- Alissa Irei, Senior Writer
A 22-year-old hacker without a degree might not look like a candidate for a six-figure public-sector job, but the Department of Homeland Security's Christopher Krebs wants the federal government to look twice.
Krebs, director of the DHS Cybersecurity and Infrastructure Security Agency, said the longstanding General Schedule pay scale -- which bases federal job requirements and employee salaries on stringent education and experience metrics -- hamstrings the department's cybersecurity hiring practices to disastrous effect. Krebs and his DHS colleagues want flexibility to bring on less conventional hires -- a network administrator with a keen interest in security, say, or a self-taught tech whiz with a decade of informal yet substantive experience.
"By the standards we have in place right now, I can't reward that person and pay them the way they could be paid in the private sector," he recently told the U.S. House of Representatives' appropriations committee.
To help fill the cybersecurity skills gap, Krebs has helped spearhead a new initiative called the Cyber Talent Management System, expected to debut in early 2020, which will allow DHS hiring managers to consider a wider range of candidates for security positions and offer them more competitive, market-aware salaries.
Experts say that organizations across both the public and private sectors need to be more flexible and creative when hiring as employers grapple with an escalating cybersecurity skills gap. The nonprofit (ISC)² counts nearly 3 million open and unfilled positions globally, with 500,000 of those in North America. And among cybersecurity pros the group surveyed, almost 60% said their organizations are at extreme or moderate security risks due to understaffing.
Kayne McGladrey, a member of the IEEE and director of security and IT at Pensar Development, based in Seattle, believes the industry can do its part to reframe and rebrand the cybersecurity field to address the cybersecurity skills gap.
"There's a perception that it is all hands-on-keyboards -- people sitting in a basement somewhere drinking soda," McGladrey said. "That perception, unfortunately, drives a lot of talented individuals who would have made a lot of meaningful contributions to the field to make other career choices."
McGladrey wants security pros to talk to their colleagues, friends and families about the field and its diversity of roles. He also urges organizations to widen their candidate pools to include those with more varied backgrounds and life experiences.
"Right now in cybersecurity, we're doing the same thing over and over and expecting a different result -- the definition of insanity," he said.
To fill the gap, get creative
Joseph Blankenship, a senior analyst for security and risk at Forrester Research, suggested that organizations look inward for current employees who might be well suited for security careers -- then recruit and train them for those new roles.
"In years past, people found their way into security almost by accident," Blankenship said. "Maybe they got some experience using open source hacking tools and said, 'Wow, this is kind of neat. I think I might want to do this as a job.' And then they go out and they try to find the job on their own."
But in today's hiring environment, security leaders can't afford to wait for those candidates to come to them. Instead they need to actively look, both internally and externally. They should focus on temperament, aptitude and skill over traditional education and experience.
"A lot of the best security operators I know don't have a lot of formal education," Blankenship said. "They may have a bachelor's degree but doubtful; they probably don't have a master's degree. A lot of them went to trade schools. A lot of them were very much self-taught."
McGladrey agreed, saying he looks for candidates with a fundamental understanding of security as a discipline, the ability and inclination to learn, and the tenacity to fight uphill against emerging threats.
"Those key attributes aren't embodied in a certification or a diploma," he added.
McGladrey also cautioned security leaders against shopping for candidates with experience using specific technologies tailored to their environments.
"A lot of organizations try that -- not a good idea," he said. "The security technology stack changes every six months to a year, so looking for somebody to help me fight last year's battle isn't really productive."
Both Blankenship and McGladrey urged hiring managers to scrutinize job listings for unrealistic or overly narrow requirements, what Blankenship calls "looking for unicorns."
"We see examples of job descriptions for entry-level people with very low salary ranges and then an incredible amount of requirements -- bachelor's degree, master's degree, five to seven years of experience," he said. "Those people don't actually exist, and if they did, they would not be affordable."
According to McGladrey, HR's fear of bringing in the wrong person -- and indirectly causing a breach -- often drives such postings. That, in turn, fuels the perception that there's an insurmountable shortage of security candidates, he said, when, in fact, a broad spectrum of diverse, talented individuals exists if organizations are willing to find and train them.
But security leaders need to make the case to HR for hiring people based on aptitude and skill, even if they aren't "a certified ethical hacker since 2000, with 10 years of experience with Kali Linux and a Purple Heart."
"Flexibility is really important" to successfully fill the cybersecurity skills gap, McGladrey said.
Money matters … but it isn't everything
Blankenship said security leaders must also convince the business side to offer competitive salaries that reflect the broader marketplace.
"Supply and demand is at play here, and the shortage of cybersecurity talent is definitely driving higher salaries," he said. "If we don't have salary bands in line with workers' expectations, then we've got an issue."
Blankenship added that for some workers, however, compensation might be less important than factors like professional growth and engagement.
McGladrey agreed, saying some workers also decide that meaning outweighs money. A federal cybersecurity pro combatting election interference, for example, might choose not to pursue much higher paying roles in the private sector.
"It goes to the individual's sense of contributing to society and the greater good," he said. "A certain type of person is going to look at that work and say, 'I'm serving the country.'"
But to tap into a sense of purpose, McGladrey added that organizations must articulate their missions effectively -- to both prospective and current employees.
"If you frame it just as dollars and cents and don't put value behind it, you're really limiting the conversation as an organization," he said.
Nicholas Davis, CISO for the University of Wisconsin System, agreed that money isn't everything.
"You need to figure out a unique angle that other companies and industries don't have," he said, adding that his organization boasts a great work-life balance, exceptional benefits, institutional stability, opportunities for long-term growth and a clear career development path.
"You have to outshine the competition in some unique way," Davis said. "Not everybody is motivated by the highest possible salary."
According to Blankenship, compensation often comes into play in situations where an employee is unhappy for other reasons.
"No one is going to stay in a bad position for below-average compensation," he said, noting that factors like boredom, managerial issues, poor benefits and lack of training opportunities all hurt employee retention. "That's when you start saying, 'Am I making enough money here to justify dealing with this situation that is not ideal?'"
Blankenship added that security leaders must have a robust strategy for retaining employees, not just hiring them.
"It's about evaluating a security professional and figuring out what really makes them tick," he said. "That requires that we put on our thinking hats and have career planning for everyone on the team."