US CIO Tony Scott on fixing cybersecurity's talent gap

At a Passcode event Tuesday, the US chief information officer said the federal government wants candidates who know languages, biology, and anthropology to fill cybersecurity roles – and one of its most important hires, the new chief information security officer, will be announced within 30 days.

Michael Bonfigli/The Christian Science Monitor
White House Chief Information Officer Tony Scott (l.) spoke with Passcode on Apr. 12 about fixing the pipeline into the cybersecurity workforce.

If you're trying to recruit employees to help defend your organization's computer networks against malicious hackers, good luck. You've got a lot of tough competition.

US government agencies and businesses are scrambling to bolster security operations teams to defend against breaches such as last year's massive data spill at the Office of Personnel Management. US Chief Information Officer Tony Scott revealed on Tuesday that the government will announce the hiring of a Chief Information Security Officer in the next 30 days – a step toward dealing with that problem. 

But even though the Obama administration has pledged $62 million to build a more robust digital security workforce – and private sector companies are promising six-figure salaries to so-called "white hat" hackers – experts say there still aren't enough qualified candidates to go around. In fact, the cybersecurity firm Symantec projects that the worldwide shortfall of cybersecurity professionals could reach 1.5 million people by 2019.

On Tuesday, Passcode hosted an event in Baltimore, featuring Mr. Scott and leading figures in digital security from firms such as CrowdStrike and CyberVista, to explore the newest ideas and approaches for closing the cybersecurity skills gap.

Here are some key takeaways from the event:

1. It’s not just a supply problem

Sure, fixing the cybersecurity workforce has a lot to do with hiring the right people, but employees must also constantly adapt to new threats – from ransomware that encrypts victims' files to massive data breaches – to stay up to speed.

"It’s not an area where you can go to school, learn something, and then just sit on your hands for the next 30 years," said Scott. "It’s kind of an eyes-wide-open field where you have to keep yourself continually educated."

2. Think outside the network

A lot of network defense comes down to keeping the bad guys out. But with US government agencies and companies facing threats from adversaries such as Chinese hackers, Russian cybercriminals, and the Iranian military, that doesn't just mean scanning your systems for malicious software. Maybe you could help out by deciphering code comments written in a foreign language – or by understanding the cultural motivations behind a hack.

"Cyber is a global problem and we need people that speak every language on the planet," Scott said. "We need people with all kinds of different skills. We need cultural anthropologists. I’m looking for people who understand biology and cybersecurity. There’s no area where we’re full up, we need everything."

3. It's not just about the money 

Scott knows firsthand that the federal government doesn't pay like the private sector – he had to take a pay cut to join the White House from the software firm VMware. But, he said, going to Washington is about more than the money.

"Yes, I’d like to see these roles pay better – but at some level, these are some of the most challenging and important roles that you can play," he said. "For me, this was the challenge and the opportunity of a lifetime."

Scott said that the US government has cut down the list of candidates for the federal Chief Information Security Officer position to a handful of candidates – and expects to announce a decision within the next month.

4. Open things up for US government hackers

Want to get more hackers into government service? US government agencies should stay in the loop with private companies, said Jason Geffner, CrowdStrike's chief security researcher, and let hackers in Washington show their work at security gatherings such as the RSA Conference or the DEF CON hacker convention.

"There’s no communication really across the fields,” he said. "People who are in the private sector who aren’t interested in going into the public sector think it’s important to speak on a panel, speak on a conference. It makes it much less appealing to pursue that career path."

5. Passion is key

Don’t know how to write a line of code? That may not matter, said Simone Petrella, chief cyberstrategy officer at the cybersecurity firm CyberVista. Other key ingredients for successful cybersecurity pros are curiosity and passion, she said.

"At the end of the day, the people who succeed don't have a degree or a certificate – they're really good at Googling," she said. "It's just the passion to explore more and gain knowledge, that just happens to be in cybersecurity."

Employers also need to better communicate that cybersecurity positions involve much more than sitting in front of a computer all day, said Rodney Petersen, leader of the National Initiative for Cybersecurity Education at the National Institute of Standards and Technology (NIST).

"In cybersecurity, there’s probably a stereotype that it’s a loner, it’s a hacker, it’s a person behind a computer screen – which is quite frankly maybe not attractive to somebody who wants to interact with a team," said Mr. Petersen. "You can volunteer, you can work for your institution, you can do things other than independently hacking."
