- Everyone wants "cyber" security but who are you going to hire to provide it?
- How many people are actually technically qualified for what you need?
- How many can you possibly afford to hire?
- How many are willing to move to the locale where you need them?
The issues I have above apply to everyone who wants their IT infrastructure secured whether they are private businesses, public corporations, or a even government agency. The Government however has a few more hurdles to jump through:
- Once someone meets all of the above criteria can they get the right clearance level?
- Once the can get a clearance does the government have the pay structure in place to actually pay these rarefied folk what the market says they are worth?
- How many computer/network/web security specialists who meet all these criteria are out there who actually want to work for you?
These last requirements are proving to a real problem both for the government and the private sector. there is a massive labor shortage in the IT security area and it won't be going away soon.
While labor alone didn't cause the Air Force Cybercommand freeze it has certainly contributed to it. At one point this effort was attempting to recruit Network Security Team Leads with TS/SCI clearance with a Lifestyle Polygraph addendum in the Washington D.C. area (not New York expensive but also not Sierra Vista cheap) for ~$65K/year. My response to the recruiter was: "Good luck with that, maybe you should just try hanging out in front of ITT tech to see if you can get takers."
The core of the issue is that the demand for cleared, qualified, and available security personnel is vastly outrunning the supply. This drives wages up for those few that exist into areas that the government simply can't pay.
A quick rundown of orgs looking to hire:
- The Army : The Army has a very large world-wide organization devoted to IT security employing tens of thousands of IT folk. 90% of these jobs require clearances and IT certifications.
- The Pentagon: Has a similar but smaller organization with higher security requirements.
- The Navy : Again a smaller mirror to the Army organization
- The Air Force : Already has the Army analog but wanted to dramatically expand and centralize with the now-frozen CyberCommand.
- Department of Homeland Security : Is attempting to stand-up a mirror of the Army's org.
- Border Patrol : The "Virtual Fence" project alone is gigantic in scope for IT let alone the BP's normal IT stuff.
- The FBI has a very large IT security/forensics operation.
The private sector will also be competing for the same people who are qualified to hold these jobs. The labor pool to fill all of these position simply doesn't exist. As a quick example here is a listing of all the folks holding the GISF certification: All 758 of them. How many of those have clearances or can't/won't work for the government?
We can't just wave a magic wand and get enough skilled, experienced, and willing security folks. Bottom line is : Get your security certs and your livelihood is essentially guaranteed.