Cyber talent hunt: the search starts at home

People are the key to government cybersecurity woes

The government faces one glaring problem as it tries to bolster the security of its computers: humans. The government urgently needs to hire highly skilled people to plug computer security holes. But before agencies can hire the staff they need, they have to make it easier for people to understand what they’re looking for.

The Defense Department is racing to staff its new Cyber Command, the Homeland Security Department is exercising its authority to hire as many as 1,000 computer security professionals, and intelligence agencies are expanding the attention they pay to cyberspace. But so far, there is no agreed-upon definition of what it means to be a government cybersecurity professional.

Furthermore, the pool of potential employees with high-end technical talent is a shallow one.

“Everybody is after the same people, and there’s no source,” said Alan Paller, director of research at the SANS Institute.

Karen Evans, former administrator of e-government and information technology at the Office of Management and Budget, agreed. “There’s a finite set of [people with the needed skills], and everybody’s going after that same group of people,” she said.

Given the high demand and low supply, agencies are forced to compete with one another and the private sector to entice the talent that’s out there. So if you’re a cybersecurity professional with highly technical skills, you’re likely feeling more optimistic about the economy than most Americans are. But you might not find it easy to match your skills to agencies’ job descriptions.

Different parts of government talk about cybersecurity professionals in different ways, said Evans, who is now national director of the U.S. Cyber Challenge. The goal of that program is to identify 10,000 young people to be the next generation of cybersecurity professionals.

To meet current and future demands for such employees, agencies must work together to define the precise skill sets that different types of cybersecurity professionals need to have.

However, a quick search on the USAJobs Web site suggests that is not happening. The number of job openings varies depending on whether you type in “computer security,” “cybersecurity” or “information security” — terms government officials often use interchangeably.

“When you say ‘cybersecurity,’ it means different things to different organizations,” said John Bumgarner, research director for security technology at the U.S. Cyber Consequences Unit, an independent, nonprofit research institute. He said the government needs to come up with a standard language for pitching those jobs.

“Not only don’t the numbers add up, but the terms don’t add up,” Bumgarner said.

Sorting out expectations for cybersecurity professionals is a problem because jobs can run the gamut from highly technical to policy-focused. Paller said the government already has a glut of the latter.

“This is a huge issue for the [chief information officers] because they’re uncomfortable, but they don’t see a path through the maze,” Paller said. “The reason they don’t see a path through the maze is because the highly skilled people are so rare and so concentrated in a few spots that they’ve never seen any of them so they don’t know that the people that they have aren’t what they’re looking for.”

Paller estimates that the public and private sectors will need a combined 20,000 highly technical cybersecurity specialists in the next seven to eight years.

A search on the USAJobs site suggests that agencies — particularly civilian ones — aren’t on the hunt for candidates who have the commercial certifications used to validate those technical skills.

A search for "Certified Secure Software Lifecycle Professional" didn’t bring up any jobs, while "SSCP," for Systems Security Certified Practitioner, turned up five job openings, all at the Army.

The keyword “GIAC” — the SANS Institute’s information security certification — found eight jobs, while a search for “GIAC Reverse Engineering Malware” or “GREM” certification didn’t have a single match.

Paller said technical skills are in particularly high demand at banks and aerospace companies. Government IT security professionals can earn well — upward of $100,000 a year — but banks and large corporations pay even better.

Fortunately, money isn’t the reason many people decide to seek government work. “There are a couple of reasons why you are going into a public-sector job: one is for stability and the other one is because you want to make a difference,” Evans said.

To attract cybersecurity professionals, agencies need to establish clear governmentwide terminology and requirements because it’s going to take some highly skilled people to secure the machines.

About the Author

Ben Bain is a reporter for Federal Computer Week.


Reader comments

Mon, Aug 2, 2010 J.D.Bailey

Would anyone be interested? If someone could proved an atypical... asymmetric... intern recruiting model for internally developing a self-sustaining community for government cybersecurity professionals (~33% always under the age of 30yo). Test with 100, prove with 1000, then proceed.

Fri, Jul 30, 2010 J.D.Bailey

The standard language should always be common current academia and commercial market with a little street as spice for nice folks. Identify 10,000 young people to be the next generation of cybersecurity professionals, AGE DISCRIMINATION, I am 58yo. The whole .Gov/.Mil "Knowledge Management" executives need to find another job and quit blame-storming the work-force and contractors. Reader comments have a tone of consensus, what the .Mil/.Gov wants is a well educated head-nodding contract manager. .Mil/.Gov does not appear to want respected reputation and skills. So, maybe .Mil/.Gov should contract out core-security requirements, because that would be easier to manage and you can blame-storm the contractors for failures.

Thu, Jul 29, 2010 Cal Wyoming

Rob from Colorado hit it on the head. The Federal Government is stuck in the days of when a bachelor's degree actually meant something (before you complain about me claiming bachelor's degrees are meaningless, ask yourself why Bill wrote what he did). The real talent has picked up a few college courses here and there, taught themselves the rest, and bagged some certifications on an as-needed basis. The result is the real talent will never make it past the first cut because the first cut are those without college degrees. Not that much of the real talent would *want* a government job. Going from a dress code where you only have to be presentable to a dress code which requires slacks, long-sleeve button-down shirt, and tie as a minimum is not a transition easily made.

Thu, Jul 29, 2010 Al Los Angeles

So DoD 8570.01-M isn't clear enough? No guidance is perfect but you do need a starting point.

Thu, Jul 29, 2010 Jeffrey A. Williams Frisco Texas

In my 30 years in IT security and Network Data Processing the vast majority of 'Certifications' are not worth the paper they are written on. Some are simply 'For Sale' and have absolutely no meaning. Experience is and always has been the best teacher. So if you are looking for GOOD IT security folks, look for those with at least 5 or more years of experience.
