US CIO Tony Scott on fixing cybersecurity's talent gap

At a Passcode event Tuesday, the US chief information officer said the federal government wants candidates who know languages, biology, and anthropology to fill cybersecurity roles – and one of its most important hires, the new chief information security officer, will be announced within 30 days.

White House Chief Information Officer Tony Scott (l.) spoke with Passcode on Apr. 12 about fixing the pipeline into the cybersecurity workforce.

Michael Bonfigli/The Christian Science Monitor

April 13, 2016

If you're trying to recruit employees to help defend your organization's computer networks against malicious hackers, good luck. You've got a lot of tough competition.

US government agencies and businesses are scrambling to bolster security operations teams to defend against breaches such as last year's massive data spill at the Office of Personnel Management. US Chief Information Officer Tony Scott revealed on Tuesday that the government will announce the hiring of a Chief Information Security Officer in the next 30 days – a step toward dealing with that problem. 

But even though the Obama administration has pledged $62 million to build a more robust digital security workforce – and private sector companies are promising six-figure salaries to so-called "white hat" hackers – experts say there still aren't enough qualified candidates to go around. In fact, the cybersecurity firm Symantec projects demand for cybersecurity jobs could fall short by 1.5 million people worldwide by 2019.

In nod to Silicon Valley, Pentagon opens door to hackers

On Tuesday, Passcode hosted an event in Baltimore to explore the newest ideas and approaches to close the cybersecurity skills gap that featured Mr. Scott and leading figures in digital security from firms such as CrowdStrike and CyberVista. The full video of the event is available here.

Here are some key takeaways from the event:

1. It’s not just a supply problem

Sure, fixing the cybersecurity workforce has a lot to do with hiring the right people, but employees must constantly adapt to new threats – from the viruses that maliciously encrypt vulnerable files to massive data breaches – to stay up to speed.

"It’s not an area where you can go to school, learn something, and then just sit on your hands for the next 30 years," said Scott. "It’s kind of an eyes-wide-open field where you have to keep yourself continually educated."

Tracing fentanyl’s path into the US starts at this port. It doesn’t end there.

2. Think outside the network

A lot of network defense comes down to keeping the bad guys out. But with US government agencies and companies facing threats from adversaries such as Chinese hackers, Russian cybercriminals, and the Iranian military, that doesn’t just mean scanning your systems for malicious software. Maybe you could help out by deciphering notes on code written in a foreign language – or by understanding the cultural motivations behind a hack.

"Cyber is a global problem and we need people that speak every language on the planet," Scott said. "We need people with all kinds of different skills. We need cultural anthropologists. I’m looking for people who understand biology and cybersecurity. There’s no area where we’re full up, we need everything."

3. It's not just about the money 

Scott knows firsthand that the federal government doesn't pay like the private sector – he had to take a pay cut to join the White House from the software firm VMWare. But, he said, going to Washington is about more than the money. 

"Yes, I’d like to see these roles pay better – but at some level, these are some of the most challenging and important roles that you can play," he said. "For me, this was the challenge and the opportunity of a lifetime."

Scott said that the US government has cut down the list of candidates for the federal Chief Information Security Officer position to a handful of candidates – and expects to announce a decision within the next month.

4. Open things up for US government hackers

Want to get more hackers into government service? US government agencies should stay in the loop with private companies, said Jason Geffner, CrowdStrike’s chief security researcher, and let hackers in Washington show their work at security gatherings such the RSA Conference or the DEF CON hacker convention.

"There’s no communication really across the fields,” he said. "People who are in the private sector who aren’t interested in going into the public sector think it’s important to speak on a panel, speak on a conference. It makes it much less appealing to pursue that career path."

5. Passion is key

Don’t know how to write a line of code? That may not matter, said Simone Petrella, chief cyberstrategy officer at the cybersecurity firm CyberVista. Other key ingredients for successful cybersecurity pros are curiosity and passion, she said.

"At the end of the day, the people who succeed don’t have a degree or a certificate – they’re really good at Googling," she said. “It’s just the passion to explore more and gain knowledge, that just happens to be in cybersecurity.”

Employers also need to better communicate that cybersecurity positions involve much more than sitting in front of a computer all day, said Rodney Petersen, leader of National Initiative for Cybersecurity Education at the National Institute of Standards and Technology (NIST).

"In cybersecurity, there’s probably a stereotype that it’s a loner, it’s a hacker, it’s a person behind a computer screen – which is quite frankly maybe not attractive to somebody who wants to interact with a team," said Mr. Petersen. "You can volunteer, you can work for your institution, you can do things other than independently hacking."