TrendU.S. government encounters shortage of skilled cyber-security workers

Last month’s RSA Conference, an annual gathering of thousands of cyber-security professionals held in San Francisco, both FBI director Robert Mueller and DHS secretary Janet Napolitano made sure to use a few seconds of their keynote speeches to make the that pitch that their respective agencies were looking to fill jobs the chief responsibilities of which were preserving the nation’s freedoms and securing the homeland. “We might be trying to recruit some of you right now,” Napolitano said. “We need it. It’s a huge (matter of) public interest for our country. We need the best minds to meet the challenge.”

San Francisco Chronicle’s Alejandro Martínez-Cabrera writes that several federal agencies are redoubling their hiring of security specialists as high-level security breaches, successful takedowns of government Web sites, and discouraging military simulations of coordinated cyberattacks have underscored the nation’s digital vulnerabilities.

President Obama set the tone for the current hiring drive by announcing last May the creation of a cyber-security coordinator position, which he filled in December by nominating former Bush administration cyber-adviser and Microsoft chief security officer Howard Schmidt to the job.

San Francisco’s Market Research Media estimates that the federal government will spend $55 billion in cyber-security investments in the next five years, including the recruitment of thousands of security professionals (“U.S. Cybersecurity Spending to Rise,” 31 March 2010 HSNW).

In October, DHS acquired authority to recruit and hire up to 1,000 new cyber-security specialists over the next three years (“DHS to Hire 1,000 Cyber Experts,” 2 October 2009 HSNW). An agency spokeswoman said they have extended official job offers to about 200 candidates since then.

Martínez-Cabrera writes that the agencies’ effort to build ideal teams of cyber-warriors has not been going smoothly. In a recent survey of 175 government security managers, the International Information Systems Security Certification Consortium found that more than half of the respondents planned on making new hires this year, but almost 80 percent said it was very or somewhat difficult to find good candidates.

The main reason is that the pool of truly skilled security professionals is a small one, and the government is only the latest suitor vying for their talents. “We’re all fighting for the same resources. We don’t have thousands of unemployed security professionals,” said Patricia Titus, chief information security officer for information technology firm Unisys and former CISO at the Transportation Security Administration. “Good IT professionals are still employed and trying to entice them from private sector into the government is going to be difficult.”

Indeed, the need for cyber-security specialists is growing exponentially and there simply are not enough professionals to meet the demand. As things stand right now, Titus said, the government’s hiring efforts run the risk of removing security experts from areas where they are currently needed.

“Eighty percent of our critical infrastructure is owned by the private sector,” she said, adding that if the government hires people away from these companies, “we won’t solve the problem, (we’ll) just create another hole in our professional workforce.”

Experts agree the shortage underlines the need to promote educational programs that will help train the cyber-defenders of tomorrow. The federal government is already experimenting with some initiatives such as DHS and National Security Agency-sponsored academic grants and programs, and the United States Cyber Challenge, a set of competitions intended to find thousands of skilled young people to further train and recruit.

“I feel very optimistic about what the military is going to do with the massive recruitment of young people, but I’m very uncomfortable about what DHS is going to do, because they’re trying to hire people off the market and they’re just not there,” said Alan Paller, director of research at the SANS Institute, a cyber-security educational and training organization.

David Ulevitch, chief executive of San Francisco security firm OpenDNS, told Martínez-Cabrera he feels confident the strain in the demand for cyber-security experts will naturally lead to an increase in the supply. “There’s never going to be a shortage of people in the workforce,” he said. “If we start seeing a hole in the security field, more people will learn the skills and join the industry, and the safer we’ll be.”