This report is the first in a series examining specific workforce domains (cybersecurity and privacy, teaching and learning, and IT leadership) in higher education. Following the COVID-19 pandemic, a number of workforce domains in higher education saw significant shifts in focus, reductions in staff size, and structural reorganizations. Now, several years out from the onset of the pandemic, we are taking a look at the current state of affairs, gauging whether the higher education workforce has continued to shift, shrink, or reorganize, in addition to exploring other timely and relevant workforce issues. The data in this report are taken from a survey of cybersecurity and privacy professionals in higher education, conducted in July 2023, representing 350 respondents from different position levels at their institution.

In this report, we describe the findings of the survey in five key areas:

• Respondent composition
• Department structure, size, and reporting lines
• Staffing and budgets
• Work role experiences
• Competencies and professional development

• A majority of respondents said that staffing issues have had a negative impact on cybersecurity and privacy services offered at their institution, though cybersecurity had more FTE positions budgeted for the current fiscal year, more new positions created, and saw the most outsourced services, compared to the privacy domain.
• Many respondents (57%) feel that it is important to have remote/hybrid options for working. It appears that institutions have heard and understand this need: 68% of respondents reported that they currently do have remote/hybrid options for work.
• A significant number of respondents indicated that they are likely to apply for other positions both within higher education (56%) and outside higher education (55%) within the next 12 months, and this likelihood to apply for other positions correlates negatively with job satisfaction.
• A number of respondents felt that they should be reporting to leadership outside IT due to a misalignment in goals and conflicts of interest between IT and cybersecurity or privacy.
• A majority of respondents said that their current workload is somewhat or very excessive. The job functions that saw the largest increase in time demands in the past 12 months were compliance and regulations, monitoring and detection, and incident response and threat hunting.
• The job functions that saw the greatest decline in time demands in the past 12 months were offensive operations, specialized offensive operations, and threat intel and forensics.
• Technical skills and knowledge of AI was identified as being an important competency area for the future. And, in general, respondents indicated that they need more support for professional development, especially buy-in from leadership and time to pursue development opportunities.
• Cybersecurity and privacy roles are evolving. Privacy is becoming an increasingly important and growing area, and the two areas are also becoming more intertwined and quickly expanding far beyond traditional IT services.