The cybersecurity skills shortage has been discussed in many different ways over the recent years, but a successful...
hiring event held by the Department of Homeland Security has some wondering if that event was a sign of optimism or an outlier.
The Department of Homeland Security (DHS) held a two-day hiring event "aimed at filling mission-critical positions to protect our nation's cyberspace" in July. According to a new blog post, that event garnered "over 14,000 applicants and over 2,000 walk-ins" and culminated with more than 800 candidate interviews and "close to 150 tentative job offers."
Angela Bailey, chief human capital officer at the DHS, said in a blog post that the DHS "set out to dispel certain myths regarding cybersecurity hiring," including the ideas that there is a cybersecurity skills shortage and that organizations cannot hire people "on the spot."
"While not all of them were qualified, we continue to this day to hire from the wealth of talent made available as a result of our hiring event," Bailey wrote. "We demonstrated that by having our hiring managers, HR specialists, and personnel security specialists together, we were able to make about 150 job offers within two days. Close to 430 job offers have been made in total, with an original goal of filling around 350 positions."
Gunter Ollmann, CSO at Vectra Networks, said although the event "was pitched under the banner of cybersecurity, it is not clear what types of jobs were actually being filled," and some positions sounded more "like IT roles with an impact on cybersecurity, rather than cybersecurity-specific or even experienced infosec roles."
"Everyone with a newly minted computer science degree is being encouraged to get into cybersecurity, as the lack of candidates is driving up salaries," Ollmann told SearchSecurity. "Government jobs have always been popular with recent graduates that managed to scrape through their education, but would unlikely appear on the radar as interns for larger commercial organizations or research-led businesses."
Chris Sullivan, CISO and CTO at Core Security, agreed that the DHS event may not be indicative of the state of the cybersecurity skills shortage.
"It looks like DHS executed well and had a successful event, but we shouldn't interpret that as a sign that cyberdefender resource problems are over. In fact, every CISO that I speak to has not seen any easing in the availability or cost of experienced resources," Sullivan said. "In addition, the medium to long-term solution requires both formal and on the job training -- college curriculum is coming, but much of it remains immature. We need resources to train the trainers."
Derek Manky, global security strategist at Fortinet, warned about putting too much into just a few hundred positions compared to the potentially hundreds of thousands of cybersecurity jobs left unfilled.
"The DHS numbers are relatively small compared with the overall number of unfilled positions," Manky said. "Part of the solution is to build better technology that requires less human capital to be effective and can evolve to meet shifts in the threat landscape. Additionally, the market needs to better define what skills a cybersecurity professional should hold and use these definitions to focus on efforts that can engage and develop a new generation of cybersecurity talent."
Rob Sadowski, director of marketing at RSA, the Security Division of EMC, said this event might be cause for optimism regarding the cybersecurity skills shortage.
"The experience that DHS shared is encouraging because it shows a groundswell of interest in cybersecurity careers. This interest and enthusiasm needs to continue across the public and private sector if we are to address the still significant gap in cybersecurity talent that is required in today's advanced threat world," Sadowski told SearchSecurity before hedging his bet. "The talent pool in an area such as DC, where many individuals have strong backgrounds in defense or intelligence, security clearances, and public sector agency experience contributes significantly toward building a pool of qualified cybersecurity candidates that may not be present in other parts of the country or the world."
Bailey attributed some of the success of the DHS event to proper planning and preparation.
"Before the event, we carefully evaluated the security clearance requirements for the open positions. We identified many positions that could be performed fully with a 'Secret' rather than a 'Top Secret' clearance to broaden our potential applicant pool," Bailey wrote. "We knew that all too often the security process is where we've lost excellent candidates. By beginning the paperwork at the hiring event, we eliminated one of the more daunting steps and helped the candidates become more invested in the process."
Bailey noted the most important advice in hiring was to not let bureaucracy get in the way.
"The most important lesson learned from our experience is the value of acting collaboratively, quickly and decisively. My best advice is to just do it," Bailey wrote. "Don't spend your precious time deliberating over potential barriers or complications; stop asking Congress for yet another hiring authority or new personnel system, instead capitalize on the existing rules, regulations and hiring authorities available today."
Sadowski said rapid action is a cornerstone of an effective security program, but noted not all organizations may have that option.
"It's great that DHS has the luxury to act decisively in hiring, especially from what they saw as a large, qualified pool," Sadowski said. "However, many private sector organizations may not have this freedom, where qualified potential hires may require significant commitment, investment and training so that they understand how security impacts that particular business, and how to best leverage the technology that is in place."
Learn more about how the cybersecurity skills shortage can be fixed.
Find out how to live with the cybersecurity skills shortages.
Get info on why there is a delay in adopting new tech because of the skills shortage.