Cyber Labor Shortage Not What it Seems, Experts Say

Businesses and government agencies are engaged in a dogfight over cyber security talent, or so the conventional thinking goes. The shortage of qualified cyber security personnel continues to cause hand-wringing inside the beltway.

That is mostly still true, but the situation is more nuanced, said Alan Paller, co-founder of the CyberAces nonprofit, who also chaired a Department of Homeland Security task force on cyber job vacancies.  

“There is no shortage of people who can talk and write about cyber security,” he said in an interview. “The shortage is in the people who actually have the hands-on skills to quickly find the infections, get rid of them and do good incident handling. Those skills are very rare.”

U.S. universities are cranking out plenty of graduates with cyber security related degrees, but they have mostly studied policy, he said. Many of those graduates aren’t getting good jobs. Faculty members don’t have real-world skills, so they are not teaching how to perform complicated tasks such as application penetration testing, advanced memory forensics or wireless hacker exploit development.

It’s the difference between sitting in a classroom learning about flying an airplane, and sitting in the cockpit with an instructor actually piloting the aircraft, Paller said.

“The pipeline is putting out way too many people who can talk about cyber security and not enough people that can do it,” Paller said. Only a handful of universities offering cyber security degrees are producing graduates who have “hard skills,” he said.

A recent study by the RAND Corp. took a look at some of the assumptions about the cyber security labor shortage.

In “Hackers Wanted: An Examination of the Cybersecurity Market,” authors Marin C. Libicki, David Senty and Julia Pollak challenged some of the notions.

They found that the real shortage is predominantly in the upper tier of professionals — roughly the 1 to 5 percent of those in the field who can detect advanced persistent threats and find hidden vulnerabilities in software.

These individuals are more likely to be in their 30s rather than recent college graduates in their 20s. They can demand salaries of about $200,000 to $250,000 per year, they said.

That is far more than what the government can pay, which is why some departments such as DHS are having a difficult time attracting talent with hard skills, the report said.

If the universities are failing to provide what corporations and government agencies need, then another solution would be to develop talent from within, the RAND study noted.

The authors said there are real-world factors to take into account when hiring or developing talent.

For example, small companies can identify individuals with aptitude for this kind of work and invest in their training and education. But they risk having a larger organization snatch them away as soon as they reach their potential.

“Smaller organizations … (rightly) fear that those they expensively educate will take their training to other employers,” they wrote.

In the short run, compensation will remain high. Although this normally means attracting more professionals into the field, and thus, softening salaries, there are other factors with the cyber security labor market.

Supply and demand takes time to react. And developing top-tier talent, where most of the shortages lie, is a long-term process.

“Drastic steps taken today to increase their quantity and quality would not bear fruit for another five to 10 years,” the RAND report said.  

Paller said large defense contractors can develop talent from within. The reasons are twofold. First, they have the resources and mentors on hand to train them. Entry level employees will find many in upper management with real-world skills to learn from. And the resources are available because the companies turn around and sell these cyber professionals as services. There is a return on the investment.

Mid- and small-tier companies don’t have these advantages, Paller said.

It is similar for federal departments and agencies. Some have an easier time attracting cyber talent than others.

“If you go to a place like DHS, most of the managers have very weak technical skills. … You don’t have any models, and you don’t have any mentors,” Paller said. “Plus, what you get to do with your skills isn’t nearly as exciting as what you get to do at NSA or the CIA.”

Phyllis Schneck, deputy undersecretary for cyber security at DHS’ national protection and programs directorate, at a Senate Homeland Security and Governmental Affairs Committee hearing, underscored the difficulties DHS was having hiring and keeping cyber talent.

“What government cannot always pay in money, I believe we can offer in mission and the opportunity to solve a giant but exciting problem that involves computers, people, policy and our way of life. I have visited universities with our secretary and spoken at several student events. There is eager talent out there, and it is ours to lose. Once we attract that talent, we need to be able to hire those people and to improve our processes to not foil our recruitment efforts,” she said.

The idea of sacrificing higher pay to perform exciting work in service of the nation is something the top government cyber employers know well, the RAND authors pointed out.

They examined the National Security Agency, which is not only the nation’s largest employer of cyber security experts, but also has a low turnover rate and only about 1 percent of its positions vacant at any time.

The NSA “makes” rather than “buys” cyber security experts, it said.

When it comes to competing for raw talent, other organizations have a hard time matching NSA, they noted. The agency recruits heavily from the top technical schools, and almost 80 percent of their hires are entry level with bachelor’s degree.

Recruits then spend up to three years in intensive training.

“NSA can take advantage not only of its size, but also its low turnover rate. The latter means that it reaps the benefits of its investments in people rather than seeing the benefits accrue to other organizations after NSA has paid the costs of the training,” the report said.

“In all fairness, only one organization can be the most prestigious place to work, and for this line of work (and for this size of organization), NSA is hard to beat,” it noted.

The Central Intelligence Agency is a close second when it comes to attracting talent, the report said. It tends to seek experts with more education, master’s degrees, for example, and recruits at job fairs and hackers conventions, as well as internally at the agency’s own IT department. The authors noted it still had had a hard time filling some highly skilled, esoteric positions.  

The NSA and CIA are agencies that celebrate technical prowess and skills, where that isn’t the case at organizations such as DHS and the departments of Commerce and Health and Humans Services, Paller said.  

In the military, U.S Cyber Command has developed an aptitude test similar to the one that identifies potential linguists in order to find service members who may make good cyber warriors, the RAND report said.

Paller said the Army is currently doing a good job recruiting and training cyber defense personnel, with the Air Force doing the second best job. The Navy is falling down in this regard, he said.

The United States should look to Israel as a model on how to develop cyber talent. Its universities do a better job of teaching the fundamentals, and then graduates enter military service where they hone their skills, Paller said.

The RAND study said the government can attract and retain cyber professionals earning in the $80,000 to $100,000 range, but once employees can command salaries around $250,000, it has a hard time competing.

Those that jump into the private sector may end up working on government contracts, which, of course, costs agencies up to double for their services, it added.

There is no fine dividing line between mid- and upper-tier cyber security professionals. However, they tend to be those who not only have technical knowledge, but also business skills, the report said.

The authors noted that those eye-popping quarter-million dollar salaries are for rarified talents. These are employees who not only have the technical skills, but business and managing acumen — the soft skills — that make a top executive.

In other words: individuals who can market the importance of security to others, and meld security considerations into the complex and multifaceted world of government decision-making, the report said.

Paller said one way to increase the pipeline of talent is to reach out to individuals who have some skills, but didn’t necessarily learn them in formal institutions.

“Many have learned to do these things on their own,” Paller said.

The CyberAces Foundation runs free competitions to identify talented hackers. It recently invited those who did well in its online competitions to participate in a virtual career fair.

About 20 employers participated, ranging from the NSA to private sector companies such as J.P. Morgan.

Participants identified which companies or agencies they were interested in, and if there was a match on the organization’s part, they set up a video or online chat.

There were thousands of interviews over the course of a few days, he said.

Job offers recently went out.

“It was just an experiment, but if you are looking for a pathway so you don’t have to wait for the colleges to come around and teach it, this looks like a possible path through the maze,” Paller said.

The RAND authors said there was nothing wrong with current programs to increase the pipeline of cyber talent, but overall, they concluded that with a hands-off approach, the labor market forces would create equilibrium in the long run.

There have been several reports generated by government agencies and think tanks over the last couple years taking a look at the problem and issuing recommendations for organizations to change management practices to hire or retain government personnel, the authors said.

“It is by no means clear that improvement in management practices would have any more than second-order benefits in the face of what are, for potential employers, difficult labor market fundamentals,” they said.

And the landscape could change, as it often does in labor markets. One solution that isn’t often taken into account is changing the demand. In other words, improving the Internet and software in general to make it less vulnerable to attacks. There is a movement afoot to do that.

“Pushing too many people into the profession now could leave an overabundance of highly trained and narrowly skilled individuals who could be better serving national needs in other vocations,” the authors warned.

Topics: Business Trends, Cyber, Cybersecurity, Research and Development