If you’re eager for a cybersecurity career, the U.S. government wants you to know it’s hiring.
Over the last month, the leadership of both the U.S. Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) have let the security community know that their doors are open and recruits are welcome. State and local agencies are also eager to hire more security talent amid increasing attacks such as ransomware.
At the Black Hat 2021 conference in Las Vegas this month, Jen Easterly, who was recently confirmed by the U.S. Senate to lead CISA, not only touted public-private partnerships to improve cybersecurity, but also appealed to security researchers, white hat hackers and others in the audience to join her agency (or another federal department) as the U.S. confronts nation-state attacks and other types of cyberthreats.
Easterly also talked about making the hiring process easier so that a larger group of cybersecurity professionals can join CISA, as well as the need to "think very differently about all of the creative ways we can build the cybersecurity workforce and a very diverse cybersecurity workforce."
Following Easterly’s address, Alejandro Mayorkas, the secretary of Homeland Security, told the same Black Hat audience that his department, which includes CISA, is not only working to hire more cybersecurity professionals, but wants to cut down on the red tape to bring more security talent into the U.S. government. In July, DHS hired nearly 300 cybersecurity workers and extended offers to hundreds more.
Mayorkas touted the Cyber Talent Management System, which will give DHS more flexibility to hire cyber talent. “It’s taken too long to get here, but we are proud to have gotten this hiring effort over the finish line. Developing a top-tier, diverse cybersecurity workforce will remain a priority for us at DHS and the federal government under the Biden-Harris Administration,” he said.
Despite the appeals, security experts believe that the lure of the private sector, with higher salaries and well-known perks, will continue to draw talent away from federal, state and local government jobs. However, there are ways to appeal to security professionals to bring them into government work.
“The reality is, the government can’t compete with the private sector on pay for cybersecurity professionals. They can, however, compete in creating a talent pipeline from universities and community colleges into government service,” John Bambenek, a threat intelligence advisor at security firm Netenrich, told Dice. “It is artificially hard to get the first cybersecurity job with some of the expensive requirements for entry-level jobs. The government could use this as a strategic opportunity to train and keep the next generation of professionals via programs such as the scholarship for service. While those professionals will in many cases move on, there are other ways to keep them involved.”
Rethink Recruiting
Specifics about the number of open cybersecurity positions are difficult to come by, but one estimate by Cyber Seek, a job-tracking database developed by the Department of Commerce and CompTIA, puts the number at 465,000 open positions nationwide.
Of that number, there are about 36,000 open cybersecurity positions across federal, state and local government agencies—and the need for additional talent continues to grow.
During an August hearing of the House Homeland Security Committee's Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, committee chair Yvette Clarke (D-N.Y.) cited the number of open cybersecurity positions across both private and public organizations, as well as the serious cyberthreats that have come to light since January, as reasons why more recruiting of cyber talent is needed.
During that hearing, one stat from the testimony stood out: There are currently 16 times more federal IT workers older than 50 than workers younger than 30. This means government agencies need to make more appeals to younger, college-age talent to join the public sector.
Tony Coulson, executive director at the Cybersecurity Center at California State University in San Bernardino, testified at the hearing that the hiring process for cybersecurity workers is now out of date and that even college degree requirements might exclude some top talent.
Another witness, Max Stier, president and CEO of the Partnership for Public Service, told the committee that the federal government needs to cut down on the red tape when it comes to hiring. He noted that the government’s insistence on security clearances for workers remains a major obstacle.
The government can also try other ways to keep talent. For instance, after completing their military service, many workers move to careers in the private sector, but there are ways the federal government can continue to stay in touch with talent, Bambenek said.
“While those professionals will in many cases move on, there are other ways to keep them involved,” Bambenek noted. “For instance, U.S. Cyber Command could create that pipeline of talent, but retain access to them as they leave for the private sector by incentivizing those soldiers to serve in the reserves or National Guard units.”
Rethinking Perks
Some security professionals believe that the government offers as many perks as the private sector, even if the pay is not the same. Part of rethinking the process is to put those benefits front and center to make them more appealing.
“Free goodies, stock options and all other kinds of teasers offered by the private sector are rather short in their attractiveness. Government job openings in cybersecurity can be appealing when someone looks at it with a long-term perspective,” Dirk Schrader, the global vice president for security research at New Net Technologies, told Dice. “If the government is able to offer a package that has long-lasting effects, like good health insurance coverage after retirement or any post-work package for employees with a years-long employment history, that can be a differentiator.”
Victoria Mosby, a federal sales engineer at security firm Lookout, agrees that the government can provide a wide range of perks for cybersecurity professionals, including tenure in positions, retirement benefits, and locality pay for those moving to another part of the country, as well as union protection for certain types of jobs.
The main issue is that many of these benefits are geared toward those looking for long-term stability and might not appeal to younger workers who are willing to jump from job to job for the early part of their careers.
“When compared to the at-will nature of the private sector, the federal government offers greater long-term stability to workers,” Mosby told Dice. “There are other perks, including government-specific benefits for healthcare cost, 401k options—including low-fee Thrift Savings Plans—free software and discounted services such as mobile plans. These are nothing to scoff at, but when compared to their private sector counterparts, they aren’t always up to par, especially for younger workers who want the ping-pong tables, relaxation rooms and happy hours.”