Feds Desperate to Hire Information Security Pros

by Mathew Schwartz

You’ve probably heard the government is facing a shortage of information security – or as the Feds always say, "cybersecurity" – talent, leaving the nation vulnerable to online attacks. Here are some details.

"There are about 1,000 security people in the U.S. who have the specialized security skills to operate effectively in cyberspace. We need 10,000 to 30,000," says Jim Gosler, a fellow at Sandia National Laboratories who was the founding director of the CIA’s clandestine information technology office. 

Part of the problem is the dearth of truly technical security certifications. For example, a cybersecurity study from the Center for Strategic and International Studies found that "the current professional certification regime is not merely inadequate; it creates a dangerously false sense of security" because many certifications emphasize complying with checklists, rather than directly safeguarding networks or knowing how to rip apart malware and build better defenses.

Hence the clear and present government job opportunity: To be one of these in-demand technical security experts. But whether you’re mid-career or just starting out, how do you get the advanced technical skills required while navigating the "black hole" of government hiring, to land one of these cybersecurity positions?

Hobnob with a TLA 

Provided you’re a U.S. citizen, perhaps the most direct route to landing a cybersecurity job, especially at a TLA (three-letter acronym) agency – CIA, DHS, NSA – is to get either an undergraduate or graduate-level information security degree. Consider attending a program at a university on the National Science Foundation’s federally funded research and development center list, since out of the gate, they’ve got government ties and will regularly draw government recruiters. 

Trade a Free Ride for Two Years’ Work 

Likewise, 29 institutions – some also on the FFRDC list – participate in the NSF’s Scholarship For Service grant program.

First, you work in security for the federal, state or local government, or at Lincoln Laboratory (part of MIT), MITRE Corp. or Sandia – all of which offer private-sector-level pay – for two years. Then you complete a one-month (paid) government summer internship after your first year of graduate school. SFS provides full tuition reimbursement, a generous monthly stipend and a fast-track to government employment. 

Furthermore, most SFS participants have a job offer in hand by the fall of their second year, which means that if they ace their background check – getting a "top secret" clearance, required for most Pentagon cybersecurity work, which can take six to nine months – they start work upon graduation. 

"Those students, obviously, don’t have a very difficult time getting a federal job, because one, they have to, and two, there are a lot of mechanisms in place, such as job fairs," says Jennifer Burkett, director of career services and external relations at Carnegie Mellon University in Pittsburgh, which offers a master’s degree in information security and is part of the SFS grant program. 

Degree programs aside, what else can give you an edge? Burkett recommends networking as much as possible, perhaps with college alumni, so you’re not just firing resumes into the ether. Government internships help, too. 

Jobs with Benefits 

Must government cybersecurity job holders swap higher pay for prestige, personal satisfaction or patriotism? In fact, the pay can be relatively good – generally within $5,000 to $10,000 of what private-sector companies pay, reports Burkett.

The benefits are also good, including the workday. "I guarantee that if you work for the government, you’re not working as many hours as on Wall Street, or professional services," says Lee Kushner, president of LJ Kushner & Associates, an information security recruitment firm in Freehold, N.J., that conducts an annual salary survey.

Cracking the Government Code

But landing a government cybersecurity job can be a daunting process. "There are a lot of young people or people with these (required) skills who would like to work with the government, but their resumes go into a black hole," says Kushner. Aside from a form e-mail, they may never hear back. 

But with the current cybersecurity worker shortfall, expect to see changes, and soon. 

"Everyone knows their machines are being attacked constantly at the federal and commercial level, and they realize they need to bump up the resources, and they realize that’s going to take real money, not happy talk," says Phil Lieberman, CEO of Lieberman Software in Los Angeles. He’s been participating in the current congressional efforts to craft a new cybersecurity bill, which may pass as soon as September.

Interestingly, "the evolving cybersecurity bills have language to provide more flexible incentives to recruit more people to this field," says Lieberman. That’s because when it comes to what the government must do next to improve national cybersecurity, there’s no mystery.

"Hiring smart and adaptable people will always be the best cybersecurity defense," he says.

Mathew Schwartz is a freelance writer based in Pennsylvania.

11 Responses to “Feds Desperate to Hire Information Security Pros”

  1. Tom Brown

    I have already built a Reactor Control System for Sandia Labs (Computer Controlled) for fission reactor. This took place back in late 1980’s when I worked for Gamma Metrics in San Diego, CA. I passed all the audits (NRC, Sandia Labs, and in house). Have over 30 years worked in fields for companies with contracts by DoD (ex-Navy), FCC, FDA and NRC, because of age and two associates in computers and electronics I never get called back to interview for high tech companies now. Experience used to be everything along with a little college to get most any high tech job. Not any more! Still trying to find some company that really cares. Single and willing to do whatever it takes. Tom Brown (moonshadow323@yahoo.com)

  2. Richard Quinn

    I am 61 yrs old, have an associates in applied science, computer information systems, work with the Univ of Ky now for 34 yrs, 10 of which in wide area computer networking, but because of budget cuts am losing this position. I don’t have the CCNA yet but am studying for it. Would love to find another position to take retirement, but cannot afford to leave here without another job, or a source of income, I make $30K now, which is barely enough. Would love to relocate but only to the deep deep south of Florida or where it’s hot. Any possibility I could get into this program?

    If possible please contact me as early as possible to discuss it.

    Richard Quinn

    207 Hickory Hill Drive
    Nicholasville, Ky. 40356
    ph 859-553-2269


    All this rhetorical babble is fine, as long as you are young (with college debts) and NOT told you are “OVER-QUALIFIED” at everything. Now, The U.S.Congress even denies life for anyone except the rich. I just want employment to pay my cost of living expenses …nothing fancy.

  4. Richard Parrott

    In general, I disagree with Mathew’s report on how to get a federal job in cybersecurity. It is my experience that the people with the Information Assurance (IA) jobs (2210 series jobs, found on usajobs.gov) are usually prior active duty military who were ‘groomed’ for these positions. Their training was application specific for the command they retired from. Their certifications came after the fact.

    If you want to know what the federal government wants, check out International Information Systems Security Certification Consortium, Inc., (ISC)² web site on DoD Directive 8570.1 (https://www.isc2.org/dodmandate/default.aspx), or just Google DoD Directive 8570.1.

    Bottom line: Get either CompTIA Security+ or CISSP, either Microsoft or Unix certifications or both.
    It doesn’t matter if you have a Ph.D., certifications are king.

  5. If you just want to get training and certification in information security, check out the SANS Institute. Learn the relevant skills faster than a degree program for less money, lots of different programs and delivery methods available. You also retain the freedom to change jobs once you’re certified, not tied to a two-year contract.

  6. Garry Hurley

    I currently have a B.S. in Information Technology – Applications Development Concentration, with a Math Minor. I am also working on an MS in Information Systems Management. To the gentleman who says that only young people have student debt, I reply that I started my BS at 32 and finished at 36, and still owe about $35 k on that score. I was a few days short of 40 when I started my MS in October of last year. When I finish my MS in May of 2011, I estimate I will have over $100,000 in student loans. My budget for paying them off shows I should finish paying for my education sometime after my 70th birthday if I continue to pay at the current rate. My mortgage should be paid off when I am 68, and my current car loan should be paid off when I reach 45. If I don’t buy a new car, or get myself into credit hell before then, that is. Tell me, what part of this sounds “young” to you?

    To the guy who asked what certificates will help him get into the market without a degree – don’t be lazy. No offense intended, but if I could get my BS in my 30’s and my MS in my 40’s, why can’t you? Believe it or not, most IT managers look at certificates as a joke. All they do is get you the interview. Experience gets you the job. A manager I know just interviewed a Red Hat Certified Linux Administrator who built his own router and wrote his own router software, but he did not know which ports common services used. Certificates involve passing a single test. Degrees actually help to round out your education by offering you a chance to deal with people. I suggest you at least try for an AS degree. If they pass the law today, it won’t take effect for another year at least, and then it will take up to two more for agencies to take advantage of the hiring boom. You have time.

  7. If there is a shortage, why federal government agencies grab a ton of thousands students major in computer looking for job? Thirty years ago, many undergraduate computer students got a job offer before they graduated.

    Government can train the veteran, the unemployed people or anyone willing to learn a new thing.

  8. Alan Rosen

    These jobs will invariably require a security clearance and acquiring one is a very costly and time consuming process. Almost no one, neither government nor private industry, is willing to invest this much on new untried employees. Unless you already have at least a security clearance, there is no chance in hell you are going to get such a job. There are way too many unemployed technical people and employers are well to believe they have their pick and can just hire people with all the requirements so they can start working from day one! These days, degrees are meaningless and certifications will just get you in the door for consideration. Fortunately, these jobs require US citizenship and cannot be filled with foreign workers.

  9. zbtcseipai

    40 years ago, the military and government agencies took people with aptitudes for data processing and continuously trained their people until they acquired the skills necessary to perform at high levels of expertise. Today, no one trains. Instead, you are expected to be trained and knowledgeable in all of the areas that an employer requires. In addition, there is the perception that you must be aged 18 – 30 years and have all sorts of degrees and certifications in order to understand computer concepts in today’s global environment.

  10. I’m an operating systems security evaluation experienced INFOSEC / COMPUSEC type and I’ve lost security positions because I lack the right certifications. I’ve worked under three different evaluation regimes on three or four O/S releases.

    There’s more to security than the ability to point and click on a router configuration page or tell everyone to run a virus scanner on their PC — which seems to be just about all any employers looking for a “security engineer” look for.

    Ten years ago I could flash my NSA letters and other goodies and people knew I knew my stuff. Now I have to have certification du jour that covers “which command do you use to change the password on XYZ operating system.”

    Feh. When companies get tired of being hacked, that’s when certification alphabet soup will stop being what they use to make hiring decisions.