H4CKER5
WANTED
An Examination of the Cybersecurity Labor Market
MARTIN C. LIBICKI
DAVID SENTY
JULIA POLLAK
This research was sponsored by a private foundation and conducted within the Forces and Resources Policy Center of the RAND National Security Research Division (NSRD). NSRD conducts research and analysis on defense and national security topics for the U.S. and allied defense, foreign policy, homeland security, and intelligence communities and foundations and other nongovernmental organizations that support defense and national security analysis.
Library of Congress Cataloging-in-Publication Data
Libicki, Martin C., author.
Hackers wanted : an examination of the cybersecurity labor market / Martin C. Libicki, David Senty, Julia Pollak.
1 online resource.
Includes bibliographical references.
Description based on print version record and CIP data provided by publisher; resource not viewed.
ISBN 978-0-8330-8501-6 (epub) -- ISBN 978-0-8330-8502-3 (prc) -- ISBN 978-0-8330-8503-0 (ebook PDF) -- ISBN (invalid) 978-0-8330-8500-9
1. Computer crimes--Prevention. 2. Cyber intelligence (Computer security) 3. Cyberspace--Security measures. 4. Professions--Supply and demand. 5. Computer hackers. I. Senty, David, author. II. Pollak, Julia, author. III. Title.
HV6773
331.7610058--dc23 2014023419
The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.
Support RAND: make a tax-deductible charitable contribution at www.rand.org/giving/contribute.html
RAND is a registered trademark
Cover design by Dori Walker
Copyright 2014 RAND Corporation
This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of RAND documents to a non-RAND website is prohibited. RAND documents are protected under copyright law. Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Permission is required from RAND to reproduce, or reuse in another form, any of our research documents for commercial use. For information on reprint and linking permissions, please see the RAND permissions page (www.rand.org/pubs/permissions.html).
RAND OFFICES
SANTA MONICA, CA WASHINGTON, DC
PITTSBURGH, PA NEW ORLEANS, LA JACKSON, MS BOSTON, MA
CAMBRIDGE, UK BRUSSELS, BE
www.rand.org
Preface
There is general agreement that jobs for cybersecurity professionals are going unfilled within the United States (and the world), particularly within the federal government, notably those working on national and homeland security as well as intelligence. Such unfilled positions complicate securing the nation's networks and may leave the United States ill-prepared to carry out conflict in cyberspace. RAND undertook to understand the nature and source of this challenge, how national security entities (including the private sector) are responding to labor market conditions, the policies that have been implemented or referenced to help increase the supply of cybersecurity professionals, and the requirement for further policies as needed to meet the needs of the national security establishment.
For more information on the RAND Forces and Resources Policy Center, see www.rand.org/nsrd/ndri/centers/frp.html or contact the director (contact information is provided on the web page).
Summary
There is a general perception that there is a shortage of cybersecurity professionals within the United States (indeed, in the world), and a particular shortage of these professionals within the federal government, notably those working on national and homeland security as well as intelligence. Shortages of this nature complicate securing the nation's networks and may leave the United States ill-prepared to carry out conflict in cyberspace.
In response, RAND undertook to examine the current status of the labor market for cybersecurity professionals, with an emphasis on their being employed to defend the United States. We carried out this effort in three parts: first, a review of the literature; second, a set of semi-structured interviews with managers and educators of cybersecurity professionals, supplemented by reportage as appropriate; and third, an examination of what the economic literature suggests about labor markets for cybersecurity professionals. RAND also looked within the broad definition of cybersecurity professionals to unearth skills differentiation as relevant to this study.
Literature
There have been several excellent reports on the difficulty of meeting cybersecurity manpower needs; those by Booz Allen Hamilton, the Center for Strategic and International Studies, and the Department of Homeland Security's Homeland Security Advisory Council have been among the most comprehensive. Their underlying message is the same: A shortage exists, it is worst for the federal government, and it potentially undermines the nation's cybersecurity. Such reports mention the many steps that the government has already taken to increase security, notably the establishment of scholarships, the more sophisticated definition of skill requirements, and the encouragement of hacker competitions (to publicize the field, motivate those looking for careers, and prescreen for talented individuals). All of these reports recommend more careful and painstaking management of the supply-demand balance for cybersecurity workers. None of them recommends steps to reduce the demand for such individuals.
Interviews et al.
We carried out semi-structured interviews with representatives of five U.S. government organizations, five education institutions, two security companies, one defense firm, and one outside expert. Our key findings follow.
The cybersecurity manpower shortage (more accurately, the rising difficulty of finding and retaining qualified individuals at what are considered reasonable wages) is predominantly at the high end of the capability scale: roughly the top 15 percent of the overall workforce. These are the people capable of detecting the presence of advanced persistent threats, or, conversely, finding the hidden vulnerabilities in software and systems that allow advanced persistent threats to take hold of targeted systems. Such individuals can often claim compensation above $200,000 to $250,000 a year, although capturing such salaries requires a mix of talents and soft skills (e.g., marketing, management), which means recipients are far more likely to be in their 30s than in their 20s (a factor which also extends the lead time required to get new people into such positions).