Struggle to Retain Top Cybersecurity Talent Crosses Borders: A Panel Discussion

Posted by Tony Kontzer

Security is hard, but it's even harder for government agencies than it is for private sector companies. Government entities generally hold more data, and are targeted more frequently as a result. They have less incentive to take risks and innovate. And they struggle to hold on to their best people.

It was with that backdrop that three "Cyber Wisemen" were asked to share their thoughts about the security challenges facing government during a panel discussion Wednesday at the RSA Conference. Wise men or not, they had no more answers to the problems they face than their private-sector peers.

One of the most vexing of these issues is their inability to retain their top talent, and it's a problem that transcends borders. In the U.K., which is a hotbed for the security industry, it's difficult to keep people from jumping to the more lucrative private sector after short stints in government roles.

Alex Dewdney, director of cyber security for CESG, which manages information security for the British government, said he's struggled to find a model that will keep his best people from jumping ship in this fashion.

Even in Israel, which has some distinct advantages because of the experiences its youth are exposed to, the same problem exists.

Junior high school and high school students there are taught cybersecurity and computer engineering concepts much earlier than in most nations, if not all of them. The compulsory military service that begins at 18 years old exposes them to further technical skills, trains them to think outside of the box, and makes them conscious of national security issues at an early age. These factors would seem to set the stage for a consistent influx of fresh talent into government roles.

Yet, Eviatar Matania, head of the Israeli National Cyber Bureau in the prime minister's office, has had difficulties achieving the kind of balance he seeks between private sector resources and a core of skilled government workers.

As a result, he said he and his staff are "rethinking the way we interact with the private sector in an effort to attract more people into the government."

Meanwhile, in the U.S., federal agencies have the same difficulties with employees chasing money that Dewdney has in the U.K. Rather than wring their collective hands, however, Michael Daniel, cyber security coordinator for The White House, suggested that it's time for agencies to instead accept the economic dynamics and adjust their expectations accordingly.

"Lots of agencies still operate as if they'll bring in a talented person, and they'll retire in 40-45 years from that agency," said Daniel. "That's insane. No one does that anymore. We can attract the best people in cyber security, and they'll stay with us for two or three years for the mission. But they're not staying for 40 or 45 years."

(Don't even get me started on how out of touch a security professional who'd stayed with a federal agency for 45 years would be.)

The irony of the human resources topic is that it may be putting the cart before the horse. There's a growing sense that governments need to consolidate security in fewer hands to optimize resources and improve results.

Daniel said that the model of having every agency manage its own security isn't sustainable. By having a few core agencies manage security for all, he said, "we can really focus the talent and get the economies of scale we really need."

Dewdney agreed, suggesting that having so many security heads creates added vulnerability, and that consolidating the risk with fewer security teams makes sense. Unfortunately, Dewdney's efforts to start that process have been met by pushback from agencies that don't want to be responsible for the security and privacy of another agency.

Given that this sounds like a child refusing to do what a parent asks, Dewdney's reaction to this pushback is perfect: "Come on!"

Come on, indeed.

Tony Kontzer, RSA Conference


