All star

Cybersecurity staffing—and the industry shortage—is a frequent topic of conversation among security practitioners. In the private sector, companies compete for the best and brightest, often extending attractive benefits including high salaries, the ability to work from home (or other remote locations), flex time to participate in research and industry events, generous paid time off, intra-office competitions for recognition, and more. In the public sector, hiring challenges are no less prevalent, but government agencies face additional obstacles when trying to find, attract, and retain security talent. Lower salaries and perceived rigidity in the workplace contribute to government’s cybersecurity hiring struggles, but as nation state competition heats up, especially as we enter a new era of public administration in the U.S., government and civilian agencies need to develop alternative hiring strategies if the U.S. wants to compete on a global scale.

Get your game on, go play

Earlier this month during the Senate Armed Services Committee hearing on “Foreign Cyber Threats to the United States,” National Security Agency director Admiral Michael Rogers addressed the agency’s challenges in hiring. This is not the first time he’s done so either. Back in November 2014 Admiral Rogers issued testimony almost identical to his more recent comments:

“We are not going to compete on the basis of pay. Where we're going to compete is we will attract people who have - who will be attracted to the ethos and culture, this idea of serving something bigger than yourself. We will attract people who like the idea of service to the nation as a core part of what they do in life. We will attract people who are attracted to the idea of you are doing something that matters to this nation and you are helping to defend this nation.”

The good news for Rogers and other government-based hiring managers looking for talent is that the security community is largely comprised of individuals who feel a sense of duty, a drive to “do good.” Many practitioners started in security as hobbyists, and even though they now have years of employed experience under their belt, continue security as a “hobby” outside of working hours. It’s not uncommon to hear security practitioners talking about or demonstrating their after-hours research and tinkering—building tools, looking through code, attending industry gatherings on weekends to participate in tech talk for fun.

The issue, therefore, doesn’t seem to be about sense of purpose and duty. Salary, however, is absolutely a consideration. The government simply cannot match private sector salaries, and all other things being equal, why would a practitioner take a lower salary to do a similar job?

Get the show on, get paid

Two separate studies substantiate that, while a competitive salary is a consideration for security professionals, it’s not the driving force in choosing a new job or remaining at a current one. A joint study by ISSA International and Enterprise Strategy Group shows that only 32% of respondents say that financial compensation leads to job satisfaction. Security expert Mike Saurbaugh, who will be speaking at InfoSec World 2017, conducted a survey among college students in IT and security programs and found that other factors were more important to those about to enter the workforce. Respondents to Saurbaugh’s study said that “an opportunity to learn and grow” and “making a difference (defending against hackers)” were the two most important factors in choosing and/or remaining at a job. The ISSA-ESG study’s respondents replied similarly; “an organizational culture that includes cybersecurity,” “business management’s commitment to cybersecurity,” and “the ability to work with a highly skilled and talented cybersecurity team” were the top three non-salary related responses to the question of job satisfaction.

Given this, the government, if they’re true to Admiral Rogers’s iterated words, should be in a good place. But they’re not. By most accounts, the government is having more difficulty finding, attracting, and retaining security experts than other organizations.

All that glitters is gold

The government frequently—often by necessity—operates under a veil of secrecy and strict rules. In the security world, this can be interpreted by some as inflexibility and the inability to share work findings. If there’s one thing the private sector security community is good at, it’s sharing stories. In the U.S. alone, over 2,000 security conferences are produced each year. Security practitioners attend to learn from others, share “war stories,” and try to get new ideas about how to better run their security departments. Many security staff report that the best resource for new information is their network, whether they are sharing experiences or hearing about others’.

While government employees attend conferences as audience members, they are rarely permitted to expose details of their work. In fact, for our own security events, MISTI has on several occasions had to backfill speaking spots on our programs when a former private sector employee joins a government entity. When they are permitted to speak, government presentations typically focus on known information—things that have been in the public domain for long periods of time. Non-government employees commonly lament that while government urges cybersecurity and threat information sharing, that sharing isn’t bi-directional; government departments won’t (or can’t because of policy) share.

All of this creates some negative feelings towards and apprehension about the capabilities of government security teams. 

Only shooting stars break the mold

To bolster the workforce, government agencies must position opportunities attractively to job seekers, says Saurbaugh. “People are people,” he said during a telephone interview, “employees are looking for job opportunities that allow them to pursue professional interests and stay stimulated.” To recruit security talent, said Saurbaugh, government “should become more visible at industry events and in academia—to recruit students who are interested in not only security but also in helping the nation.” A duty to one’s nation may not be enough when competing against private sector though. Hiring managers at private companies are willing to go far to hire security talent; government will need to make concerted efforts to show prospective employees that jobs in the public sector can be as fulfilling and stimulating as those offered by private enterprises.

“Companies looking for security experts,” regardless of industry sector, says Saurbaugh, “must be willing to let security staff problem solve creatively; give them flexibility; give them ownership of projects; give them a platform.” This offers a sense of accomplishment and achievement along with a paycheck. When employees feel good about what they are doing, they’ll continue to work hard to make a difference versus merely completing a task. Saurbaugh is quick to mention that “platforms” may be different for government workers. Even within the private sector, some organizations, particularly within financial services, don’t allow security staff to speak publicly about their work, concerned about revealing their technological advantage. It’s just too risky. Within those companies’ departments, though, security teams can present and share internally; recognition and awards are bestowed for problem solving and creativity. The atmosphere, while protected, isn’t so rigid that out of the box thinking is discouraged. One such financial services firm employs a “security innovation” department that allows security staff to experiment with “crazy” ideas to reduce risk and manage the challenges of information security.

You’ll never shine if you don’t glow

Security challenges are ever-increasing in general, resulting in the need for more practitioners. When it comes to the U.S. government’s security capabilities, with the incoming administration threatening to get tougher on our adversaries, we are bound to see more, more frequent, and possibly even more advanced threats. This means the U.S. government’s security departments must be ready and able to handle the security challenges that lie ahead. Without adequate staffing, and/or with the revolving door on employment, we’re sure to see more breaches like the DNC or Office of Personnel Management hacks. With a spotlight on security, the government has an opportunity to alter its course for recruitment. Only then will it be able to truly compete in the hiring realm with private sector organizations and affect positive outcomes for the security of federal systems, data, and personnel.