Cybersecurity Talent Shortfall Threatens Everyone
WASHINGTON -- Pronouncements from economists that the recession is officially over may have done little to lift the national mood while unemployment remains perilously high. But in one field, cybersecurity, the supply-demand imbalance of the broader labor market is upside down, with government agencies and private-sector firms aggressively recruiting and hiring experts in the field faster than universities can churn them out.
But at an event hosted by consulting firm Deloitte, a panel of experts agreed that the talent shortfall in cybersecurity, particularly in the government sector, is much broader than just technical expertise.
"This is important for right brains and left brains," said Jake Olcott, a policy counsel for Senate Commerce Committee Chairman John Rockefeller (D-WV), the sponsor of one of numerous cybersecurity reform bills pending in the Senate.
Olcott, who by his own admission is no technical wizard, argued that cybersecurity touches on a host of other disciplines and skill sets, particularly at the policy level. While the need for top technical talent may be more real and pressing than ever, the collective response to digital threats also demands experts in education, law enforcement, legal authorities and other fields, he said.
Rounding out the policy and technical sides of the cybersecurity response will be a hallmark of the maturation of the field, and bring with it a much-needed "professionalization," said James Lewis, a senior fellow at the Center for Strategic and International Studies.
Lewis, whose group authored a cybersecurity blueprint ahead of President Obama's inauguration, described the current cybersecurity landscape, in both technical training and in federal policy, as fragmented and incoherent.
"When you ask CISOs or CIOs how well does the current training correlate to performance, what they'll tell you is there is no correlation between training and performance. Doesn't that frighten you?" Lewis said. "I want a more disciplined approach here on both the policy and technical side."
Progress on the policy front has been hobbled by turf wars among various agencies in the executive branch, and in Congress, where members spar over giving military or civilian agencies the leading role in protecting critical government and private-sector systems. The administration took a significant step in its efforts to bridge that gap earlier this month, when the departments of Defense and Homeland Security jointly announced a cybersecurity partnership by which they will share equipment, intelligence and personnel.
But in a policy realm that draws in nearly every agency and committee in one respect or another, collaboration remains elusive.
"When you talk to the people who do this," Lewis said, "there's a lot of agreement on what the problem is," adding that government officials and experts are equally adept at shooting down ideas that won't work.
"When you get to that third category -- what do we do -- that's where things fall apart," he said.
At the moment, departments and agencies across the federal government, both civilian and military, are aggressively recruiting cybersecurity experts to fill out their ranks. DHS, for instance, has doubled its staff of dedicated cyber experts this fiscal year, after having tripled its ranks the previous year.
But that still only leaves the department with about 220 staffers working in the field, according to Phil Reitinger, DHS' deputy undersecretary who heads the department's National Protection and Programs Directorate. Reitinger explained that the federal government is competing with the private sector in its efforts to recruit members of a shallow talent pool.
"Where we are right now, that's a zero-sum game. There aren't enough people to go around," he said.
For recent graduates, the private sector can be a more attractive career path, both for the higher salaries those positions offer and for the comparative speed of the hiring process.
But Reitinger, himself a former senior executive with Microsoft (NASDAQ: MSFT), takes the long view, and regards the rotations of cybersecurity experts back and forth between the public and private sectors as a necessary condition for building a bridge between the two spheres, in the process creating a "mature profession" strengthened by a "shared experience."