Federal IT security workforce could double in 5 years*
*If budget crisis goes away, enough security pros are available, and execs get everything they need
- By William Jackson
- May 09, 2011
Based on a recent survey of federal C-level executives, a white paper from Frost & Sullivan predicts that the federal IT security workforce will more than double, from 27,000 workers in fiscal 2010 to 61,299 by 2015.
That really is more of a wish than a prediction, however.
“This is their assessment of what they would need,” said W. Hord Tipton, executive director of the International Information Systems Security Certification Consortium, which commissioned the study. “You never get what you ask for.”
That is, unless there is a catastrophe of some kind that breaks all of the rules and loosens the purse strings, said Tipton, a former Interior Department CIO.
This raises a couple of questions: Barring a catastrophe, where are all of these new security people going to come from, and how is the government going to pay for them? There is a shortage both of trained professionals to perform the increasingly demanding and vital job of protecting IT networks, systems and the data they contain, and of budget dollars to pay them.
Agency CIOs and chief information security officers had better invest heavily in technology to automate as many security tasks as possible, because the manpower crunch is not likely to end soon.
The survey questioned 145 U.S. government C-level officials as part of a larger Global Information Security Workforce Study and broke out the government information in a separate report. It concluded that the concerns of the government sector no longer are as distinct as they once were.
“As corporate entities have been forced to adhere to tighter regulatory requirements and more attacks, the issues facing both government and commercial C-level employees have merged,” the report states. At the same time, government is adopting the same tools and technologies that are being used in the private sector, such as cloud computing, social media and mobile networked devices.
A benefit of this convergence is that it commoditizes IT, making it more affordable and creating standardized platforms that should be easier to manage. On the downside, it creates a standardized target surface that could be easier for attackers to exploit and puts the government in the position of competing more directly with the private sector for its workforce.
A number of efforts — from high school contests to college cybersecurity curriculums — are under way to identify and encourage students who might be interested in IT careers and to increase educational opportunities for them. But it takes a while for these programs to begin producing sizable numbers of graduates, and Tipton says “we still haven’t developed a career path” for these graduates once they enter the federal workplace.
He also complains that although colleges can teach the broad basics of cybersecurity, they do not provide the hands-on expertise needed in the workplace. He said (ISC)² has begun working with schools to provide the classroom expertise that will enable graduates to “hit the ground running.” It has made its Common Body of Knowledge available as teaching materials for schools, and “we’re starting to get some takers on this,” Tipton said.
At the same time, the government is “putting its money where its mouth is” in recruiting skilled workers, Tipton said.
“Salaries in the U.S. federal sector bucked the myth that government jobs pay less than private-sector jobs,” the report concluded. “The U.S. federal C-suite reported very competitive salaries when compared to private-sector CXOs.”
But how long this will last in the current budget crisis environment on Capitol Hill, and how those salaries will translate to the bottom ranks where new workers are being recruited, is anybody’s guess.
It would be a good bet that, for the foreseeable future, government IT security jobs will continue to include long hours and large responsibilities, but at least the people who hold them should have the satisfaction of knowing they are needed.
William Jackson is a freelance writer and the author of the CyberEye blog.