The pros and cons of government cybersecurity work

Cybersecurity is a growth industry, with rapidly increasing demand for qualified professionals in government and industry and a growing number of schools offering courses and degrees. But a couple of security bloggers warn that cybersecurity jobs in large enterprises, especially government, are likely to be frustrating.

Mike Subelsky, who describes himself as a hacker and entrepreneur who has worked in cybersecurity for eight years in the military, as a government civilian and as a contractor, describes the work as uncreative, bureaucratic and restrictive.

“In classified settings, you are severely restricted in the sources and kinds of technologies you use,” he writes. “You won't have admin permissions on the machine you're working on. Forget installing Chrome with the latest extensions, you'll be lucky to get Version 2 of Firefox!  Or you might not have access to the Internet at all!”

Related stories:

Cybersecurity is hot on campus

Cybersecurity boot camps are a start toward a skilled workforce

A like-minded blogger identified as NetSecGuy wrote that “the government leads in cyber-boring.” Not only is the technology outdated, but management has no clue and information is seen as something to be hoarded rather than shared.

All of this probably is true. Many government workers I’ve known, although they tend to stay in their jobs because of the security, make similar complaints regardless of their job descriptions. Most of these drawbacks have little to do with cybersecurity per se, but are endemic to large, buttoned-down organizations, not just government. But there also are upsides to cybersecurity work in government that should be considered.

Although there are regulations restricting the types of information technology that can be used and defining their configuration, the government does have power users. Science-oriented organizations such as NASA, the National Oceanic and Atmospheric Administration and the Energy Department’s national labs often are at the cutting edge of science and technology, and at least a few lucky people have some great toys to play with. A security worker who gets into the right position could end up protecting and using some pretty cool tools.

The systems and data being protected at other agencies also are important. Although every agency has its routine back-office business systems, there also is a wealth of sensitive and critical data to protect. State secrets. Military plans. Things that spies from other nations are dying to get their hands on. These stakes add some interest to the game.

Finally, you’ll be going up against the best. Well-funded foreign espionage programs and sophisticated criminals are targeting government IT systems. If you can detect and keep them out, you’ll be at the top of the game.

Unfortunately, this does not change the likelihood that the rank-and-file of government cybersecurity workers probably will be doing routine administrative chores rather than playing high-tech games of spy vs. spy, and they will be able to expect little gratitude from their country or coworkers.

“In many of these jobs, you're going to find yourself acting as an enforcer, a mere gatekeeper,” Subelsky writes. “You'll be telling the creative people in your organization all the things they can't do or aren't allowed to have.”

But there is something to be said for being dependable. As one reader responded on the blog, “There is something attractive about a high-paying position with job security. I want one of those. Yeah I might work on something boring, and may have to sell my soul. But at least I can pay my mortgage, right?”

The current generation of cybersecurity professionals tends to be zealots; people who are passionate about computers, coding and hacking, who started out as teenagers spending hours in the basement playing with gadgets, educating themselves to the point that they are co-opted by organizations where they find themselves bored. The next generation will be young professionals who choose cybersecurity as a career path and enter the field with a different set of expectations.

We’ll lose something along with the passion, but they’ll be able to pay the mortgage and we’ll have the minds and hands we need to keep watch on our cyber defenses.