Before agencies can hire the cybersecurity professionals they need, they should make it easier for people to understand what they’re looking for.
The government faces one glaring problem as it tries to bolster the security of its computers: humans. The government urgently needs to hire highly skilled people to plug computer security holes. But before agencies can hire the staff they need, they have to make it easier for people to understand what they’re looking for.
The Defense Department is racing to staff its new Cyber Command, the Homeland Security Department is exercising its authority to hire as many as 1,000 computer security professionals, and intelligence agencies are expanding the attention they pay to cyberspace. But so far, there is no agreed-upon definition of what it means to be a government cybersecurity professional.
Furthermore, the pool of potential employees with high-end technical talent is a shallow one.
“Everybody is after the same people, and there’s no source,” said Alan Paller, director of research at the SANS Institute.
Karen Evans, former administrator of e-government and information technology at the Office of Management and Budget, agreed. “There’s a finite set of [people with the needed skills], and everybody’s going after that same group of people,” she said.
Given the high demand and low supply, agencies are forced to compete with one another and the private sector to entice the talent that’s out there. So if you’re a cyberecurity professional with highly technical skills, you’re likely feeling more optimistic about the economy than most Americans are. But you might not find it easy to match your skills to agencies’ job descriptions.
Different parts of government talk about cybersecurity professionals in different ways, said Evans, who is now national director of the U.S. Cyber Challenge. The goal of that program is to identify 10,000 young people to be the next generation of cybersecurity professionals.
To meet current and future demands for such employees, agencies must work together to define the precise skill sets that different types of cybersecurity professionals need to have.
However, a quick search on the USAJobs Web site suggests that is not happening. The number of job openings varies depending on whether you type in “computer security,” “cybersecurity” or “information security” — terms government officials often use interchangeably.
“When you say ‘cybersecurity,’ it means different things to different organizations,” said John Bumgarner, research director for security technology at the U.S. Cyber Consequences Unit, an independent, nonprofit research institute. He said the government needs to come up with a standard language for pitching those jobs.
“Not only don’t the numbers add up, but the terms don’t add up,” Bumgarner said.
Sorting out expectations for cybersecurity professionals is a problem because jobs can run the gamut from highly technical to policy-focused. Paller said the government already has a glut of the latter.
“This is a huge issue for the [chief information officers] because they’re uncomfortable, but they don’t see a path through the maze,” Paller said. “The reason they don’t see a path through the maze is because the highly skilled people are so rare and so concentrated in a few spots that they’ve never seen any of them so they don’t know that the people that they have aren’t what they’re looking for.”
Paller estimates that the public and private sectors will need a combined 20,000 highly technical cybersecurity specialists in the next seven to eight years.
A search on the USAJobs site suggests that agencies — particularly civilian ones — aren’t on the hunt for candidates who have the commercial certifications used to validate those technical skills.
A search for "Certified Secure Software Lifecycle Professional" didn’t bring up any jobs, while "SSCP," for Systems Security Certified Practitioner, turned up five job openings, all at the Army.
The keyword “GIAC” — the SANS Institute’s information security certification — found eight jobs, while a search for “GIAC Reverse Engineering Malware” or “GREM” certification didn’t have a single match.
Paller said technical skills are in particularly high demand at banks and aerospace companies. Government IT security professionals can earn well — upwards of $100,000 a year or more — but banks and large corporations pay even better.
Fortunately, money isn’t the reason many people decide to seek government work. “There are a couple of reasons why you are going into a public-sector job: one is for stability and the other one is because you want to make a difference,” Evans said.
To attract cybersecurity professionals, agencies needs to establish clear governmentwide terminology and requirements because it’s going to take some highly skilled people to secure the machines.