While there's a notion that there's a dearth of cybersecurity professionals generally, the shortage is most acute at the "high end," where $250,000 salaries are not uncommon for those who combine technical and managerial skills.
That's according to a RAND Corp. report released today on the topic, which also looked at how well the National Security Agency and other military-focused agencies are recruiting cybersecurity pros.
The "H4CKERS WANTED" report from RAND, the non-profit policy think tank funded by the U.S. government and private endowment, looked at whether cybersecurity jobs are going unfilled, especially in the federal government, and if so, why. Co-authored by Martin Libicki, David Sentry and Julia Pollak, the RAND report reaches the conclusion that in the spectrum of tasks cybersecurity professionals might do, two types of worker stand out as hard to find and recruit. One is the managerial job often thought of these days as the "chief information security officer"; the other is the talented geeky few who can figure out that highly stealthy attacks are occurring or who can find "the hidden vulnerabilities in software and systems that allow advanced persistent threats to take hold of targeted systems."
Demand for cybersecurity skills in general began rising within the last five years, the report says, not because hackers are attacking networks more but because the defenders of those networks are far more aware of the hackers and are eager to employ someone who can set up ways to detect and stop them. In addition, the rise of state-sponsored stealthy cyber-espionage--and in some cases, even hard-hitting attacks suggestive of cyberwar--is heightening concerns.
The U.S. federal government, especially the Department of Defense (DoD), has sometimes found it hard to compete with the private sector to hire those cybersecurity professionals. That's not only because DoD salaries are often lower than the private sector's, but also because bureaucratic rules make it hard to adjust government salaries flexibly. "Thus, even as many proclaim the advent of cyberwar as a decisive component of modern warfare, others argue that DoD has a difficult time acquiring the people to wage that kind of war," RAND notes.
Even when the U.S. government makes an effort to grant agencies leeway to offer higher salaries and benefits--the report says the DoD's nascent U.S. Cyber Command, through the U.S. Air Force, is making direct hires and offering recruits moving expenses and repayment of student loans, for example--there are still many obstacles: long recruitment, vetting, background checks and security clearances can add months and discourage potential candidates. The report notes that outsourcing to private contractors isn't entirely feasible either, pointing out that at a minimum there are often "legal issues associated with who can do what, many associated with the chain of military command."
In spite of the headlines about NSA secrets leaked by former NSA contractor Edward Snowden, the NSA seems to find no shortage of people wanting to work there. RAND says NSA, "the country's largest and leading employer of cybersecurity professionals," is doing well in hiring, with fewer than 1% of its positions going vacant for any length of time. The RAND report also mentions that some federal agencies think they are being outbid for cybersecurity personnel by the NSA, FBI and Department of Homeland Security.
"NSA also has a very low turnover rate (losing no more to voluntary quits than to retirements)," the RAND report states. "One reason is that it pays attention to senior technical development programs to ensure that employees stay current and engaged."
RAND says NSA does devote a lot of time and energy to the task of finding the cybersecurity professionals it needs, with a total of 1,500 people involved in the recruiting and employment process and outreach into many universities, especially those with a "reputation for educating people who go into the military."
Eighty percent of NSA cybersecurity hires are entry level, with most having bachelor's degrees. NSA also has a "very intensive schooling system, lasting as long as three years for some," the report notes, adding, "For the most part, our interview suggests that the NSA makes rather than buys cybersecurity professionals." The NSA today absorbs a third of all Scholarship for Service graduates, the report says, partly because it has the most job openings and "also because it has a reputation for hiring the best hackers."
The Central Intelligence Agency also seeks to "build talent from within" but apparently faces more challenges in finding cybersecurity professionals, the report says.
The DoD's U.S. Cyber Command puts specific emphasis on an ability to work with foreign languages. The intent at USCYBERCOM is to "build teams of Cyber Protection Platoons that will be certified through mission-assistance training." The DoD's move to cloud-based services "could recast the skills required by cybersecurity warriors, from scanning and patching networks to the management of mobile devices and data access controls," the report points out.
The U.S. Air Force has a clearly defined program for its cybersecurity mission that is working well enough that there is now the equivalent of a cybersecurity "waiting list." But the authors of the RAND report also express some skepticism, suggesting the Air Force may be a tad overoptimistic because it's using more civilians and fewer military personnel for cybersecurity than its goals call for. "The USCYBERCOM guidance to its service components was to strive for a force mix of 80% military and 20% civilian, but the Air Force and other components find themselves running 60% military, 30% civilian and 10% contractors."
The RAND report acknowledges the market for cybersecurity professionals in general is highly diverse, where there's often a line drawn between "good and great hackers--almost to the point where they are different markets--and different people," the report says. And it's shaking up human resources departments because traditional means of finding and vetting the right talent aren't necessarily effective.
It points out that the "best of the best" in this field are very good at finding vulnerabilities in software for both defensive and offensive purposes (such as creating tools that can be used to attack systems). There's growing recognition that sometimes these hackers are "born and not made," and that there are "naturals well under 18 years old." If hackers' talents are "innate," the question of training them is secondary to discovering them and convincing them to make "cybersecurity a lifetime's work" with educational opportunities and "requisite ethical norms," the report says.
Human resources staff struggle with pinpointing suitable cybersecurity candidates because, in part, "cybersecurity credentials have proven to be only weakly correlated with competence." HR departments are adjusting to the idea of identifying innate talent through things such as successful participation in hackathons, for example.
But according to the "H4CKERS WANTED" report, the hardest type of cybersecurity professional to find and recruit overall is the individual who combines technical talent with business and organizational experience and management skills. Such people typically are in their 30s, not 20s, the report notes. This "upper-tier" professional can make well over $250,000 per year. While government can find it hard to compete in the $300,000 range, the report says the NSA has been able to "persuade their veterans to stay in the face of very large salary offers (typically double--which then translates to near $300,000 a year)."
Those who leave the NSA at that level often go to the banking sector, for example, or to defense firms and other government contractors.
The RAND report, in its recommendations to the government, suggests more focus on "grooming" younger cybersecurity professionals for management. "For instance, if jobs in the greatest demand require managerial experience, more intensive efforts can be made to take promising cybersecurity technicians, so to speak, and run them into management to determine more quickly which of them can achieve the rare combination of technical and managerial skills."