Since President Donald Trump returned to the White House in January 2025, the administration has focused less on cybersecurity concerns facing the U.S. compared to other issues, including tariffs, tax cuts through the “One Big Beautiful Bill” Act and international conflicts.
The Trump administration, however, has made substantial changes to the scope and staff of the U.S. Cybersecurity and Infrastructure Security Agency. The White House has also signaled that it plans to take a more hands-off approach to cybersecurity, including shifting security burdens to state agencies and reducing regulations and oversight of businesses.
Now, the administration has laid out its national cybersecurity vision that will guide its priorities for the next two and a half years. The National Cyber Strategy, officially released March 7, offers six “pillars” that the Trump administration will focus on. These include:
Shape Adversary Behavior: This section outlines how the Trump administration plans to use a combination of defensive and offensive operations to disrupt nation-state operations as well as cybercriminal activity. The strategy also states that the administration will “unleash” the private sector to disrupt security threats.
Promote Common-Sense Regulation: The Trump administration is seeking to further streamline cybersecurity regulations for private businesses.
Modernize and Secure Federal Government Networks: As with previous administrations, the Trump White House is looking to modernize federal infrastructure and deploy modern approaches, such as zero trust, to better defend government networks and data.
Secure Critical Infrastructure: The administration will emphasize protecting U.S. critical infrastructure such as energy grids, financial and telecommunications systems, data centers, water utilities and hospitals.
Sustain Superiority in Critical and Emerging Technologies: While cryptocurrencies and blockchain are mentioned, this section specifically calls out the development and deployment of artificial intelligence (AI) tools, which the Trump administration has made a priority since last January.
Build Talent and Capacity: The Trump administration is looking to eliminate barriers to hiring talented cyber professionals to work throughout the federal government and the private sector.
The seven-page document lacks details on how the Trump administration plans to execute these six priorities. By comparison, former President Joe Biden’s administration released a 35-page cybersecurity strategy in 2023 that included additional materials detailing that administration’s implementation and budget strategies.
Rep. Bennie G. Thompson (D-Miss.), the ranking member of the House Committee on Homeland Security, criticized the plan as a “mishmash of vague platitudes” and said the administration needs a better plan to recruit and encourage cybersecurity talent.
“Completely lacking is even the most basic blueprint for how the administration will go about achieving any of its cybersecurity goals — an objective possibly hamstrung by the hemorrhage in cyber talent across all federal agencies since Trump took office,” Thompson added in a statement.
Despite the lack of specifics, experts note that the strategy at least puts the issue of cybersecurity back into the national security conversation.
“The hard work begins now, and that’s translating the vision into ambitious yet achievable operational outcomes,” said Matthew Hartman, chief strategy officer at Merlin Group. “Consequence-based prioritization will be essential to ensure finite federal and private-sector resources are focused on the systems where disruption would have the greatest national impact. At the same time, this is an opportunity to clarify how government and industry divide responsibility for defining and delivering shared security and resilience outcomes.”
For cybersecurity professionals, the Trump administration’s cybersecurity strategy offers new ways to think about career development and the skills needed to meet emerging priorities, whether in the private sector or government work.
Best Offense Is a Good Defense
One area of the new cybersecurity strategy that stands out is the emphasis the document places on offensive operations and allowing private firms to more actively counter cyber threats.
Does this mean the administration’s strategy will create a market for offensive-minded cybersecurity talent? Experts note that it is unlikely to happen, but cyber pros should work to understand offensive operations to improve their organization’s defensive strategies.
“Recent national cyber strategies across multiple administrations have emphasized both strengthening domestic cyber defense and disrupting adversaries’ infrastructure and operations,” Merlin Group’s Hartman told Dice. “That doesn’t mean every defender needs offensive skills, but understanding adversary tradecraft can help defenders engineer more effective detections, anticipate attacker behavior and design defenses that are harder for real-world threats to bypass.”
The way the cybersecurity strategy is written now means that many cybersecurity professionals could be tasked with becoming offense-informed defenders, and that will require changes to hiring requirements across government and critical infrastructure, said Collin Hogue-Spears, senior director of solution management at security firm Black Duck.
“In workforce terms, employers will increasingly require defenders who can demonstrate offensive literacy — understanding how attackers escalate privileges, persist and move laterally so that defensive controls target real operator behavior rather than compliance abstractions,” Hogue-Spears told Dice. “None of this means every SOC analyst needs a red team certification. It means the floor has moved. The hiring filter is no longer ‘Do you hold the right compliance credential?’ It is: ‘Can you explain how an attacker would bypass the control you just implemented?’”
Over the last several years, the lines between offensive and defensive strategies have blurred, and the Trump cybersecurity strategy now reflects those changes, said Bugcrowd CEO Dave Gerry.
“Offensive skills are becoming table stakes for defenders. While this isn’t a newly valuable skillset, the emphasis on offense is becoming increasingly important as organizations aim to anticipate attacks rather than react after they occur,” Gerry told Dice. “The traditional model of defense is also changing by encouraging red-teaming, AI tooling and threat hunting as standard practice.”
AI and Cybersecurity
The Trump cybersecurity strategy reinforces what experts have said for months: Cybersecurity professionals who understand and demonstrate AI skills are increasingly valuable to employers. The document also makes clear that as threat actors use AI, the speed of attacks will increase, said Marcus Fowler, CEO of Darktrace Federal.
“As adversaries increasingly leverage automation and artificial intelligence to scale their operations, defending critical infrastructure and federal networks will require equally advanced capabilities,” Fowler told Dice. “AI-powered cybersecurity solutions must become a core component of our national defense posture. Just as importantly, government procurement pathways must continue to evolve to make it easier for agencies to adopt best-in-class defensive technologies, ensuring innovative capabilities can move from the private sector into mission environments without unnecessary delay.”
While AI is likely to automate entry-level cybersecurity functions such as security operations, triaging alerts and reviewing logs, the ability cyber professionals have to leverage AI to expand their skills, scale their output and enable them to perform at machine speed will become increasingly differentiated, said Bugcrowd’s Gerry. “The need for human ingenuity alongside AI is only growing, not shrinking.”
Even before the Trump administration published the document, Hogue-Spears had seen the federal government advertise positions that require AI knowledge and skills, and these will only become more critical as time passes.
“Federal agencies posted positions in February and March for agent security research engineers and AI offense evaluation teams using direct-hire authority citing a ‘severe shortage of candidates,’” Hogue-Spears added. “Those postings predate or coincide with the strategy’s release, which means the demand preceded the policy. ‘AI security’ has split from ‘cybersecurity’ the same way ‘cloud security’ split a decade ago.”
Less Regulation Does Not Mean Less Work
The Trump cybersecurity outline differs most from previous strategies in its approach to regulation. The administration has made no secret of wanting less oversight.
At the same time, governance, risk and compliance (GRC) positions have increased as organizations confront a myriad of issues, from data privacy to AI use. Despite the strategy outlined by the White House, experts see a continued need for skilled professionals in these positions.
“Governance, risk and compliance roles remain essential even as policy discussions evolve around regulation,” Hartman noted. “In large enterprises and critical infrastructure environments especially, organizations need professionals who can translate strategic risk into operational security decisions and ensure security investments actually improve security and resilience. Ultimately, the goal should be measurable security outcomes: reducing real-world risk rather than compliance for the sake of compliance.”
Others agree that in an increasingly complex world, cyber professionals who understand risk remain valuable.
“Regardless of the regulatory environment and reduction in checklist compliance efforts, the risks facing organizations are growing in complexity, not shrinking,” Gerry said. “The ability of GRC staff to shift to ‘risk analyst’ from ‘compliance auditor’ is going to be the key. These individuals need to shift from meeting the bare minimum required by the regulation to focusing on outcome-based security practices.”
