1,000 Cybersecurity Experts

Yesterday, DHS Secretary Janet Napolitano said that the U.S. needed to hire 1,000 cybersecurity experts over the next three years. Bob Cringley doubts that there even are 1,000 cybersecurity experts out there to hire.

I suppose it depends on what she meant by "expert."

Posted on October 9, 2009 at 11:33 AM • 50 Comments

Comments

Shane • October 9, 2009 11:44 AM

Well, if they're anything like the rest of the country, they won't have any misgivings about hiring recent graduates of the 2-year Real Estate Flipper/Network Security Specialist mail-order training programs.

HJohn • October 9, 2009 11:49 AM

@I suppose it depends on what she meant by "expert."
___________

And also what she meant by "cybersecurity," perhaps more so.

In "cybersecurity expert" there are two words that mean different things, or different levels, to different people.

HJohn • October 9, 2009 11:53 AM

@Mark J.: "Ooh, cushy Fed job? I volunteer. Do I have to move to DC, though?"
__________

If there were ever a job that should have a telecommute policy...

jm • October 9, 2009 12:07 PM

So.. if we couldn't get a security clearance before, you think now they'd be willing to overlook stupid youthful... transgressions of the electronic type?

Craig • October 9, 2009 12:23 PM

I could probably qualify as an "expert" in comparison to some of the people they will actually hire. After all, I've been reading Bruce's blog for years.

tim • October 9, 2009 12:35 PM

I receive at least two offers a week from the DC area all looking for highly qualified experienced security 'experts' but pay the equivalent of a high school intern. I always wonder who takes those gigs...

Aviatrix • October 9, 2009 12:36 PM

Could I become a cybersecurity expert in three years? I've got a computer, and hardly any of my passwords are "password." What else do I need?

Eponymous • October 9, 2009 12:41 PM

As someone who makes his living providing personal bodyguard detail and entourage services to high profile cyborgs, I resent the synonymous use of "cybersecurity" and "internet security."

rbtroj • October 9, 2009 12:59 PM

If it's only 1000 openings then they will all be filled by nephews, nieces, and children of golfing buddies.

Paul • October 9, 2009 1:02 PM

Let's say they can in fact find 1000 'true' cybersecurity experts. My guess is only a fraction of them will last the government imposed bureaucracy and paper security rules they will have to endure.

In my experience what an organization needs to have a chance at securing their infrastructure is a core group of people who really care about just that and have very senior management behind their efforts to accomplish their goals.

Trevor Stone • October 9, 2009 1:24 PM

I wonder if they consider hackers cybersecurity experts. I also wonder if they'd hire people with a history of hacking, or if said individuals would want to work for the government.

Although I suppose the U.S. has been doing some very high-profile top-level recruiting on this guy from England...

Frank Bresz • October 9, 2009 1:33 PM

There are plenty of people out there claiming to be cyber-security experts, the challenge of course is that while the population of security experts continues to increase - sum total security IQ remains essentially stable.

Trevor Stone • October 9, 2009 1:33 PM

Word counts:
1 cyberanalysts
1 cyberczar
1 cyberexperts
1 cybernetworks
1 cyberorganization
5 cybersecurity
1 cyberthreats
1 cyberwarfare
That's the most buzz-prefix heavy article I've read in quite some time. It's like the government realized that putting the letter "e" before a word to make it Internet-related is passé, and putting "i" before everything makes it sound like you work for Apple.

Time to get back to looking for a cyberjob in the cyberrecovering cybereconomy...

RH • October 9, 2009 1:41 PM

@Trevor: or adding é to every silent E to make a McDonalds commercial.

(I just had to. As an average American, I can't even find the key to put the accent on "passé," I had to cut/paste from yours =) )

NotAsmo • October 9, 2009 2:19 PM

It's like Y2K all over again.. That lovely smell of fear, government bureaucracy and easy money.. God I love capitalism. If history repeats itself we should have another 'bubble' too..

dmc • October 9, 2009 2:43 PM

I find all of the flap about this story a bit puzzling.

I don't know what exactly they have in mind as "experts", but I'm kind of more interested in knowing what they want these experts to do. If we're talking about a bunch of people to do risk assessments, vulnerability analyses, secure coding practice education, liaising with/leaning on various corporations on security standards for critical or ubiquitous software packages/system (e.g. Office, Windows, Linux, Oracle, etc.), etc. on Federal systems, then yes, I think they could find and would probably need more than 1000 such experts. If they're looking for people to design a secure national infrastructure, then no, I don't think they're going to find 1000 experts, and don't need them, either.

Aguirre • October 9, 2009 3:02 PM

When listening to announcements about cybersecurity be sure to process using a Wiener filter.

Vincent • October 9, 2009 8:26 PM

Will these 1000 experts be hired to replace 1000 among the hundreds of thousands of non-experts currently using government terminals to play pirated copies of Half-Life? Because that's the only way I can see this making even a dent.

Bruce Schneier • October 10, 2009 7:52 AM

"Have they started cloning bruce yet?"

My mother didn't raise me to be a clone army.

John Campbell • October 10, 2009 8:02 AM

Cloning?

What is scary is running across people who look more like me than I do... and, believe me, there's a surprising number, some older, some younger, so I am not one of the first to be stamped out.

The only problem I see with this kind of cloning is that the skills/talents are not likely to have been cloned.

Ric • October 10, 2009 11:27 AM

Bob Cringely is Robert X. Cringely. "He" is not a "she", although only the airport scanner knows for sure ;)

Bruce Schneier • October 10, 2009 12:32 PM

"'He' is not a 'she', although only the airport scanner knows for sure ;)"

Janet Napolitano is a she, however, so the sentence stands.

bf skinner • October 10, 2009 6:33 PM

@tim

is right...the pay for "experts" is below market.

If you are a firewall administrator with 3-5 years of network (preferably CISCO), incident response manager, policy development expert, 2-3 years of forensics, and 5 years of software development you can expect to be offered ... people (TSA) think they can hire for

Michael Lynn • October 10, 2009 9:35 PM

There are two somewhat loaded terms in use here, the first is expert. Of course with any expert it's a matter of relative knowledge. To me the guy who fixes my car when it breaks is an expert on cars. To the mechanical engineer that designed the car, not so much. I suspect they're going to want people closer to the mechanic in this analogy. If that's the case, then I'm sure they're out there.

The second word that tends to confuse (at least in terms of what makes you an expert) is security. I've worked in security for over 10 years now, in that time I've given presentations at all the major conferences, written substantial parts of a number of commercial IDS/IPS products, worked doing pen-tests and code audits, etc etc...I'm definitely an expert in something, but the more I think about it I wouldn't really say that something is security. Although I work to improve security I think what I'm really an expert in is insecurity. The difference being that a security expert has to be an expert in all ways to defend, and an insecurity expert has to be an expert in as little as a narrow area of how to attack. Often this is enough, and most working security professionals, even those with lots of talent are probably experts of insecurity rather than security. If that is good enough for DHS then they should be able to find them, if not, then good luck with that.

yt • October 11, 2009 2:52 AM

"Probably she meant 'anybody who is CISSP certified' by 'expert'". - Rochus

I have to admit that I had regarded the CISSP certification with awe and reverence until I started helping my partner review for the exam. To my surprise, *I* knew the answers to most of the review questions, and I'm a technical writer!

Andrew • October 11, 2009 10:50 PM

Cringely has become a bit...eccentric now that he no longer has editors to hold him in check. There are plenty of computer security experts out there. The NSA alone probably has 10000.

Albatross • October 11, 2009 10:53 PM

Well speaking as an ACTUAL "cybersecurity expert" who has been out of work for six weeks, I certainly could use one of those jobs. Meanwhile, my prior contract position has been reposted - at half the rate they had been paying me.

During economic hard times, everybody likes to jump on the "drive down the contracting rates" bandwagon, but nobody jumps on the "drive down the cost of tuition for my two kids in college" bandwagon.

dot tilde dot • October 12, 2009 5:36 AM

i guess "expert" in a context like this does only mean "considered to be qualified by the people trying to sell their point to you".

nothing more.

.~.

Adrian • October 12, 2009 7:49 AM

Expert:

Ex is a has-been. Someone who used to be good.

(s)pert is a drip under pressure.

Enough said.

Tom • October 12, 2009 9:58 AM

All you need to do is read a book and voila, you too are an expert! Reminds me of days past when you were considered a programmer if you could spell "C".

J without the J • October 12, 2009 2:05 PM

My education and experience qualify me fairly high up the food chain in the field of information assurance. (I can't stand the "cyber" moniker.)

I've seriously looked into the U.S. federal jobs offered, in my sort of old-fashioned notion that it might help serve my country.

I'd have to take a pay cut, move my family to one of the congested areas of the country from which I moved away, and get so entangled in federal government red tape that I couldn't perform my job.

Choices. Choices. Choices.

Kevin Gets • October 16, 2009 1:04 AM

What is the "Metric" used to define a cyber expert? This is the problem with politicians.... they have no metrics, just needs.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.