Should security pros get special H-1B visa consideration?

New U.S. Attorney General Jeff Sessions may disagree about whether there is a shortage of skilled IT workers in America, as he has asserted at hearings over the past two years, but talk to most CISOs and they will confirm that when it comes to cybersecurity talent in particular, the skills shortage is very real.

"There's no doubt about it," says John Masserini, CISO at equity derivatives marketMIAX Options in Princeton, N.J. "We've had two positions open for three months now," a security operations center analyst and a security engineer position. The company's location between two major metro areas - New York City and Philadelphia - makes the competition for cybersecurity talent especially tough, he says. Meanwhile, the firm's security workload keeps growing. "I already know that by the end of this year I'm going to have a couple more openings," he says.

The cybersecurity unemployment rate dropped to zero in September, according to research firm Cybersecurity Ventures. The global demand for cybersecurity workers is expected to reach 6 million by 2019, with a projected shortfall of 1.5 million qualified security pros. More than half (57 percent) of organizations today say that finding and recruiting talented IT security staff with the right skill sets is a "significant" or "major" challenge, according to a survey by Osterman Research for Trustwave. The new White House administration could make finding cybersecurity talent even tougher.

The Trump administration intends to bolster the nation's cybersecurity, but at the same time it's looking to revamp the country's H-1B visa program, a huge source for bringing specialized IT talent to the U.S. The administration has floated the idea of replacing the current lottery system for issuing H-1B visas with a merit system, in an effort to recruit only the "best and brightest" talent for the most in-demand IT skills and to keep well-paying IT jobs in American hands.

The skills, education and experience that would garner additional merit have not been discussed publicly, but some cybersecurity leaders and industry-watchers say that special consideration should be given to H-1B visa applicants with cybersecurity skills to help fill critical positions.

"U.S. businesses are thriving. In this hyper-expansion mode, you can't get everything perfect. You need people to plug those security holes," says Chris Schueler, senior vice president of managed security services at Trustwave. "We need to tap into those skills where they exist, and a lot of them don't exist in the U.S."

Today, few H-1B visas are used for IT security positions. Visas for information security analysts, for instance, made up .3 percent of all H-1B visas issued for IT jobs, with a mean salary of $99,708, according to data from the U.S. Citizenship and Immigration Service and analysis by Janco Associates. Network and computer systems administrators, who account for 1.9 percent of H-1B visa holders in IT jobs, also bring some security skills, "and may also fill some security analyst positions," says M. Victor Janulaitis, CEO of Janco. Those H-1B admins earn a mean salary of $76,233, according to the Janco report.

In general, all H-1B visas are meant to be merit-based, but if cybersecurity talent were given a higher priority than other IT jobs, it wouldn't be the first time an occupation received special treatment, says Rosanna Berardi, managing partner and U.S. immigration lawyer at Berardi Immigration Law in Buffalo, N.Y. "Currently, there's a shortcut to getting a green card for certain occupations that the government has designated to be in short supply and are critical to the U.S. economy," Berardi says. "Most of them right now are related to medical skills."

Federal legislation, such as the Nursing Relief for Disadvantaged Areas Act of 1999, created a special visa classification to encourage more foreign-born nurses to come to the U.S. to deliver care in rural communities.

"If there is truly that volume of need, then perhaps the tech industry could flex some muscle and get cybersecurity on that list," Berardi says.

Not for everyone

Not every U.S. company would welcome H-1B security professionals, says Janulaitis. "Many C-Level executives do not feel comfortable with security being done by non-U.S. workers who are not on shore or are outsourced," he says. "When they have a choice, the idea that an H-1B is responsible for security is not one they relish unless there is some assurance that they will remain with the company."

Some leaders believe that using an H-1B employee who is a contractor gives them less control and agility when responding quickly to cyber attacks, Janulaitis says. "On the other hand, companies like Microsoft and Apple offer real opportunities for security specialist and are hiring for the long term." Both companies have a long-term view for their visa employees and have good internal training programs in place "with real career paths for the best-of-breed technologist that they hire with H-1Bs," he says.

Too early for some to weigh in

Meanwhile, several cybersecurity industry organizations that could potentially play a role in advocating for more cybersecurity workers in the H-1B visa program remain tight-lipped. (ISC)², a global, non-profit with 123,000 members, specializing in educating and certifying information security, declined to discuss the program. The Center for Internet Security, which focused on enhancing the cybersecurity readiness and response of public and private sector entities, also declined comment, as did the Information Systems Security Association (ISSA) a community of international cybersecurity professionals dedicated to advancing individual growth, managing technology risk and protecting critical information and infrastructure.

They'll have plenty of time to make their case, as this year's rules are already in place. U.S. Citizenship and Immigration Services will begin accepting new H-1B applications on April 1, and the new H-1B visa recipients can't start working until Oct. 1, 2017.

A renewed push for cyber education

Regardless of whether cybersecurity skills get special treatment in the H-1B visa program, one of the potential benefits from this renewed push for cybersecurity and the attention brought to the cybersecurity skills deficit may be greater investment in U.S. education.

"It's evident that we're not investing as a country in these [cybersecurity] skills... but there really has never been a push to fill our needs domestically. Now there is motivation," Schueler says. "There will be a lot of short-term pains," but Schueler believes the result will be more funding for university cybersecurity programs. Janulaitis hopes he's right.

"We need an educated population of college graduates who focus on both math and the science," Janulaitis says. "It is much easier to grow our skill base if we have the professors who can teach those subjects. China, for example, is graduating more students from it universities in robotics on an annual basis than we have in total."

U.S. students should also occupy more of the advance degree slots at U.S. universities than H-1B visa holders do, he adds. "It is not the U.S.'s role to educate the world," Janulaitis says.