New Federal Cybersecurity Strategy Aims to Reverse Growing Work Force Shortage
Government must boost salaries, change motivational messaging and seek eccentric talent, expert says.
As government and businesses struggle to hire and retain highly qualified cybersecurity experts, it just might be time for the people sporting purple mohawks to receive consideration for the coveted jobs, some experts say.
The White House released this month the first-ever Federal Cybersecurity Workforce Strategy that sets in motion aggressive plans to recruit and retain cyber talent, and the Defense Department seeks to loosen for cyber personnel some of its hiring constraints within the civil service system.
“Every day, federal departments and agencies face sophisticated and persistent cyberthreats that pose strategic, economic and security challenges to our nation,” says a portion of a memo issued by the Office of Management and Budget (OMB) in launching the work force initiative. Ever-evolving cyberthreats forced the government’s hand for a “bold reassessment of the way we approach security in the digital age and a significant investment in critical security tools and our cybersecurity work force,” reads a White House blog on the issue penned by several high-ranking administration staff. Cybersecurity work force shortcomings—which affect the government as much as the private sector—rose to prominence last year following OMB’s 30-day Cybersecurity Sprint.
The federal initiative itself is a good start because it focuses on educating, training, recruiting and retaining talent, says Don Maclean, chief cybersecurity technologist at DLT Solutions. What might be lacking, however, is the correct messaging. “We need to portray this as a winnable war. Yes, we’ve been rocked back on our heels. Yes, the bad guys have got the jump on us. But if we keep presenting cybersecurity as this overwhelmingly negative endeavor, people are not going to want to join the losing team,” he says.
Already, U.S. businesses and the government face a shortage of talent as well as predictions that the environment could worsen. By 2020, for example, U.S. workers will fill less than 29 percent of 1.4 million jobs in computer science technology, according to the U.S. Bureau of Labor Statistics. Women will make up only 3 percent of that figure.
The government is confronted by a “cybersecurity work force shortage due to persistent recruitment, hiring and retention challenges and increasing competition with private-sector companies for top talent,” according to OMB’s memo. “The federal government must take immediate and broad-sweeping actions to address the growing work force shortage and establish a pipeline of well-qualified cybersecurity talent.”
A good place to begin is with salaries, Maclean says. “It’s clear there is a big gap and a lot of empty positions that need to be filled. A lot of times, the positions are filled by people who may not be fully qualified, but we had to get somebody. One of the issues is a heavy emphasis in government on compliance, and the positions that involve assessment of compliance are better paid than positions that require hard-core, nitty-gritty security engineering talent and expertise,” he says.
Companies and agencies also confront problems with harnessing motivation to perform, Maclean says. “If your motivation is to make money, the good guys simply can’t match the bad guys. If you have no morals, we’re not going to lure you away from the dark side. But we can motivate people with a sense to duty to their country, by a sense of satisfaction in doing a good job,” he continues. “Increasing the pay will certainly help. We’re not going to keep people from the bad side with higher pay, but we can lure them away from other fields.”
And perhaps leaders might want to start thinking of ways to attract nontraditional talent—the kind with a mohawk and a nose ring.
“[W]hy do the best hackers on the planet not work for the FBI?” software company founder John McAfee asked in an essay following the legal brouhaha that erupted when the bureau tried to force Apple to unlock the iPhone of one of the San Bernardino shooters who killed 14 people and injured 22 in December.
“Because the FBI will not hire anyone with a 24-inch purple mohawk, 10-gauge ear piercings and a tattooed face who demands to smoke weed while working and won’t work for less than a half-million dollars a year,” McAfee wrote, in answer to his own question. “But you bet your ass that the Chinese and Russians are hiring similar people with similar demands and have been for many years. It’s why we are decades behind in the cyber race.”
McAfee might have a point, says Maclean, but cautions that government can’t lower standards for security clearances to attract talent.
“The market grew because of small, aggressive companies making inroads in the field,” he shares. “Those kinds of companies appeal to the sort of people who are … creative, who maybe have a few blemishes on their record, so to speak, but are nonetheless brilliant and creative and innovative. There is a lot room in these small, aggressive and innovative companies for people like that. As far as the government is concerned, and for a position that requires a security clearance, well, you still need to be very careful. I wouldn’t want to play fast and loose with that.”
That said, the Defense Department is massaging regulations for greater flexibility to hire, fire and pay a new civilian cyber work force. After receiving approval from Congress, the department began modifying rules on how it hires employees, sets probationary periods and allots incentive pay.
Maclean says he would like to see the government achieve more parity in pay between compliance-based cyber jobs and those requiring technical expertise. Compliance personnel earn 15 percent to 25 percent more than their technical security colleagues, he says. “As far as retaining current talent, what I would do is move away from the compliance efforts, which are at the moment well-paid, but not really the focus of where security ought to be—which is the hard-core engineering and technical talent we need,” he offers. “I would increase pay for the technical folks to at least match the compliance folks … and make sure that the purple mohawk people, to the extent that we can without compromising issues of background clearance, work on the most interesting challenges.”
There is much to be gained, too, by diversifying the work force, Maclean adds. “You need the technical whizbangs, but you also need people with a broad repertoire of knowledge and experience,” he says. For example, hospitals might want to hire security experts with backgrounds in both cyber and health care. “You need to have an understanding not just of the technical tools that might be brought to bear in that realm, but also to understand something about the culture that surrounds hospitals. What makes hospitals tick that is different from other cultures?”
Cybersecurity ultimately is a people issue, he adds. “Technology comes to our assistance, but in the long run, it’s a people issue, and it’s a broad scope of talents and abilities that are needed to be a good cybersecurity professional,” Maclean says.