海角大神

Modern field guide to security and privacy

US CIO Tony Scott on fixing cybersecurity's talent gap

At a Passcode event Tuesday, the US chief information officer said the federal government wants candidates who know languages, biology, and anthropology to fill cybersecurity roles – and one of its most important hires, the new chief information security officer, will be announced within 30 days.

Michael Bonfigli/海角大神
White House Chief Information Officer Tony Scott (l.) spoke with Passcode on Apr. 12 about fixing the pipeline into the cybersecurity workforce.

If you're trying to recruit employees to help defend your organization's computer networks against malicious hackers, good luck. You've got a lot of tough competition.

US government agencies and businesses are scrambling to bolster security operations teams to defend against breaches such as last year's massive data spill at the Office of Personnel Management. US Chief Information Officer Tony Scott revealed on Tuesday that the government will announce the hiring of a Chief Information Security Officer in the next 30 days – a step toward dealing with that problem.

But even though the Obama administration has pledged $62 million to build a more robust digital security workforce – and private sector companies are promising six-figure salaries to so-called "white hat" hackers – experts say there still aren't enough qualified candidates to go around. In fact, the cybersecurity firm Symantec says demand for cybersecurity jobs could fall short by 1.5 million people worldwide by 2019.

On Tuesday, Passcode hosted an event in Baltimore to explore the newest ideas and approaches to close the cybersecurity skills gap that featured Mr. Scott and leading figures in digital security from firms such as CrowdStrike and CyberVista.

Here are some key takeaways from the event:

1. It's not just a supply problem

Sure, fixing the cybersecurity workforce has a lot to do with hiring the right people, but employees must constantly adapt to new threats – from the viruses that maliciously encrypt vulnerable files to massive data breaches – to stay up to speed.

"It's not an area where you can go to school, learn something, and then just sit on your hands for the next 30 years," said Scott. "It's kind of an eyes-wide-open field where you have to keep yourself continually educated."

2. Think outside the network

A lot of network defense comes down to keeping the bad guys out. But with US government agencies and companies facing threats from adversaries such as Chinese hackers, Russian cybercriminals, and the Iranian military, that doesn't just mean scanning your systems for malicious software. Maybe you could help out by deciphering notes on code written in a foreign language – or by understanding the cultural motivations behind a hack.

"Cyber is a global problem and we need people that speak every language on the planet," Scott said. "We need people with all kinds of different skills. We need cultural anthropologists. I'm looking for people who understand biology and cybersecurity. There's no area where we're full up, we need everything."

3. It's not just about the money

Scott knows firsthand that the federal government doesn't pay like the private sector – he had to take a pay cut to join the White House from the software firm VMWare. But, he said, going to Washington is about more than the money.

"Yes, I'd like to see these roles pay better – but at some level, these are some of the most challenging and important roles that you can play," he said. "For me, this was the challenge and the opportunity of a lifetime."

Scott said that the US government has cut down the list of candidates for the federal Chief Information Security Officer position to a handful of candidates – and expects to announce a decision within the next month.

4. Open things up for US government hackers

Want to get more hackers into government service? US government agencies should stay in the loop with private companies, said Jason Geffner, CrowdStrike's chief security researcher, and let hackers in Washington show their work at security gatherings such as the RSA Conference or the DEF CON hacker convention.

"There's no communication really across the fields," he said. "People who are in the private sector who aren't interested in going into the public sector think it's important to speak on a panel, speak on a conference. It makes it much less appealing to pursue that career path."

5. Passion is key

Don't know how to write a line of code? That may not matter, said Simone Petrella, chief cyberstrategy officer at the cybersecurity firm CyberVista. Other key ingredients for successful cybersecurity pros are curiosity and passion, she said.

"At the end of the day, the people who succeed don't have a degree or a certificate – they're really good at Googling," she said. "It's just the passion to explore more and gain knowledge, that just happens to be in cybersecurity."

Employers also need to better communicate that cybersecurity positions involve much more than sitting in front of a computer all day, said Rodney Petersen, leader of the National Initiative for Cybersecurity Education at the National Institute of Standards and Technology (NIST).

"In cybersecurity, there's probably a stereotype that it's a loner, it's a hacker, it's a person behind a computer screen – which is quite frankly maybe not attractive to somebody who wants to interact with a team," said Mr. Petersen. "You can volunteer, you can work for your institution, you can do things other than independently hacking."
