
The nationwide shortage of cybersecurity professionals — particularly for positions within the federal government — creates risks for national and homeland security, according to a new study from the RAND Corporation.
Demand for trained cybersecurity professionals who work to protect organizations from cybercrime is high nationwide, but the shortage is particularly severe in the federal government, which does not offer salaries as high as the private sector.
“It’s largely a supply-and-demand problem,” a news release quoted Martin Libicki, lead author of the study and senior management scientist at RAND, a nonprofit research organization, as saying. “As cyber attacks have increased and there is increased awareness of vulnerabilities, there is more demand for the professionals who can stop such attacks. But educating, recruiting, training and hiring these cybersecurity professionals takes time.”
The RAND Corporation is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous.
In order to gain a clearer picture of the labor market for cybersecurity professionals, Libicki and coauthors David Senty and Julia Pollak reviewed previous studies on the topic, examined the economics of particular kinds of skilled labor shortages, conducted interviews with managers and educators of cybersecurity professionals, and examined the kinds of skill sets required for these jobs.
Libicki said the demand for cybersecurity professionals began to overtake supply in 2007, largely due to increased reports of large-scale hacking, including the leakage of credit card data, attacks on Internet connectivity, and the discovery of “advanced persistent threats” — teams of hackers who go after intellectual property by establishing a persistent presence in the networks of U.S. and other technology targets.
The cybersecurity manpower shortage is primarily at the high end of the capability scale, commanding salaries of more than $200,000 to $250,000, Libicki said. However, many large organizations have found ways of dealing with the shortage through internal promotion and education efforts.
The report says that whenever rapid demand increases hit a profession with nontrivial skill and/or education requirements, economic theory suggests that rapidly rising compensation packages and strong competition for workers can be expected.
It recommends waiving rules that unnecessarily prevent federal agencies from hiring talented cybersecurity professionals. At a minimum, NSA’s ability to waive the rules should be extended to all.
It also calls for a modest infusion of funds (perhaps matching funds) for cybersecurity education programs to allow them to buy the necessary software licenses and computing/network equipment for their students.
Other recommendations from the RAND study include maintaining government hiring of professionals through sequestrations, funding software licenses and related equipment for educational programs, refining tests to identify candidates likely to succeed in these careers, and developing methods to attract women into the field.
A longer-term approach entails reducing the demand for cybersecurity professionals in the first place by limiting the use of problematic computer applications or encouraging the development of harder-to-hack operating systems.
In the meantime, Libicki also says government officials should trust that market forces and existing programs will, in time, mitigate the shortage of cybersecurity professionals. In any case, he notes that drastic steps taken today will still take years to produce results.
The study, “Hackers Wanted: An Examination of the Cybersecurity Labor Market,” can be found at www.rand.org.
Research for the study was sponsored by a grant from a private foundation and conducted within the Forces and Resources Policy Center of the RAND National Security Research Division. The division conducts research and analysis on defense and national security topics for the U.S. and allied defense, foreign policy, homeland security and intelligence communities and foundations and other nongovernmental organizations.
Cybersecurity has long been a subject of public debate amid increasing concerns at both the government and public levels. Federal Communications Commission Chairman Tom Wheeler recently warned communication companies to take cybersecurity more seriously if they wanted to avoid new regulations on their networks.
“The communications sector is at a critical juncture. We know there are threats to the communications networks upon which we all rely. We know those threats are growing. And we have agreed that industry-based solutions are the right approach,” Mr. Wheeler said. “The question is: will this approach work? We are not Pollyannas. We will implement this approach and measure results.”