Information Security Pro Shortage Creates RisksReport Finds NSA, However, Successfully Recruits
Scathing headlines about the National Security Agency monitoring the online and telephone communications of global leaders and common citizens apparently haven't hurt the NSA's efforts to recruit cybersecurity talent.
Many other organizations, however, continue to struggle to attract IT security talent to help defend the United States from cyberattacks, according to a new report from the Rand Corp., the not-for-profit think tank. And, Rand says, that creates risks for national and homeland security.
Still, Rand analysts say the difficulty in finding qualified cybersecurity candidates won't last forever. As the supply of cybersecurity professionals in the educational pipeline increases, the Rand analysts see the market reaching a stable, long-term equilibrium.
"It's largely a supply-and-demand problem," says the lead author of the study, Martin Libicki, a Rand senior management scientist. "As cyber-attacks have increased and there is increased awareness of vulnerabilities, there is more demand for the professionals who can stop such attacks. But educating, recruiting, training and hiring these cybersecurity professionals takes time."
Defending American Interests
Rand studied the current labor market of cybersecurity professionals with an emphasis on those employed to defend the United States.
Libicki says the demand for cybersecurity professionals began to overtake supply in 2007, mostly because of increased reports of large-scale hacking, including the leakage of credit card data, attacks on Internet connectivity and the discovery of advanced persistence threats.
The Rand analysis says the cybersecurity skills shortage is mostly at the high end of the capability scale - those commanding salaries of more than $200,000 to $250,000. The government pays less, according to the federal government pay scale, known as GS, however.
Annual Pay for Federal Cybersecurity Professionals, by Grade
High pay isn't the only way to attract and keep on staff IT security expertise. Libicki says many large organizations have identified ways to deal with the shortage through internal promotion and education efforts. That's what the NSA, the nation's largest employer of cybersecurity talent, is doing.
NSA has a very intensive internal schooling system, lasting as long as three years for some, an approach Rand says other organizations would find difficult to replicate. "The NSA makes rather than buys cybersecurity professionals," the report says.
But officials at the NSA, the Defense Department's e-intelligence agency, tell Rand researchers they're doing quite well in recruiting cybersecurity specialists. Nearly every cybersecurity position at the NSA is filled, with a vacancy rate of less than 1 percent, Rand reports.
The NSA has only 80 staff members assigned full time to recruit IT security specialists but another 300 employees have recruitment as an additional duty. Another 1,500 NSA employees are involved in the recruitment and employment process. "All told, that is a great deal of effort - suggesting, from our perspective, that the difficulties of finding enough cybersecurity professionals can be largely met if sufficient energy is devoted to the task," the Rand report says.
To help increase the roster of cybersecurity professionals, the Rand analysts recommends the following steps:
- Waive civil service and other rules that prevent government agencies from hiring talented cybersecurity professionals should be waived for such hires.
- Earmark a modest amount of money for cybersecurity education programs to allow organizations to buy the necessary software licenses and computing and network equipment for their students.
- Refine testing to identify candidates likely to succeed in cybersecurity careers by investing in research to assess an innate ability to learn and understand the cyber domain and the nuances of information manipulation or protection.
- Develop methods for all organizations to attract women into the profession, which could increase the long-term supply of cybersecurity experts (see How Can Women Advance? Let Them Fail).
The study says market forces should be able to address the strong demand for cybersecurity professionals in the long run. But it cautions not to over-recruit to the profession.
"Cybersecurity professionals take time to reach their potential; drastic steps taken today to increase their quantity and quality would not bear fruit for another five to 10 years," the report says. "By then, the current concern over cybersecurity could easily abate, driven by new technology and more secure architectures. Pushing too many people into the profession now could leave an overabundance of highly trained and narrowly skilled individuals who could better be serving national needs in other vocations."