Is there a cybersecurity workforce crisis?

The federal government will need 10,000 cybersecurity experts in the near future. But striking the right balance is more complicated than simply recruiting and hiring new employees.

stylized professionals

The numbers are startling: The U.S. Cyber Command seeks 5,000 cybersecurity pros. The federal government will need 10,000 cybersecurity experts in the near future. Even the Department of Homeland Security's comparatively small yet urgent demand for 600 new cybersecurity employees is dizzying once the logistics are considered.

Where are agencies going to find all those people?

For years, headlines decrying the dearth of cybersecurity professionals have dominated the IT security landscape. In the wake of massive leaks from insiders such as Bradley Manning and Edward Snowden, a flurry of high-profile cyberattacks and calls for action from Congress, the demand is as intense as ever.

It turns out, though, that striking the right balance in the federal cybersecurity workforce is more complicated than simply recruiting and hiring new employees.

Competing budget priorities, a narrow pipeline of prospects, training shortfalls, ambiguous skill-set requirements and a tug of war between the public and private sectors all add complexity to the process. Myriad programs for developing talented cybersecurity professionals exist, but they are often too small, still evolving or not comprehensive enough.

Overall, a sense of disorganization and worry hangs over the state of the cybersecurity workforce. But many experts hope that significant efforts underway in government and industry will start to bridge the chasm between needs and capabilities.

"Do we have enough? Probably not today, based on what we've forecasted for the demand tomorrow," said Air Force CIO Lt. Gen. Michael Basla. "Do we have some sights in mind, some forecasts and people interested? Yes. We're now going through an exercise looking at a composition of the Air Force contribution to the U.S. Cyber Command requirements. It's a big job in front of us with a lot of attention on it right now."

The Defense Department is ahead of much of the rest of the government in terms of developing its digital workforce. Each Pentagon component has its own expansive cybersecurity training programs whose participants range from entry-level enlistees to highly specialized officers.

Although DOD might have the greatest need in terms of the number of positions to fill, it has the advantage of a built-in workforce trained to its specifications. The greater concern is civilian personnel in the rest of the federal government.

Reaping the Benefits

Given that a significant portion of the up-and-coming workforce is less concerned about pay than other things, here's a list of some of the most outrageous and awesome benefits that some IT companies offer. The government probably can't match most of them, but a good federal job can mean a solid foothold in industry later, and plentiful cyber pros with broad experience can benefit both the public and private sectors.

* Cisco Systems: An on-site health care center offers a full suite of medical services that include primary care, physical therapy, a pharmacy and more. Child-care services are also available.

* Google: Well-known as the big kahuna of perks, Google offers free food, bocce courts, bowling alleys, gyms, an organic kitchen, on-site vehicle maintenance services and an indoor slide, among other benefits.

* Microsoft: Employees enjoy generous paid maternity and paternity leave, with up to 10 weeks for new moms. The Redmond, Wash., headquarters has an organic spa on site, and mentoring programs are available as well.

* Yahoo: Despite a recent ban on telework, employees still enjoy discounts at ski resorts and California theme parks, and up to 16 weeks of paid maternity leave and eight weeks of paid paternity leave.

* Boeing: In addition to 12 paid holidays, employees also enjoy a winter recess between Christmas and New Year's Day.

"On the civilian side, you really have to have a program almost from the cradle to the grave," said Gil Vega, who was chief information security officer at the Energy Department before stepping down in August. "We need to be more formalized in how we recruit, train and develop. We haven't yet seen the answer to that problem. We face it at DOE, and my colleagues at other Cabinet-level agencies are facing it as well."

Educate early and often

Increasingly, programs that target students from elementary school to college are promoting science, technology, engineering and math (STEM) education.

The National Institute of Standards and Technology is home to the National Initiative for Cybersecurity Education, whose four components focus on different levels of education and are supported by numerous federal agencies. Among them are the Education Department and National Science Foundation's formal cybersecurity education component, which is aimed at students as young as kindergarten and up to 12th grade.

In addition, DHS' National Initiative for Cybersecurity Careers and Studies hosts a number of training and education programs, and its website includes a comprehensive list of degree programs, scholarships, internships, competitions, camps and career guidance resources.

Those efforts are just a few of the programs focused on growing the next crop of cybersecurity employees, and along with maintaining the cycle of ongoing, career-long training and education, they are a critical piece of the solution to the workforce problem.

"The government should be fostering partnerships with high schools, colleges and universities to groom tomorrow's cybersecurity workforce," said Evan Lesser, managing director of ClearanceJobs.com. "The government is woefully underprepared with its cybersecurity workforce. The fact is, government and contractor computer networks are under attack 24/7/365. Additionally, with the fields of cybersecurity, cyber response and cyberattacks changing rapidly, any workforce the government does have must be regularly trained so their skills are updated."

Building the workforce of today — and tomorrow

One of the most critical reasons for gaps in the cybersecurity ranks is the lack of clearly defined roles. "Cybersecurity" covers a wide range of job functions, from analysts to hardware technicians.

"One of the first things at the high level is actually defining what it is you want this person to do because it's not as broad as it's sometimes made out to be when you just say 'cybersecurity career field,'" said Howard Schmidt, formerly White House cybersecurity coordinator and now executive director of SAFECode and a partner at Ridge-Schmidt Cyber. "Part of that is requirements management: What exactly do you need to serve your mission, and also [what are] the skill sets to make sure your business processes can be implemented?"

Government agencies are making progress in that regard. In a joint effort, the White House's Office of Science and Technology Policy, the Chief Human Capital Officers Council, the CIO Council and the Office of Personnel Management are creating a database of statistical information related to existing and future cybersecurity positions. It is due by the end of fiscal 2014.

"The new databank will enable agencies to identify and address their needs for cybersecurity skill sets to meet their missions," a July 8 OPM memo states. "This particular work function has extensively changed over the last decade, and these revisions provide consistency and a common language in describing the skill sets needed to perform the work successfully."

Still, even after those missions and requirements are defined, agencies will likely face an uphill battle when it comes to attracting talent. Top officials freely admit that the government cannot compete with private-sector pay at either the entry level or the top end of the scale. And one of the primary advantages of federal employment — the relative security of government jobs — has been called into question by pay freezes, budget cuts, and the inability of Congress and the president to agree on fiscal 2014 funding. The uncertainty could steer some potential stars away from a career in the public sector.

"Our students have always been willing to make the trade-off in terms of starting salary, but it's difficult to take an additional risk of [not] knowing if you're going to be paid at all," said Don Kettl, dean of the University of Maryland's School of Public Policy.

But many experts say salary is not the chief motivator for the next-generation cybersecurity workforce.

According to a recent survey by SemperSecure, a public/private cybersecurity initiative by the state of Virginia, just one in four of today's cybersecurity professionals cite salary and benefits as a top interest. More than half said they seek interesting, challenging work, and 44 percent want "important and meaningful work."

Numerous sources agreed that appealing to a prospective employee's sense of duty and country is the key to federal recruiting.

"It's not just compensation, but also a sense of contribution and ownership," Schmidt said. "The government has no endless supply of incentives, but...people enjoy doing something where they have a sense of ownership."

Lesser agreed, adding that agencies should also highlight the benefits of government employment and play to candidates' love of technology — an interest cited by 39 percent of respondents to the SemperSecure survey.

The increased emphasis on STEM education is aimed in part at creating a cybersecurity farm system that will produce benefits over the coming decades. However, to meet shorter-term needs, government could attract and retain cybersecurity talent by embracing nontraditional approaches to hiring, which often means moving away from overly bureaucratic hiring processes and personnel policies.

The government might be unlikely to offer the kind of flexibility many of today's young candidates prefer — which include loosened requirements for college degrees, accreditation and clearances, not to mention Google-esque benefits such as sleep pods or the option of bringing your dog to work. But flexibility of a different type, such as the ability to more easily move between departments and specialties, are appealing perks for the modern workforce.

"If you want to grow a cybersecurity workforce and you want those cross-functional skills, you have to allow people to move more freely within the organization and allow for changing career paths," said Eddie Schwartz, chief information security officer at RSA, the security division of government contractor EMC. "At EMC, we have this idea of a 'career subway' — the idea that you can move from one skill set to another — and that's a welcome thing. To be effective, you want to encourage people to cross over if they have that interest. Those skills that they bring from different areas — whether it's business analysis, data science, programming — could be valuable in the security department."

Although it takes much greater effort than just a few years ago to find the right people and the right mix of civilian, military and contract employees to tackle next-generation security, the changes are necessary to fully address the growing threat. The urgency has been underscored over and over again by those in the highest echelons of government.

"It's going to get worse, and we have to get a number of things done to protect this country," said Gen. Keith Alexander, commander of Cyber Command and director of the National Security Agency, in late September. "The best in the world: That's what the American people expect...and that's what we're doing. Why? In this area, technical skills really matter. [We're] coming up with the operational concepts, and the command and control is absolutely vital to the future."

OPM's push to inventory cybersecurity jobs

As part of an effort to create a database of information on existing and future cybersecurity positions in the government, the Office of Personnel Management issued a memo in July telling agencies how to measure their cybersecurity workforce. The memo includes quarterly milestones for monitoring the initiative's progress with the goal of completing the database by the end of fiscal 2014.

To minimize cumbersome reporting requirements, OPM plans to monitor the information agencies are adding to the database and regularly discuss with agency officials how well their progress is aligning with key timeline requirements. Here are some of the key deadlines:

By the end of fiscal 2013: Agencies that are represented on the Chief Human Capital Officers Council were required to review and code cybersecurity positions, including the incorporation in the IT management 2200 series and computer specialist 0334 series positions. Discussions with agencies have confirmed that action plans are under implementation.

March 31, 2014: Agencies must code at least 60 percent of federal positions in the relevant series. Discussions and a database review must illustrate that plans are on track for completion by end of fiscal 2014.

Sept. 30, 2014: The database must show that agencies have coded at least 90 percent of cybersecurity positions. Discussions and a database review must confirm that the project is completed.

NEXT STORY: Dissension in the ranks?

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.