No Recession for Cybersecurity

With the demand for cybersecurity professionals outstripping supply, high-tech companies and government agencies are using innovative programs to recruit and train workers with specialized skills in information security.Booz-Allen & Hamilton Inc. of McLean, Va., for example, held a reunion of former employees who worked on national security projects Nov. 6 in Annapolis Junction, Md. The company also relies heavily on its employee referral program. Recruiting manager Elizabeth Segal said sometimes 50 percent of Booz-Allen's information security hires come through employee referrals.At the State Department, officials are taking advantage of a 3-year-old incentive program to recruit and retain IT security professionals, said Bruce Morrison, deputy chief information officer for operations in the department's Bureau of Information Resource Management. The State Department will pay an incentive bonus worth 5 percent to 10 percent of base salary to employees who receive certificates in certain information technology specialties, including information security. "It's been successful in retaining people who have specific security skills and encouraging people to get specific security specifications," Morrison said. "It targets the people who are most valuable to the department and most likely to be lured away by the private sector."Like Booz-Allen and the State Department, many commercial and governmental enterprises are moving rapidly to satisfy the government's growing need for improved IT security following the Sept. 11 terrorist attacks. Organizations have been beefing up their IT security staffs, checking for system vulnerabilities and installing new security fixes."The people who attacked the World Trade Center and the Pentagon seemed much more interested in blowing things up than in attacking our critical infrastructure, but they also surprised the world with their audacity. We cannot discount the potential threat of attack against our IT infrastructure," said Lynn McNulty, an information security consultant who works primarily for federal agencies. Consulting firm Booz-Allen has responded to the threat by bringing together its partners representing government and commercial groups in one strategic security service."We've never really offered it as a cross-firm effort for both government and commercial clients," Segal said. "But what we're seeing after Sept. 11 is a common need. We are going to see that security in a broader sense, including keeping people, physical infrastructures and networks secure, will fall under the umbrella of strategic security. It's disaster recovery, business continuity, information operations, computer network defense, critical infrastructure protection and information assurance."Morrison said the State Department is increasing its security programs across the board. The department's firewall staff has been beefed up and is operating 24 hours a day, seven days a week. Other priorities include contingency planning and security audits on each of the department's 300 Web sites. The department is also expanding its use of public key infrastructure and biometrics in order to lessen the possibility that staff members could access information they're not entitled to see.The Federal Reserve also is examining potential threats against its systems, said James Wade, vice president of information technology planning and standards and chief security officer for the Federal Reserve System, the United States' central bank. Like Booz-Allen, he's seeing a movement toward collaboration between the physical security, information security and business continuity operations."We're talking more about information security as an enterprisewide operation," Wade said from his office in Richmond, Va.But finding skilled workers is a serious challenge. "You find people who have good technical skills, but they ... do not understand the concepts and methodologies used in information security," said Wade, who also serves as president of the International Information Systems Security Certification Consortium Inc., a Framingham, Mass., group dedicated to information security education.Innovative recruiting methods are helping to alleviate this problem. An increasing interest in information assurance and a rise in educational programs is also expanding the pool of qualified workers.First of all, "it's cool. It wasn't five years ago. It also has gotten to be important," said Alan Paller, director of research at the SANS Institute, a research and education organization in Bethesda, Md., for systems administration, networking and security. Registration for the SANS Institute's security courses has surged threefold this year, to 14,000 enrollees, Paller said.Similarly, the International Information Systems Security Certification Consortium has seen a surge in IT security certifications, said McNulty, a member of the board of directors of the professional certification group. The group has awarded more than 5,000 Certified Information Systems Security Professional certificates, he said. Several federal education programs designed to boost the number of IT security professionals should alleviate the demand over time, said Vic Maconachy, program manager for the National INFOSEC Education and Training program at the National Security Agency at Fort Meade, Md.The NSA's Centers of Academic Excellence in Information Assurance Education Program brings attention and prestige to schools with rigorous IT security education programs. So far, 23 schools, including the University of Maryland, Baltimore County, have achieved the distinction. Two scholarship programs, one run by the National Science Foundation, the other run by the Department of Defense, pay for some IT security education in return for government service. The NSF program also funds faculty education in IT security and university IT infrastructure. The Defense Department program also provides mentors for the students. "We've been working for several years to place a core of cyber security specialists in federal government. That legislation [establishing these programs] put money out there to make that a reality," Maconachy said. "We're seeing more students come out of academia with greater skills in information assurance. The numbers are small, but they will grow."