Yesterday, DHS Secretary Janet Napolitano said that the U.S. needed to hire 1,000 cybersecurity experts over the next three years. Bob Cringley doubts that there even are 1,000 cybersecurity experts out there to hire.
I suppose it depends on what she meant by “expert.”
HJohn • October 9, 2009 11:49 AM
@I suppose it depends on what she meant by “expert.”
And also what she meant by “cybersecurity,” perhaps moreso.
In “cybersecurity expert” there are two words that mean different things, or different levels, to different people.
Mark J. • October 9, 2009 11:51 AM
Ooh, cushy Fed job? I volunteer. Do I have to move to DC, though?
HJohn • October 9, 2009 11:53 AM
@Mark J.: “Ooh, cushy Fed job? I volunteer. Do I have to move to DC, though?”
If there were ever a job that should have a telecommute policy…
So.. if we couldn’t get a security clearance before, you think now they’d be willing to overlook stupid youthful… transgressions of the electronic type?
Craig • October 9, 2009 12:23 PM
I could probably quality as an “expert” in comparison to some of the people they will actually hire. After all, I’ve been reading Bruce’s blog for years.
Rochus • October 9, 2009 12:29 PM
Probably she meant “anybody who is CISSP certified” by “expert”.
tim • October 9, 2009 12:35 PM
I receive at least two offers a week from the DC area all looking for highly qualified experience security ‘experts’ but pay the equivalent of a high school intern. I always wonder who takes those gigs…
Aviatrix • October 9, 2009 12:36 PM
Could I become a cybersecurity expert in three years? I’ve got a computer, and hardly any of my passwords are “password.” What else do I need?
Carl Bussjaeger • October 9, 2009 12:37 PM
I know better than to fall for a phishing scam. I figure that makes at least more of an expert than the FBI’s boss.
http://www.theregister.co.uk/2009/10/08/fbi_robert_mueller_commonwealth_club_speech/
Not that the Fed can print enough money for me to go work for DHS.
Dave • October 9, 2009 12:38 PM
“cringly” wants to be cringely
Arron • October 9, 2009 12:40 PM
If(CISSP == EXPERT) { die “Were all doomed!!!”; }
Eponymous • October 9, 2009 12:41 PM
As someone who makes his living providing personal bodyguard detail and entourage services to high profile cyborgs, I resent the synonymous use of “cybersecurity” and “internet security.”
rbtroj • October 9, 2009 12:59 PM
If it’s only 1000 openings then they will all be filled by nephews, nieces, and children of golfing buddies.
Paul • October 9, 2009 1:02 PM
Let’s say they can in fact 1000 ‘true’ cybersecurity experts. My guess is only a fraction of them will last the government imposed bureaucracy and paper security rules they will have to endure.
In my experience what an organization needs to have a chance at securing their infrastructure is a core group of people who really care about just that and have very senior management behind their efforts to accomplish their goals.
Miles Baska • October 9, 2009 1:11 PM
Expert. Take the word apart.
Ex. a has-been
Spurt. drip under pressure
squid scoop • October 9, 2009 1:20 PM
No Friday squid blogging? Here’s a little help:
http://www.reuters.com/article/newsOne/idUSTRE58K4OF20090921
Trevor Stone • October 9, 2009 1:24 PM
I wonder if they consider hackers cybersecurity experts. I also wonder if they’d hire people with a history of hacking, or if said individuals would want to work for the government.
Although I suppose the U.S. has been doing some very high-profile top-level recruiting on this guy from England…
Frank Bresz • October 9, 2009 1:33 PM
There are plenty of people out there claiming to be cyber-security experts, the challenge of course is that while the population of security experts continues to increase – sum total security IQ remains essentially stable.
Trevor Stone • October 9, 2009 1:33 PM
Word counts:
1 cyberanalysts
1 cyberczar
1 cyberexperts
1 cybernetworks
1 cyberorganization
5 cybersecurity
1 cyberthreats
1 cyberwarfare
That’s the most buzz-prefix heavy article I’ve read in quite some time. It’s like the government realized that putting the letter “e” before a word to make it Internet-related is passé, and putting “i” before everything makes it sound like you work for Apple.
Time to get back to looking for a cyberjob in the cyberrecovering cybereconomy…
@Trevor: or adding é to every silent E to make a McDonalds commercial.
(I just had to. As an average American, I can’t even find the key to put the accent on “passé,” I had to cut/paste from yours =) )
NotAsmo • October 9, 2009 2:19 PM
Its like Y2K all over again.. That lovely smell of fear, government bureaucracy and easy money.. God I love capitalism. If history repeats itself we should have another ‘bubble’ too..
Eric • October 9, 2009 2:24 PM
Have they started cloning bruce yet?
Chris • October 9, 2009 2:28 PM
@Trevor
It makes for a hell of a drinking game.
“She said “cyber”! -shot-. “
Brent Longborough • October 9, 2009 2:36 PM
“Cybersecurity” is the new Java (is the new COBOL)
dmc • October 9, 2009 2:43 PM
I find all of the flap about this story a bit puzzling.
I don’t know what exactly they have in mind as “experts”, but I’m kind of more interested in knowing what they want these experts to do. If we’re talking about a bunch of people to do risk assessments, vulnerability analyses, secure coding practice education, liaising with/leaning on various corporations on security standards for critical or ubiquitous software packages/system (e.g. Office, Windows, Linux, Oracle, etc.),
etc. on Federal systems, then yes, I think they could find and would probably need more than 1000 such experts. If they’re looking for people to design a secure national infrastructure, then no, I don’t think they’re going to find 1000 experts, and don’t need them, either.
karrde • October 9, 2009 2:49 PM
I suppose the technicians and managers who were helping the FBI do their computer upgrade in 2001-2006 will be certified a cybersecurity experts by middle of next year.
They’ve had a couple of years to work on the certification, after all.
http://www.washingtonpost.com/wp-dyn/content/article/2006/08/17/AR2006081701485.html
Aguirre • October 9, 2009 3:02 PM
When listening to announcements about cybersecurity be sure to process using a Wiener filter.
Moderator • October 9, 2009 4:38 PM
Trichinosis USA, please don’t do that again.
Vincent • October 9, 2009 8:26 PM
Will these 1000 experts be hired to replace 1000 among the hundreds of thousands of non-experts currently using government terminals to play pirated copies of Half-Life? Because that’s the only way I can see this making even a dent.
Bruce Schneier • October 10, 2009 7:52 AM
“Have they started cloning bruce yet?”
My mother didn’t raise me to be a clone army.
John Campbell • October 10, 2009 8:02 AM
Cloning?
What is scary is running across people who look more like me than I do… and, believe me, there’s a surprising number, some older, some younger, so I am not one of the first to be stamped out.
The only problem I see with this kind of cloning is that the skills/talents are not likely to have been cloned.
Ric • October 10, 2009 11:27 AM
Bob Cringely is Robert X. Cringely. “He” is not a “she”, although only the airport scanner knows for sure 😉
Bruce Schneier • October 10, 2009 12:32 PM
“‘He’ is not a ‘she’, although only the airport scanner knows for sure ;)”
Janet Napolitano is a she, however, so the sentence stands.
bf skinner • October 10, 2009 6:33 PM
@tim
is right…the pay for “experts” is below market.
If you are a firewall administrator with 3-5 years of network (preferably CISCO), incident response manager, policy development expert, 2-3 years of forensics, and 5 years of software development you can expect to be offered … people (TSA) think they can hire for < 70k a year.
Michael Lynn • October 10, 2009 9:35 PM
There are two somewhat loaded terms in use here, the first is expert. Of course with any expert its a matter of relative knowledge. To me the guy who fixes my car when it breaks is an expert on cars. To the mechanical engineer that designed the car, not so much. I suspect they’re going to want people closer to the mechanic in this analogy. If thats the case, then I’m sure they’re out there.
The second word that tends to confuse (at least in terms of what makes you an expert) is security. I’ve worked in security for over 10 years now, in that time I’ve given presentations at all the major conferences, written substantial parts of a number of commercial IDS/IPS products, worked doing pen-tests and code audits, etc etc…I’m definitely an expert in something, but the more I think about it I wouldn’t really say that something is security. Although I work to improve security I think what I’m really an expert in is insecurity. The difference being that a security expert has to be an expert in all ways to defend, and insecurity expert has to be an expert in as little as a narrow area of how to attack. Often this is enough, and most working security professionals, even those with lots of talent are probably experts of insecurity rather than security. If that is good enough for DHS then they should be able to find them, if not, then good luck with that.
“Probably she meant ‘anybody who is CISSP certified’ by ‘expert'”. – Rochus
I have to admit that I had regarded the CISSP certification with awe and reverence until I started helping my partner review for the exam. To my surprise, I knew the answers to most of the review questions, and I’m a technical writer!
n3td3v • October 11, 2009 8:07 AM
No need for 10000 experts. I nominate myself to solve all of their problems
anonymous • October 11, 2009 1:29 PM
They could hire some of those British pigs…
http://www.schneier.com/blog/archives/2009/10/pigs_defeating.html
anonymous farm • October 11, 2009 1:49 PM
All cybersecurity experts are equal, but some cybersecurity experts are more equal than others.
Andrew • October 11, 2009 10:50 PM
Cringely has become a bit…eccentric now that he no longer has editors to hold him in check. There are plenty of computer security experts out there. The NSA alone probably has 10000.
Albatross • October 11, 2009 10:53 PM
Well speaking as an ACTUAL “cybersecurity expert” who has been out of work for six weeks, I certainly could use one of those jobs. Meanwhile, my prior contract position has been reposted – at half the rate they had been paying me.
During economic hard times, everybody likes to jump on the “drive down the contracting rates” bandwagon, but nobody jumps on the “drive down the cost of tuition for my two kids in college” bandwagon.
dot tilde dot • October 12, 2009 5:36 AM
i guess “expert” in a context like this does only mean “considered to be qualified by the people trying to sell their point to you”.
nothing more.
.~.
Adrian • October 12, 2009 7:49 AM
Expert:
Ex is a has-been. Someone who used to be good.
(s)pert is a drip under pressure.
Enough said.
Tom • October 12, 2009 9:58 AM
All you need to do is read a book and voila, you too are an expert! Reminds me of days past when you were considered a programmer if you could spell “C”.
J without the J • October 12, 2009 2:05 PM
My education and experience qualify me fairly high up the food chain in the field of information assurance. (I can’t stand the “cyber” moniker.)
I’ve seriously looked into the U.S. federal jobs offered, in my sort of old-fashioned notion that it might help serve my country.
I’d have to take a pay cut, move my family to one of the congested areas of the country from which I moved away, and get so entangled in federal government red tape that I couldn’t perform my job.
Choices. Choices. Choices.
bf skinner • October 12, 2009 5:34 PM
@J without the J
Everyone has needs…
now many of us have mission?
Kevin Gets • October 16, 2009 1:04 AM
What is the “Metric” used to define a cyber expert? This is the problem with politicians…. they have no metrics, just needs.
anonymous • October 20, 2009 1:17 PM
I just applied, hope they hire me 😛
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Shane • October 9, 2009 11:44 AM
Well, if they’re anything like the rest of the country, they won’t have any misgivings about hiring recent graduates of the 2-year Real Estate Flipper/Network Security Specialist mail-order training programs.