Overwrought CISOs, take heart: You may be short-staffed now, but the best seeds for solving the shortage may have already been planted, and now we just need to wait for them to bear fruit.
This is one of the findings of "Hackers Wanted: An Examination of the Cybersecurity Labor Market," a new study by the RAND Corporation. The study also shows that, while the world waits for the next generation of security professionals to mature, industry is using creative ways to identify people with an aptitude for information security within the workforce. The authors further suggest that, instead of just increasing the supply of infosec professionals, we should try reducing demand for them.
Martin C. Libicki, senior management scientist at RAND and one of the authors of the report, is not surprised that the skills gap is taking time to close. "It takes a while for someone to get proficient," he says. "You might dangle a carrot in front of someone in 2010, but they won't be able to chew it until 2015."
However, Libicki was surprised by the ability of large organizations to cope with the short-term limits by using "systematic ways of going through their workforce" to find talent.
Since all organizations must conduct security awareness training sessions anyway, some are folding personality and aptitude testing into that training. They look for people who have dismantled their home computer for fun -- those who like solving puzzles, finding out how things work, and learning how things could be made to fail. These diamonds in the rough (who might have degrees in English, not computer science) may be encouraged to take infosec training and consider a career change.
The trouble with training employees, of course, is that people will happily take that training and then take their newly minted skills elsewhere.
Libicki says that this is a common problem -- not unique to cybersecurity -- for most organizations, outside of the military. (As he says, knowing how to operate an aircraft carrier isn't likely to be transferable in the private sector.) However, training and retaining security professionals is a significant problem within other sectors of the government. One of the limiting factors is the government's strict pay grades.
"The average infosec person earns about $100K. The government can play in that space," Libicki says. However, the most skillful, top-tier pros are few and therefore come at a premium -- between $200,000 and $250,000. The US government might be able to afford up to $150,000 and might be able to add some non-monetary benefits beyond that, but when the price goes above $200,000, the government cannot compete with private industry. This inability to retain the very best talent can put national security at risk.
The study does muse on the idea of boosting national cybersecurity at times when the threat is highest by drawing on reserve forces, like the National Guard and the Army Reserves, that become available when there is a crisis, but the authors think that this is a flawed idea. From the report:
- Unfortunately for most cybersecurity tasks (forensics conspicuously aside), effective cybersecurity defense requires familiarity with the systems being attacked -- something that part-time exposure does not provide very well.
Libicki adds that, if a security pro at a bank is called into service for the government, the bank is suddenly left unprotected.
So there is still a need for a higher quantity of warm bodies in infosec jobs. The RAND study states that there will be higher numbers a few years from now, because schools and universities have responded to the demand.
Nevertheless, the demand might increase.
Libicki says that, instead of just increasing the supply of security professionals, the industry should work on reducing demand. "$70 billion is spent on cybersecurity globally. If we could shift some of our money to making sure our software had fewer holes in it," instead of plugging those holes later, enterprises and national security could be better managed by fewer people.
Yet the secure development lifecycle is not the only thing in the bag of tricks, he says. Secure architecture is just as important as secure software. He points to how the closed environment of Apple products keeps them safer than the openness of Android products, and how sandboxing makes Google Chrome more secure than Firefox.
"I would make a wild guess that one out of every 10 people who could be a great cybersecurity professional is already doing cybersecurity," Libicki says. "Maybe we need to get 15% of them instead of 10%, but I don't want to get to the point that all 10 of them are doing cybersecurity. We need those smart people doing other things, too."
Other recommendations made by RAND include, from the report:
- More active waiving of civil service rules that impede hiring talented cybersecurity professionals, maintaining government hiring of cybersecurity professionals even through adverse events such as sequestrations, funding software licenses and related equipment for educational programs, refining tests to identify candidates likely to succeed in cybersecurity careers, and, in the longer run, developing methods to attract women into the cybersecurity profession.
- But, in general, we support the use of market forces (and preexisting government programs) to address the strong demand for cybersecurity professionals in the longer run.
The full report can be found at rand.org.