What Will it Take to End the Public Sector’s Cybersecurity Talent Gap?
The difference between the number of open cybersecurity positions and the number of people able to fill those roles has skyrocketed in recent years.
Everything gets more complex over time. That’s true according to the second law of thermodynamics and of the cybersecurity skills gap. A decade ago, the cybersecurity industry suffered a shortage of 10,000 professionals. Today, that number has reached 2.72 million. How did we manage to get to this point?
For one, the approach to solving the cybersecurity talent gap focuses too much on filling experienced positions and not enough on welcoming true entry-level candidates. Nearly 400 cybersecurity programs exist in the U.S. today, but there aren’t enough entry-level positions open within the public sector to meet the demand from graduating students.
The good news is that both the public and private sectors recognize how critical it is that we find a solution to bridging the gap between talent and open positions. In July, the Biden administration held its first National Cyber Workforce and Education Summit at the White House, bringing together leaders from the private sector, public sector and even academia to identify solutions to help fill cybersecurity jobs.
While the discussions during that Summit have yet to be made public, the following offers a few suggestions for what should have been proposed.
Adjust your entry-level expectations
The public sector can be deliberately hard to understand. From the multiple terms and acronyms used to describe programs and agencies, to an incredibly complex technological infrastructure, beginning a career in government can seem daunting. That is compounded when realizing even entry-level roles often require at least five years of experience. Many cybersecurity job descriptions highlight requirements for certifications and achievements, which can only be earned after a certain amount of time in the field.
Instead of having such high expectations for entry-level candidates, which will only continue to leave hundreds of jobs unfilled, government agencies need to update their job descriptions to be truly entry-level and seek out college graduates or individuals who might have just completed a cybersecurity bootcamp or training program—and who have yet to gain any experience.
It would also be beneficial to look at talent that might not come from a STEM field. Candidates with backgrounds in history or English can bring skills like analytical thinking and communication to the table—skills that are often a lot harder to teach than computer science.
Be open to the fact that on-the-job teaching will be required.
Promote from within
Both the private and public sector should aim to promote from within their current organizations. Whether it is someone who has already been working on the IT or security teams or someone who might be interested in transitioning from another department, agencies need to be open to hiring individuals with a diverse set of skills.
Establishing agency-specific cybersecurity apprenticeship programs would enable interested candidates from non-technical backgrounds to receive hands-on training without having to go back to school—and without needing to further delay the ability to fill critical roles quickly and from within.
Promoting from within also helps build loyalty and trust among employees. Giving employees the opportunity to grow within their careers signals that you value their hard work and will make them more willing to stick with the agency, even in tighter and more competitive job markets.
After all, as Jen Easterly aptly shared during a discussion at RSA, “... nobody really comes into the government to make money. They come in, because they are motivated to raise their hand to support and defend the Constitution of the United States and defend their nation and America.”
But the public sector should still seek to close the public-private compensation disparity.
Level the income playing field
Despite suffering from an equally severe cybersecurity talent gap, private organizations often come out ahead because of their ability to offer candidates higher salaries. Recent data from labor market research firm Lightcast.io found cybersecurity professionals in the private sector make 14% more than their public sector counterparts.
To solve the pay disparity between the public and private sectors, government agencies should allocate more of their spend toward talent acquisition. The president’s budget plan for fiscal year 2023 includes $10.9 billion for cybersecurity to “help improve the protection of federal infrastructure and service delivery against sophisticated cyber threats.” One could argue that infrastructure includes talent, and by directing more funds toward an increase in salaries, the public sector could start to see an increase in interested applicants.
But these are only three potential avenues for helping to close the cybersecurity talent gap. Those in the private sector must continue to cooperate and converse with the government and agree to share their ideas, successes and failures, in order to continue to identify long-term solutions. We’ve got a long way to go, but by coming together, we can help pass legislation that will improve existing hiring programs that work, continue to invest in our current cybersecurity workforce and ultimately improve our national security.
Tom Kennedy is the vice president of Axonius Federal Systems, LLC.