The real cybersecurity workforce challenge: Hiring the ‘best of the best’ hackers
Few would disagree that there is far greater demand for talented cybersecurity professionals than there are qualified people to fill those positions. But a new study released today suggests the real cybersecurity workforce challenge is hiring and retaining the top 1 percent of the talent pool — the “best of the best” hackers out there.
According to the study, “H4cker5 Wanted: An Examination of the Cybersecurity Labor Market,” produced by the Rand Corp., the shortage of cybersecurity professionals is a significant threat to national security, but it’s predominantly a problem at the highest capability levels.
“These are the people capable of detecting the presence of advanced persistent threats, or, conversely, finding the hidden vulnerabilities in software and systems that allow advanced persistent threats to take hold of targeted systems,” the report states.
Researchers at Rand interviewed experts from five federal agencies, five educational institutions, two major security firms, one defense contractor and one independent expert.
Upper-tier cybersecurity professionals — those who are qualified to do forensics, write code or conduct red-teaming — are the hardest to hire in today’s labor market, according to the study. But government agencies face additional challenges “above and beyond those faced by private-sector firms” when it comes to hiring cybersecurity professionals.
“Perhaps most important are employee pay bands, which are most likely to be binding for upper-tier professionals,” the report states. It notes that the top 1-5 percent of hackers can often command salaries of up to $300,000 a year and are often more experienced business professionals. The average salary for a government cybersecurity professional is $80,000 per year.
“Thus, government employers may find it difficult to hire enough upper-tier professionals, even when the private sector does not,” the report states.
Members of the top 1 percent of hackers are typically in their 30s (not 20s or younger, as conventional wisdom would suggest) and bring to the table “the ability to manage groups of heterogeneous individuals, market the importance of security to others, and/or meld security considerations into the complex and multifaceted world of government decisionmaking.”
While it is virtually impossible for the federal government to compete with the private sector once a top-tier cybersecurity professional reaches the highest salary range, one agency that does a surprisingly good job at attracting and retaining some of the world’s top hacker talent is the National Security Agency.
Less than 1 percent of NSA’s positions are vacant at any given time, according to the Rand study. And very few cybersecurity professionals quit their jobs at NSA. According to the Rand researchers, NSA’s success is partly the result of the amount of effort it puts into employee development and training.
“Our interview suggests that the NSA makes rather than buys cybersecurity professionals,” the report states. And while 80 percent of NSA’s new hires are entry-level employees with bachelor’s degrees, the agency has one of the most intensive training programs in the world. For some, that training lasts for up to three years.
“Only one organization can be the most prestigious place to work, and for this line of work…NSA is hard to beat,” the report states. The agency, according to the Rand study, consistently absorbs one-third of all Scholarship for Service Graduates because of its reputation for hiring the best hackers.
NSA also has 80 people dedicated to recruitment, with another 300 who have recruitment as a secondary duty. Another 1,500 employees are involved in some way in the entire recruitment and employment process, according to Rand.
“All told, that is a great deal of effort—suggesting, from our perspective, that the difficulties of finding enough cybersecurity professionals can be largely met if sufficient energy is devoted to the task,” the report states.