Archer

The deadline looms for federal agencies to figure out just how many cybersecurity job openings they have. And the numbers aren’t looking good.

On this New Year’s Eve, you may be celebrating the year to come, or reflecting back on the highlights of 2015. If you’re in charge of hiring at a federal agency, you may be spending the evening agonizing over numbers that just don’t add up.

Agencies have to turn in their map of the cybersecurity workforce landscape on December 31. But many of these jobs, crucial for defense of the country, the White House says, are going unfilled.

“…The vast majority of Federal agencies cite a lack of cyber and IT talent as a major resource constraint that impacts their ability to protect information and assets,” said President Barack Obama in a letter to federal agencies.

How many job openings?

The estimate is 10,000 of these openings in federal agencies, according to U.S. Chief Information Officer Tony Scott, as reported by Politico.

The FBI tried to hire 134 computer scientists last year, but could only get 82, leaving the rest of the jobs—almost 40%—unfilled, reported Nextgov.

And the unemployment rate for for cybersecurity professionals in Washington, D.C. is at zero percent, wrote Darren Guccione of Keeper Security in a Nextgov blog post.

The current situation is like the winter of 1942, Guccione said, with the U.S. in dire need of boosting the number of soldiers and production of war machines.

“We are at a similar moment and if we are to beat the enemy, we need to recognize that nothing less than our national security is at stake,” he added.

Where are they?

Some of the problems begin with education, cybersecurity experts say.

“Part of the reason that the government (and the private sector) is having problems filling cybersecurity positions is that few schools actually turn out cybersecurity professionals,” said Patrick Coyle of Chemical Facility Security News. 

“These are usually school-trained IT people that have had to learn security on the job,” he said. “That on-the-job training is time consuming, and when they tire of the job where they were trained, they can, if they have an established reputation, take their pick of jobs.”

And those jobs may be outside of government.

In the last two years, the U.S. has been losing ground, losing more cybersecurity professionals than it has hired, reported Politico.

More specialists needed

The need for cybersecurity professionals with specializations will increase, too. One of those specializations will be industrial control systems, or ICS, said Coyle.

“As the federal government begins to realize that their building environmental control systems, access control systems and video surveillance systems all share control system characteristics, they are going to start to find an increasing need for ICS security experts as well,” he said.

Private versus public

The FBI, for example, has trouble competing with cybersecurity salaries in the private sector, according to a U.S. Department of Justice audit, as reported by Nextgov.

Job candidates may not like the long hiring process and stricter job requirements, Nextgov reported.

“More onerous background investigations could also be keeping potential candidates away, officials told the IG (Inspector General),” reported Nextgov. “FBI employees must be U.S. citizens and are barred from having used marijuana in the last three years or any other illegal drug in the past 10 years.”

Confusion

The shortage is nationwide, even worldwide, with one report saying there will be a undersupply of 1.5 million cybersecurity professionals by 2020.

A cybersecurity expert says there is confusion over hiring, saying some companies post entry-level jobs with tough requirements.

“Having looked at jobs relatively recently, it was not uncommon to see entry-level jobs posted that wanted a certification that requires five years experience in the field in order to get,” said Brandon Workentin of EnergySec. 

Workentin suggested that companies try a different tack.

“The best way to deal with it is to understand that you can find people who may not have all the technical skills you want, but that are dedicated, curious people who want to learn,” he said. “If they have that work ethic and desire to learn, they can quickly get up-to-speed on the technical areas they’re missing.”

“Yes, some of them may end up leaving and going to other companies,” Workentin said. “But your organization will become known as a place where employees can come in, get support, and grow in their skills, and that will pay dividends in the long run.”

Other cybersecurity experts agree.

 “What if you train them and they leave? What if you don’t and they stay?” said Patrick C. Miller of Archer Security Group. “The good thing about training, whether they leave or not, is that it elevates the overall knowledge base for the sector/industry/agency.”

“This has the effect of raising the bar everywhere,” he added. “A rising tide lifts all boats.”

Solutions

There are multiple ideas on the table for resolving the government cybersecurity professional deficit, from making hiring easier, to paying cybersecurity employees higher salaries, to offering job benefits like those in the private sector—like flexible work hours and gyms on-site.

“The FBI has said it will encourage increased mobility between the public and private sector, refocus a student loan repayment program for targeted positions and establish high school recruiting programs,” reported Nextgov.

Other ideas: more cybersecurity education in schools, fast-track hiring, better security training for all government employees, increasing interactions between the government and schools, and even a better marketing campaign for Uncle Sam.

“Folks know, obviously, how easy it is to run for the money in the private sector,” said Trevor Rudolph, head of the cybersecurity unit of the Office of Management and Budget, in a Nextgov article, “But I think we actually have a brand that is quite appealing here in the federal government that we can sell interested candidates on.” 

The new year

Once the potentially bad news comes in on December 31, tallied in black and white, the government will have to decide which of these solutions—or others—to put into action.

Uncle Sam may be ready.

“This has been a long-neglected area where… we’ve got to focus on some new, innovative ideas on how to recruit and retain in this space,” said Rudolph in the Nextgov article.