In 1916, James Montgomery Flagg painted an image that would soon become the most famous poster of all time: A stern, patriotic Uncle Sam pointing at the viewer and proclaiming “I want YOU for the U.S. Army.”
Nearly a century later it’s time for an update, only this time Uncle Sam would be holding a bunch of wires, cables and a keyboard while calling out “I want YOU to work in government cybersecurity.”
Just as the U.S. military needed soldiers at the start of World War I, now the U.S. government requires an army for a new war, one fought not with bullets and bombs but with zeros and ones. By all accounts federal, state and local government agencies need tens of thousands of cybersecurity employees just to fill existing job slots. And that’s just the beginning: attacks like the recent hack against the U.S. Office of Personnel Management and a contractor working for the Army National Guard indicate that even more personnel are required to safeguard both private data and national security.
But even with the promise of fast-track hiring, one major question remains: where will all of these new employees come from? “Unemployment in the IT field is less than 3 percent,” notes Jerry Irvine, a member of the National Cyber Security Partnership and CIO of Prescient Solutions in Chicago. It’s even smaller in cybersecurity. How small? Try zero percent in the Washington, DC metropolitan area. “There are a lot of competing organizations out there looking for people with this level of expertise,” Irvine says.
That leaves government cybersecurity operations with some pretty notable gaps. It also creates opportunities for people interested in working in the field, not the least of which is the high salary that comes in any field with too much need and too few potential employees.
Opportunities and Challenges
“You have a great opportunity, no matter what your skill set is, to work and have a career in cybersecurity,” says Montana Williams, senior manager of cybersecurity practices at ISACA. He points out that one of the biggest opportunities in government cybersecurity comes for younger professionals who are perhaps just coming out of school. “It’s a great way to build your career and gain experience,” he says. At this point especially, government salaries are competitive compared to corporate salaries, he says.
Working in government also fulfills a need for people who want to serve their country. “It lets you do things you wouldn’t be able to do anywhere else,” Williams says. “You’re right there on the front lines.”
Of course, that means getting a security clearance, something only available to U.S. citizens, a situation that further limits the federal employee pool. Getting clearance is a complex, moderately expensive prospect that comes after you have been offered a job, something that can extend the hiring process by months.
Some people say they avoid government work because of the security requirements. “Maintaining a clearance can mean adherence to a rather strict personal lifestyle,” says Mike Meikle, a partner at the security consulting firm SecureHIM. “Depending on clearance level, individuals will have to report who they speak to, when and where they travel, management of finances and debt as well as a host of other factors that could jeopardize their clearance. If an individual loses clearance due to bankruptcy or family issues then they will also lose their employment.” That may be more than some people want to deal with on an ongoing basis.
Security work also comes with a lot of pressure, especially in government work, where there are still so many open positions. “They’re constantly being worked 24/7 because they have the skills but they don’t have a lot of people around them to help take some of that work load off,” Williams says. “I’ve seen many of the most skilled people leave the federal government because they’re just tired.”
“There’s a lot of turnover,” admits Homer Minnick III, director of the Center for Cybersecurity at UMBC Training Centers and a 20-year veteran of the U.S. Army. However, he says there’s another reason for it besides burnout: “They pull in a lot of people at low grades. They stick around a few years. Then they leave.” Most of these people go into corporate work, improve their skillsets and then come back to government work five years later demanding a higher salary.
This points to the biggest problem that government agencies face in filling their cybersecurity needs: There are a lot of people with low-level, basic skillsets but relatively few with real-world experience. Indeed, a recent ISACA report found that less than a quarter of cybersecurity job applicants had the necessary skills and experience.
“Security generally requires someone with higher levels of experience,” says Irvine. “The people you’re looking for are more tenured, more seasoned and have more job offers. You’re really looking for a needle in a haystack.” He says there may be a lot of openings for people right out of school, but hiring them is a tough call. “Do you really want to pay the kind of rate that you’re paying for today and have somebody who may be book-smart but has no real-world experience?”
Williams says it’s time to build up our pool of experienced cybersecurity pros and break them out much the way the military does. “You’ve got your cybersecurity practitioners, who are the Army so to speak,” he says. The people with more experience, the advanced practitioners or “cyber ninjas,” then become the equivalent of Special Forces.
Getting there may mean tapping people who didn’t start as “security” employees. Irvine suggests that people who have already been in IT for three to five years (doing things like patch management, antivirus application and firewall configuration) may be ready for the next step. “You meet the guys who are implementing these things and you teach them the policies, processes and standards,” he says. “Now you have a security person.”
President Obama’s administration definitely appears to be taking its cybersecurity needs seriously, although neither the White House nor the Department of Homeland Security agreed to comment for this article. The White House did recently publish a fact sheet about cybersecurity, outlining efforts to work with the private sector, enhance federal cybersecurity, and develop new capabilities. It also has programs such as Scholarship for Service to enlist new practitioners, but that doesn’t do much to address the issue of experience.
All of the experts that I spoke with suggested that it is definitely time for people, and for organizations and government agencies, to consider cybersecurity careers and to grow the pool of people with hands-on skills. “There’s a big demand for people, tens of thousands of unfilled positions,” Minnick says. Filling them all may take years, but it’s a process that has to start now.
John R. Platt is a freelance writer and entrepreneur, as well as a frequent contributor to IEEE-USA InSight, Scientific American, TakePart and other publications.