DHS aims to hire 600 cybersecurity pros -- if it can find them
Experts say Department of Homeland Security recruitment suffers from lack of understanding of talent pool
November 13, 2012 — CSO — The Obama administration is hoping to make good on its promise to create new jobs -- in this case, 600 of them in cybersecurity.
Department of Homeland Security (DHS) Secretary Janet Napolitano, acting on the recommendation of the Homeland Security Advisory Council's Task Force on Cyberskills, said at a Washington Post cybersecurity forum that DHS wants to hire at least 600 cyber experts, analysts, IT specialists and people who are familiar with coding.
As a number of cyber experts have noted, however, while this may be a new initiative, it is not a new goal. James Lewis, senior fellow and program director at the Center for Strategic and International Studies, said on a different panel at the same forum that similar hiring efforts have been under way for several years, with limited success.
Federal News Radio's Jason Miller reported that the Government Accountability Office (GAO) "found in November 2011 that nearly every agency experienced difficulty in defining and hiring cyber workers."
There are several reasons for the difficulty, experts say, but none of them have to do with a lack of supply. They say there are talented candidates out there, but DHS has not learned how to attract them. One problem is that DHS still hasn't been able to define the skills needed and job descriptions clearly.
U.S. Army Maj. Gen. John Davis, senior military adviser for cyber to the undersecretary of defense, said recently at the Center for Strategic and International Studies (CSIS) in Washington, "We don't have all the capacity and the right sets of skills that we need to do all that's required. In the department we are still struggling to fully define and empower the cyber workforce."
Beyond that, experts say DHS is likely to continue to have problems recruiting the best and the brightest in cybersecurity until it learns that many do not fit into the standard bureaucratic hiring profile.
In response to a call from Napolitano several weeks ago to begin training the next generation of cyber pros in kindergarten, several experts said there is no need to wait 14 years for those kindergarteners to get out of school. But the talent available now would be unlikely to make it past standard government screening.
As the security consultant Winn Schwartau put it recently at the Hacker Halted conference in Miami, human resources departments "frown on conditions such as attention deficit disorder and autism, or obsessive-compulsive personalities, which are typical of computer geeks willing to focus on an issue through the night."
Government also lacks the so-called "cool factor." Paul Rosenzweig, founder of Red Branch Law & Consulting and a former DHS assistant secretary for policy, said at the time, "It is much more interesting and cool to build new stuff in Silicon Valley than it is to toil doing cybersecurity for DHS."
Bill Pennington, chief strategy officer at WhiteHat Security, said that while defending the free world from cyber threats may be a pretty cool job description, "sadly I am sure there are a thousand regulations that make the government put out descriptions like Security Analyst Level 1."
Pennington added that standard education requirements might be blocking some of the best talent out there. "What they are teaching at some universities is at least two to three years behind the curve. Why would I go to college and spend $100,000 to $200,000 to learn three-year-old technology?" he asked.
So far, DHS is only getting part of that message. One of the recommendations of the Task Force on Cyberskills is to "make the hiring process smooth and supportive and make mission critical cybersecurity jobs for the federal civilian workforce enticing in every dimension: in mission and service, skills, growth potential, and 'total value proposition.'"
Mark Weatherford, undersecretary of cybersecurity for DHS, said in September that a lack of a college degree shouldn't be a deal-breaker for a job candidate.
Still, the task force believes in the conventional education approach. Another recommendation calls for "[establishing] a two-year, community-college-based program that identifies and trains large numbers of talented men and women to prepare them for mission-critical jobs in cybersecurity."
Not necessary, says Pennington. "Apprenticeship is a concept that fits this area well," he said. "Once you hire based on attitude the aptitude can come quickly with the proper environment and hands-on training."
He said the WhiteHat hiring process involves giving candidates a week to answer questions about cybersecurity. "It is surprising how many people this process weeds out," he said. "Those who pass then come in for interviews, mostly around team chemistry. Our retention rate is about 95% over the past four years."
Other stories by Taylor Armerding