Is there a cybersecurity workforce crisis?
- By Amber Corrin
- Oct 15, 2013
The numbers are startling: The U.S. Cyber Command seeks 5,000 cybersecurity pros. The federal government will need 10,000 cybersecurity experts in the near future. Even the Department of Homeland Security's comparatively small yet urgent demand for 600 new cybersecurity employees is dizzying once the logistics are considered.
Where are agencies going to find all those people?
For years, headlines decrying the dearth of cybersecurity professionals have dominated the IT security landscape. In the wake of massive leaks from insiders such as Bradley Manning and Edward Snowden, a flurry of high-profile cyberattacks and calls for action from Congress, the demand is as intense as ever.
It turns out, though, that striking the right balance in the federal cybersecurity workforce is more complicated than simply recruiting and hiring new employees.
Competing budget priorities, a narrow pipeline of prospects, training shortfalls, ambiguous skill-set requirements and a tug of war between the public and private sectors all add complexity to the process. Myriad programs for developing talented cybersecurity professionals exist, but they are often too small, still evolving or not comprehensive enough.
Overall, a sense of disorganization and worry hangs over the state of the cybersecurity workforce. But many experts hope that significant efforts underway in government and industry will start to bridge the chasm between needs and capabilities.
"Do we have enough? Probably not today, based on what we've forecasted for the demand tomorrow," said Air Force CIO Lt. Gen. Michael Basla. "Do we have some sights in mind, some forecasts and people interested? Yes. We're now going through an exercise looking at a composition of the Air Force contribution to the U.S. Cyber Command requirements. It's a big job in front of us with a lot of attention on it right now."
The Defense Department is ahead of much of the rest of the government in terms of developing its digital workforce. Each Pentagon component has its own expansive cybersecurity training programs whose participants range from entry-level enlistees to highly specialized officers.
Although DOD might have the greatest need in terms of the number of positions to fill, it has the advantage of a built-in workforce trained to its specifications. The greater concern is civilian personnel in the rest of the federal government.
"On the civilian side, you really have to have a program almost from the cradle to the grave," said Gil Vega, who was chief information security officer at the Energy Department before stepping down in August. "We need to be more formalized in how we recruit, train and develop. We haven't yet seen the answer to that problem. We face it at DOE, and my colleagues at other Cabinet-level agencies are facing it as well."
Educate early and often
Increasingly, programs that target students from elementary school to college are promoting science, technology, engineering and math (STEM) education.
The National Institute of Standards and Technology is home to the National Initiative for Cybersecurity Education, whose four components focus on different levels of education and are supported by numerous federal agencies. Among them are the Education Department and National Science Foundation's formal cybersecurity education component, which is aimed at students as young as kindergarten and up to 12th grade.
In addition, DHS' National Initiative for Cybersecurity Careers and Studies hosts a number of training and education programs, and its website includes a comprehensive list of degree programs, scholarships, internships, competitions, camps and career guidance resources.
Those efforts are just a few of the programs focused on growing the next crop of cybersecurity employees, and along with maintaining the cycle of ongoing, career-long training and education, they are a critical piece of the solution to the workforce problem.
"The government should be fostering partnerships with high schools, colleges and universities to groom tomorrow's cybersecurity workforce," said Evan Lesser, managing director of ClearanceJobs.com. "The government is woefully underprepared with its cybersecurity workforce. The fact is, government and contractor computer networks are under attack 24/7/365. Additionally, with the fields of cybersecurity, cyber response and cyberattacks changing rapidly, any workforce the government does have must be regularly trained so their skills are updated."
Building the workforce of today — and tomorrow
One of the most critical reasons for gaps in the cybersecurity ranks is the lack of clearly defined roles. "Cybersecurity" covers a wide range of job functions, from analysts to hardware technicians.
"One of the first things at the high level is actually defining what it is you want this person to do because it's not as broad as it's sometimes made out to be when you just say 'cybersecurity career field,'" said Howard Schmidt, formerly White House cybersecurity coordinator and now executive director of SAFECode and a partner at Ridge-Schmidt Cyber. "Part of that is requirements management: What exactly do you need to serve your mission, and also [what are] the skill sets to make sure your business processes can be implemented?"
Government agencies are making progress in that regard. In a joint effort, the White House's Office of Science and Technology Policy, the Chief Human Capital Officers Council, the CIO Council and the Office of Personnel Management are creating a database of statistical information related to existing and future cybersecurity positions. It is due by the end of fiscal 2014.
"The new databank will enable agencies to identify and address their needs for cybersecurity skill sets to meet their missions," a July 8 OPM memo states. "This particular work function has extensively changed over the last decade, and these revisions provide consistency and a common language in describing the skill sets needed to perform the work successfully."
Still, even after those missions and requirements are defined, agencies will likely face an uphill battle when it comes to attracting talent. Top officials freely admit that the government cannot compete with private-sector pay at either the entry level or the top end of the scale. And one of the primary advantages of federal employment — the relative security of government jobs — has been called into question by pay freezes, budget cuts, and the inability of Congress and the president to agree on fiscal 2014 funding. The uncertainty could steer some potential stars away from a career in the public sector.
"Our students have always been willing to make the trade-off in terms of starting salary, but it's difficult to take an additional risk of [not] knowing if you're going to be paid at all," said Don Kettl, dean of the University of Maryland's School of Public Policy.
But many experts say salary is not the chief motivator for the next-generation cybersecurity workforce.
According to a recent survey by SemperSecure, a public/private cybersecurity initiative by the state of Virginia, just one in four of today's cybersecurity professionals cite salary and benefits as a top interest. More than half said they seek interesting, challenging work, and 44 percent want "important and meaningful work."
Numerous sources agreed that appealing to a prospective employee's sense of duty and country is the key to federal recruiting.
"It's not just compensation, but also a sense of contribution and ownership," Schmidt said. "The government has no endless supply of incentives, but...people enjoy doing something where they have a sense of ownership."
Lesser agreed, adding that agencies should also highlight the benefits of government employment and play to candidates' love of technology — an interest cited by 39 percent of respondents to the SemperSecure survey.
The increased emphasis on STEM education is aimed in part at creating a cybersecurity farm system that will produce benefits over the coming decades. However, to meet shorter-term needs, government could attract and retain cybersecurity talent by embracing nontraditional approaches to hiring, which often means moving away from overly bureaucratic hiring processes and personnel policies.
The government might be unlikely to offer the kind of flexibility many of today's young candidates prefer — which includes loosened requirements for college degrees, accreditation and clearances, not to mention Google-esque benefits such as sleep pods or the option of bringing your dog to work. But flexibility of a different type, such as the ability to more easily move between departments and specialties, is an appealing perk for the modern workforce.
"If you want to grow a cybersecurity workforce and you want those cross-functional skills, you have to allow people to move more freely within the organization and allow for changing career paths," said Eddie Schwartz, chief information security officer at RSA, the security division of government contractor EMC. "At EMC, we have this idea of a 'career subway' — the idea that you can move from one skill set to another — and that's a welcome thing. To be effective, you want to encourage people to cross over if they have that interest. Those skills that they bring from different areas — whether it's business analysis, data science, programming — could be valuable in the security department."
Although it takes much greater effort than just a few years ago to find the right people and the right mix of civilian, military and contract employees to tackle next-generation security, the changes are necessary to fully address the growing threat. The urgency has been underscored over and over again by those in the highest echelons of government.
"It's going to get worse, and we have to get a number of things done to protect this country," said Gen. Keith Alexander, commander of Cyber Command and director of the National Security Agency, in late September. "The best in the world: That's what the American people expect...and that's what we're doing. Why? In this area, technical skills really matter. [We're] coming up with the operational concepts, and the command and control is absolutely vital to the future."
OPM's push to inventory cybersecurity jobs
As part of an effort to create a database of information on existing and future cybersecurity positions in the government, the Office of Personnel Management issued a memo in July telling agencies how to measure their cybersecurity workforce. The memo includes quarterly milestones for monitoring the initiative's progress with the goal of completing the database by the end of fiscal 2014.
To minimize cumbersome reporting requirements, OPM plans to monitor the information agencies are adding to the database and regularly discuss with agency officials how well their progress is aligning with key timeline requirements. Here are some of the key deadlines:
By the end of fiscal 2013: Agencies that are represented on the Chief Human Capital Officers Council were required to review and code cybersecurity positions, including the incorporation in the IT management 2200 series and computer specialist 0334 series positions. Discussions with agencies have confirmed that action plans are under implementation.
March 31, 2014: Agencies must code at least 60 percent of federal positions in the relevant series. Discussions and a database review must illustrate that plans are on track for completion by end of fiscal 2014.
Sept. 30, 2014: The database must show that agencies have coded at least 90 percent of cybersecurity positions. Discussions and a database review must confirm that the project is completed.