Cyber talent hunt: the search starts at home

People are the key to government cybersecurity woes

The government faces one glaring problem as it tries to bolster the security of its computers: humans. The government urgently needs to hire highly skilled people to plug computer security holes. But before agencies can hire the staff they need, they have to make it easier for people to understand what they’re looking for.

The Defense Department is racing to staff its new Cyber Command, the Homeland Security Department is exercising its authority to hire as many as 1,000 computer security professionals, and intelligence agencies are expanding the attention they pay to cyberspace. But so far, there is no agreed-upon definition of what it means to be a government cybersecurity professional.

Furthermore, the pool of potential employees with high-end technical talent is a shallow one.

“Everybody is after the same people, and there’s no source,” said Alan Paller, director of research at the SANS Institute.

Karen Evans, former administrator of e-government and information technology at the Office of Management and Budget, agreed. “There’s a finite set of [people with the needed skills], and everybody’s going after that same group of people,” she said.

Given the high demand and low supply, agencies are forced to compete with one another and the private sector to entice the talent that’s out there. So if you’re a cybersecurity professional with highly technical skills, you’re likely feeling more optimistic about the economy than most Americans are. But you might not find it easy to match your skills to agencies’ job descriptions.

Different parts of government talk about cybersecurity professionals in different ways, said Evans, who is now national director of the U.S. Cyber Challenge. The goal of that program is to identify 10,000 young people to be the next generation of cybersecurity professionals.

To meet current and future demands for such employees, agencies must work together to define the precise skill sets that different types of cybersecurity professionals need to have.

However, a quick search on the USAJobs Web site suggests that is not happening. The number of job openings varies depending on whether you type in “computer security,” “cybersecurity” or “information security” — terms government officials often use interchangeably.

“When you say ‘cybersecurity,’ it means different things to different organizations,” said John Bumgarner, research director for security technology at the U.S. Cyber Consequences Unit, an independent, nonprofit research institute. He said the government needs to come up with a standard language for pitching those jobs.

“Not only don’t the numbers add up, but the terms don’t add up,” Bumgarner said.

Sorting out expectations for cybersecurity professionals is a problem because jobs can run the gamut from highly technical to policy-focused. Paller said the government already has a glut of the latter.

“This is a huge issue for the [chief information officers] because they’re uncomfortable, but they don’t see a path through the maze,” Paller said. “The reason they don’t see a path through the maze is because the highly skilled people are so rare and so concentrated in a few spots that they’ve never seen any of them so they don’t know that the people that they have aren’t what they’re looking for.”

Paller estimates that the public and private sectors will need a combined 20,000 highly technical cybersecurity specialists in the next seven to eight years.

A search on the USAJobs site suggests that agencies — particularly civilian ones — aren’t on the hunt for candidates who have the commercial certifications used to validate those technical skills.

A search for "Certified Secure Software Lifecycle Professional" didn’t bring up any jobs, while "SSCP," for Systems Security Certified Practitioner, turned up five job openings, all at the Army.

The keyword “GIAC” — the SANS Institute’s information security certification — found eight jobs, while a search for “GIAC Reverse Engineering Malware” or “GREM” certification didn’t have a single match.

Paller said technical skills are in particularly high demand at banks and aerospace companies. Government IT security professionals can earn well — upwards of $100,000 a year or more — but banks and large corporations pay even better.

Fortunately, money isn’t the reason many people decide to seek government work. “There are a couple of reasons why you are going into a public-sector job: one is for stability and the other one is because you want to make a difference,” Evans said.

To attract cybersecurity professionals, agencies need to establish clear governmentwide terminology and requirements because it’s going to take some highly skilled people to secure the machines.

Reader comments

Mon, Aug 2, 2010 J.D.Bailey

Would anyone be interested? If someone could proved an atypical... asymmetric... intern recruiting model for internally developing a self-sustaining community for government cybersecurity professionals (~33% always under the age of 30yo). Test with 100, prove with 1000, then proceed.

Fri, Jul 30, 2010 J.D.Bailey

The standard language should always be common current academia and commercial market with a little street as spice for nice folks. Identify 10,000 young people to be the next generation of cybersecurity professionals, AGE DISCRIMINATION, I am 58yo. The whole .Gov/.Mil "Knowledge Management" executives need to find another job and quit blame-storming the work-force and contractors. Reader comments have a tone of consensus, what the .Mil/.Gov wants is a well educated head-nodding contract manager. .Mil/.Gov does not appear to want respected reputation and skills. So, maybe .Mil/.Gov should contract out core-security requirements, because that would be easier to manage and you can blame-storm the contractors for failures.

Thu, Jul 29, 2010 Cal Wyoming

Rob from Colorado hit it on the head. The Federal Government is stuck in the days of when a bachelor's degree actually meant something (before you complain about me claiming bachelor's degrees are meaningless, ask yourself why Bill wrote what he did). The real talent has picked up a few college courses here and there, taught themselves the rest, and bagged some certifications on an as-needed basis. The result is the real talent will never make it past the first cut because the first cut are those without college degrees. Not that much of the real talent would *want* a government job. Going from a dress code where you only have to be presentable to a dress code which requires slacks, long-sleeve button-down shirt, and tie as a minimum is not a transition easily made.

Thu, Jul 29, 2010 Al Los Angeles

So DoD 8570.01-M isn't clear enough? No guidance is perfect but you do need a starting point.

Thu, Jul 29, 2010 Jeffrey A. Williams Frisco Texas

In my 30 years in IT security and Network Data Processing the vast majority of 'Certifications' are not worth the paper they are written on. Some are simply 'For Sale' and have absolutely no meaning. Experience is and always has been the best teacher. So if you are looking for GOOD IT security folks, look for those with at least 5 or more years of experience.
