The government needs to do a better job showing that it values cybersecurity professionals as it battles to attract and retain a digital workforce, industry professionals told Fifth Domain during a week of information security conferences in Las Vegas, Nevada.
“They have to value these people, and I don’t know that they’re fully valued,” said Greg Conti, current senior security strategist at IronNet, former director of the Army Cyber Institute and a senior cyber warfare adviser to U.S. Cyber Command, in an Aug. 8 interview at Black Hat 2019, held in the Mandalay Bay Resort & Casino.
M.K. Palmore, field chief security officer for the Americas at Palo Alto Networks and a former FBI cyber agent, said that people with technical backgrounds can feel stuck while working for the government, causing them to leave.
“They don’t feel like there’s an opportunity to get into leadership positions or to scale up their careers within those realms and so, ultimately, they end up looking elsewhere,” Palmore told Fifth Domain Aug. 8.
The cyber workforce shortage is vast. Across the country, there are more than 313,000 open positions, according to CyberSeek, which tracks cybersecurity jobs data. Across the public sector, there are just over 17,000 cybersecurity job openings.
The attraction problem is quite simple: “government can offer experience, whereas industry can offer money,” said Eric Cornelius, CTO at BlackBerry Cylance and a former DHS cybersecurity official. Industry and federal government offer professionals different experiences, which will attract “certain personality types,” said Cornelius in an interview Aug. 7.
“The government has a very unique mission that the private industry might not have,” Cornelius said. “They have access to unique capabilities, tools, technologies that, again, practitioners are not going to be able to access in the private sector.”
Right now, Cornelius said, the government is not doing enough to market the opportunities it can provide.
“What I think the government needs to do in order to develop its workforce is to get that message out,” Cornelius said. “They need to do a better job of marketing … and get out to people, particularly young people and people in college, that, ‘Hey, the government is both a viable place and a fun place to come do this art.’”
Palmore said that it’s easy to point to pay disparities between the private and public sector cyber jobs, but he noted that the money is not the driving force for people to join the federal government. He said that when one works for the federal government, “you’re not working because you get paid a great salary.”
“You’re working there because you believe in the mission and you feel like you're contributing to something that is for the betterment of the overall country,” Palmore said. “And so increasing the reward systems for being a part of the apparatus that’s protecting the cybersecurity infrastructure of the country should be acknowledged in a way that shows it’s important.”
The shortage is particularly high among upper-level cybersecurity positions, according to a 2014 report from the RAND Corporation, which cited lower pay as a part of the difficulty in hiring upper-level cyber employees. One of the solutions, Palmore said, is that the government should rely on developing current employees.
“Part of what the federal government can do is … lean a little bit more heavily on the folks that they’re bringing up the line, that they’re training. Government invests a tremendous amount of money on cybersecurity skills and training through DoD and some of the investigative agencies,” Palmore said.
But, Palmore added, “once you've made that investment the government likely needs to come up with more inventive ways to ensure that they keep that workforce engaged and make sure there’s a career path for those folks.” He cited different compensation packages and “identifying career paths” as potential paths to retaining the workforce.
Access to the already sparse cybersecurity workforce is further hindered by the security clearance process, said Casey Ellis, founder and CTO of Bugcrowd, a white hat hacker company. The government needs to be “more flexible” in how it accesses the cyber workforce, he said.
“The idea of clearances, the vetting process and all of these different things ... are trust hurdles to do pretty much anything in the federal government in a lot of different areas,” Ellis told Fifth Domain Aug. 5. “Those things come at a cost of an already constrained skills market.”
Conti said that he thinks the government should invest in a cyber academy.
“We have the United States Naval Academy, United States Air Force Academy,” Conti said. “I’d like to see the United States Cyber Academy that’s focused on cybersecurity that grows graduates that can go into any of the services.”
Palmore, a former Marine himself, said that cybersecurity employees need to be treated as equal to military personnel given the changing nature of the threat the United States faces today.
“Someone who signs up to be a cybersecurity warrior is just as important as someone who’s on the frontlines of battle because the nature of the challenges we face as a country are certainly leaning toward the cyber realm,” Palmore said.