The sophistication of techniques and tactics employed by cyber criminals have ascended to a point where U.S. government and private industry must participate in a cyber “arms race” in order to protect their assets from malefactors. This arms race requires the talents of thousands of cyber security professionals to keep national information assets safe. Unfortunately, there is a dearth of talent available in the marketplace to meet this demand. As a result of this shortage, national cyber-defense capabilities are not growing to keep pace with both the number and the sophistication of these attacks on the United State’s strategic information assets. In addition, current security professionals are feeling stressed by staff shortages, which can also lead to a drop in security effectiveness.
The Center for Strategic and International Studies (CSIS) is a bipartisan think tank headquartered in Washington D.C. that focuses on defense and security policies. In their report titled “A Human Capital Crisis in Cyber Security”, they highlight a “desperate shortage” of people with the skills to “design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate and reconstitute from damage due to system failures and malicious acts” (Evans & Reader, 2013, pg. 4). Furthermore, according to the CIA’s Clandestine Information Technology Office, there are currently one thousand security specialists in the United States who have the specialized skills to operate effectively in cyberspace; however, the United States needs about ten to thirty thousand such individuals. (Evans & Reader, 2013)
Competent cyber security specialists are needed on two fronts; the first front deals with the operating and maintaining of defense systems and tools that are already in place. The second front pertains to a need for creators and designers who establish new solutions that prevent, detect and mitigate attacks. With respect to those cyber professionals who can contribute on either of these two fronts, organizations wrestle with the questions of “Where do we recruit these individuals and how do we retain them?” Right now the Executive Branch has formulated a “Comprehensive National Cybersecurity Initiative”, where one of its aims is to expand cyber education. The initiative states, “we must develop a technologically-skilled and cyber-savvy workforce and an effective pipeline of future employees. It will take a national strategy, similar to the effort to upgrade science and mathematics education in the 1950’s, to meet this challenge” (National Security Council, 2013, pg.4).
CSIS also offers four elements of a strategy that aims to fill the cyber talent pipeline. These elements are paraphrased and listed below as offered by Evans & Reader (2013, pg. 3):
- Promote and fund the development of more rigorous curricula in our schools:
- Several U.S. colleges, funded under the Scholarship for Service program, have been graduating security experts with advanced technical skills. The Scholarship for Service program is offered by the National Science Foundation and provides scholarships to students in cyber security under the condition that they work for the government for a period equal to the duration of the scholarship. Unfortunately, the total number of new graduates with very deep technical skills is around 200 per year.
- Support the development and adoption of technically rigorous professional certifications that include a tough educational component and a monitored practical component:
- Emphasize hard technical skills. Do not rely solely on written examinations as an indicator of competence.
- Use a combination of the hiring process, the acquisition process, and training resources to raise the level of technical competence of those who build, operate, and defend governmental systems:
- Ensure that those who are hired have the necessary skill sets to be effective. Help those that are currently employed in the security field obtain the necessary knowledge and credentials.
- Assure there is a career path as with other disciplines, like engineering or medicine, and reward and retain those with high-level technical skills, both in the civilian workforce and in the uniformed services.
Recruiting cyber professionals with highly in-demand skills and certifications also requires special considerations and challenges. Competition for this talent creates a bidding war that may prove costly to companies. Bureaucracies and resistance to change mentalities of typical corporations need to be adjusted to consider the higher than average compensation that in-demand cyber security professionals expect. The same organizational bureaucracy presents a challenge when trying to on-board candidates quickly. Federal agencies are known to have long hiring processes as individuals wait to pass security clearances. Individuals in high demand can often times take a position at another more efficient organization during a protracted wait.
In addition, true superstars may have limited credentialing to demonstrate their expertise as self taught hackers. Other “reformed” players from cyber security’s “dark side” may be the best prospects (Barr, J., 2012 b, pg. 3).
Barr, J. G. (a) (November 2012). Recruiting Cyber Security Professionals. Faulkner Information Services.
Evans, K., & Reeder, F. (2013). “A Human Capital Crisis in Cybersecurity Technical Proficiency Matters” A Report of the CSIS Commission on Cybersecurity for the 44th Presidency. Retrieved April 15, 2013 from http://csis.org/files/publication/101111_Evans_HumanCapital_Web.pdf
National Security Council. (2013). The Comprehensive National Cybersecurity Initiative. Retrieved April 15, 2013 http://www.whitehouse.gov/sites/default/files/cybersecurity.pdf
Image courtesy of cjgphotography / 123RF Stock Photo