia) and Colorado Springs both advertise quality-of-life as a differentiating factor for cybersecurity professionals seeking a new home.

It’s worth pointing out that there is no single correct pathway for building a cybersecurity ecosystem. At one end of the spectrum are jurisdictions that test the waters by commissioning exploratory studies to assess the industry’s economic impact before determining whether a next step is even prudent. Moving along that spectrum, we find highly sequenced initiatives such as California’s CASCADE program, which began with supply chain mapping; then moved to strengthen the provider network through diversification efforts; and now leverages that improved network to offer more robust cybersecurity services, workshops, and assessments to wider industry across California. And at the other end of the spectrum, New York’s cyber thrust comprises an interconnected series of initiatives that marshal the unparalleled wealth and diversity of its economic resources. 

If there has been a consistent factor for success, it might be the assistance of the Department of Defense’s Office of Economic Adjustment (OEA). Through one of several types of grant programs it offers communities, OEA has funded efforts in many states aimed at enhancing the resilience of the defense supply chain — in which cybersecurity companies play an important role. Whether seeking to help separating military personnel find a second career in the cybersecurity industry, or to help the cybersecurity industry itself decrease its reliance upon defense spending, OEA has enabled many cyber economy initiatives across the country to initiate and grow towards self-sustainability. And no matter your personal thoughts on the right amount of US defense spending, decreasing our national workforce’s reliance upon it — while also improving cybersecurity capacity and capability in dozens of states — is a good thing.