Agencies hard hit by shortage of cybersecurity pros

New recruiting, training programs can help, but government needs to change hiring process, panelists say

The Homeland Security Department is focused on recruiting and hiring cybersecurity personnel. It tripled the number of professionals working in the National Cybersecurity Division in fiscal 2009 and doubled it again last year.

But that still brings the number of cybersecurity professionals working in the division to only 220.

“We just don’t have enough people yet,” Philip Reitinger, deputy undersecretary in the National Protection and Programs Directorate, said Thursday at a forum on workforce development hosted in Washington by Deloitte. “This is going to be a continuing challenge for us.”

DHS has been recruiting from other agencies as well as from the private sector, but Reitinger called that a “zero sum game,” because there are not enough trained professionals coming into the field to meet demand. “There are not enough people to go around.”

The problem has been recognized for several years and a number of public-private initiatives are under way to identify students with the proper interests and abilities in high school or even earlier, and to provide them with educational opportunities and career paths.


Related stories:

Cybersecurity boot camps are a start toward a skilled workforce

Deadline looms for CyberPatriot competition


Several high school and collegiate cybersecurity competitions are flourishing, and the University of Maryland University College has established three cybersecurity degree programs to help fill the demand for tens of thousands of professionals in Maryland, which is home not only to the National Security Agency but also to the Pentagon’s new Cyber Command.

It will be two to 12 years or even more before these new pipelines begin supplying significant numbers of new workers, however. In the meantime, the federal government is at a disadvantage in this market because of its recruiting and hiring practices.

“The current federal process is a disincentive to come in” to government work, said James Lewis, director of the technology and public policy program  at the Center for Strategic and International Studies. He said the problem was not limited to cybersecurity. “It’s a larger workforce problem.”

Reitinger agreed. “Hiring in the federal government has to be modernized across the board,” he said.

DHS has obtained waivers from the Office of Personnel Management to use greater flexibility in its hiring process and has experimented with techniques, such as a virtual job fair conducted online. But this cannot make up for the lack of a trained workforce produced by strong science, technology, engineering and mathematics (STEM) programs.

“This is a glaring weakness here in the United States,” said Jake Olcott, counsel to the Senate Commerce, Science and Transportation Committee. “Our STEM educational system is not working well right now.”

Colleges and universities have offered computer science programs since the days of punch cards, but the integration of computer science with security, law, law enforcement, government policy and all things cyber is only just getting under way.

“Professionalization” is key to developing a cyber workforce, Lewis said. “We need a more disciplined approach.”

There are plenty of training and certification programs available, but Lewis said there is no correlation between certification and job performance. Better ways are needed to assess competence and performance.

“We need to move cyber more toward science,” Reitinger said, in order to replace the guesswork and blind assumptions that dominate much of the field today with documented, quantifiable and testable knowledge.

One of the leaders in this effort is the UMUC, where three bachelor’s and master’s degree programs are being offered for the first time this fall.

“We have taken it on as a critical priority,” said UMUC President Susan C. Aldridge. The programs were announced earlier this year in response to efforts to establish Maryland as a cybersecurity hub.

One of the drivers for the program is the school’s work with the Defense Department, providing educational programs for military personnel.

The degree programs were created with input from industry to provide practical and theoretical training. The bachelor’s degree in cybersecurity will require 120 credits, including 33 credits of coursework in the major, and is being offered both completely online or in a combination of online study and on-site instruction. Master's degrees are being offered in cybersecurity and cybersecurity policy, each of which will require 36 credits of coursework offered in six six-credit online courses. Students also must complete internship programs.

The University of Maryland also announced this week the creation of the Maryland Cybersecurity Center, a multi-disciplinary educational and research and development center. Educators from engineering and computer sciences, as well as from non-technical disciplines, including business, public policy and economics, will work with the private sector to produce technology and services that can be commercialized.

Aldridge said UMUC’s cybersecurity programs are not waiting for students to arrive through the usual educational pipeline. “We can’t just take traditional students,” she said. The average age of students enrolled in the program is 32.

The Navy, which recently stood up its 10th Fleet as a cyber command, is not waiting on college programs to recruit personnel, said Kevin C. Cooley, the fleet command’s information officer.

“We’re trying to attract young men and women who have just finished high school,” he said. Recruiting tech-savvy youngsters takes some innovation. Cooley said he and others experienced an “old person’s revelation” when it dawned on them they would have to go outside the usual channels to attract the people they needed. The Navy is relying more on its digital presence, using tools such as Facebook and other social media to communicate.

Reitinger said government has one advantage in recruiting critical technical skills. Many government workers accept the lower pay and lack of flexibility because they see the work as a public service in a mission critical area, he said.

Featured

Reader comments

Thu, Oct 28, 2010 From WI Mid West

Boy, the government cannot win, people complain about taxes!!! Yet no one wants to work for the government, because the wages are not competitive. Sounds to me, like another case of wanting your cake and eating too. You want the government to provide all the services, such as protection from crime, terrorists and services, yet you want it for free!! No, I do not work for the government either, it is just plain common sense, nothing is free!! To quote a a gentleman I work with, "There is nothing common, about common sense". I am sure there are a lot of people who have been out of work and looking for a job, would be thankful to have a pay check.

Thu, Oct 28, 2010

This is one of the things that happens when you don't create career paths. There are people already employed by the federal government with technical skills but no idea what kinds of cerfications and trainings they need to take them to the next level. I worked for a bank before becoming a fed and I knew exactly what classes/certifications I needed to advance to other positions.

Thu, Oct 28, 2010 Jeffrey A. Williams Frisco Texas

The problem with the USG finding good IT security talent as commented here by other commenters is largely correct. The hiring practices for these positions seems very poor at best, and the other not mentioned reason I can think of is that a significant number of IT security folks that I works with and have for many years just plain don't trust government administration managers or the D.C. political atmosphere in which most of these positions are located.

Tue, Oct 26, 2010 Zelig Eastern Sea board

The USG Cyber Security efforts has the same problem that US National Soccer has - the best players do not play for the home team. What prevents the US NATL Soccer team from fielding the best team is that rising to national team ranks is based upon who can afford the personal and professional costs, and more importantly who they are connected to; the best US soccer players remain undiscovered because the process excludes them. The USG GSA contract and hiring process is gamed for large DIB who provide "computing securely cheaply" (which is openly debatable). Why would an Intel or Security pro take a 15K to 50K paycut to sit in endless meetings and read tea leaves for feckless round-shouldered beetle-like bureaucrats, instead of being on the tip of the spear. As a result, you don't get the best in GOV computer security, just like US soccer - the best team never surfaces.

Tue, Oct 26, 2010 AnonFed

"Frankly the pay sucks. I was offered a fed position as a contractor, but I would of had to take a pay cut, then my pay would of been capped, except for the cost of living raise." But but but Rush Limbaugh says we're all overpaid!!! Hardly, if unemployed IT pros are turning their noses up at Federal jobs.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above