Richard Foster// October 30, 2013//
The Virginia state government data center doesn’t harbor the kind of classified, hush-hush, top-secret data that its federal counterparts do; hackers seeking to discover info about the Roswell aliens or who really killed JFK would be better advised to look elsewhere.
Just the same, the state’s servers contain a lot of confidential information about Virginia residents and taxpayers, and they’re hit by cyber attacks of one form or another about 120 million times each year.
“That’s about 10 million attempts a month,” says Virginia Secretary of Technology Jim Duffey. “The bad guys are definitely out there, and they’re persistent; and they’re getting better all the time, so your defense has to respond and be one step ahead. You have to be right all the time, and they only need to be right once.”
Cybersecurity is the most in-demand sector among information technology jobs, according to major IT staffing firms, and it’s not likely to change anytime soon. Demand for cybersecurity professionals has grown more than 3.5 times faster than demand for other IT jobs over the last five years, according to a recent Cyber Security Census conducted by Semper Secure, a public-private partnership led by Virginia’s state government that is focused on increasing the number and quality of cybersecurity professionals in Virginia.
Furthermore, demand for cybersecurity professionals is 12 times higher than that of all other professions. The average annual salary for a cybersecurity expert is $116,000, according to the survey of 500 cybersecurity professionals in 43 states across 40 industries.
“The demand is definitely there, and it’s going to continue to be there,” Duffey says. “There are a lot more people producing a lot more data than ever in our history and all of that data needs to be protected.”
The need for cybersecurity pros is felt across government agencies and affects pretty much every industry from health care to energy companies and finance. “You name it, they’re all going to require cybersecurity,” Duffey says, “and they’re going to require it whether the economy is doing well or not doing well.”
So why are cybersecurity professionals so difficult to find?
Part of it is the amount of certification and education needed.
Duffey and Semper Secure are working with Virginia’s universities and community colleges to encourage more cybersecurity training and curriculums. In September, it was announced that Longwood University’s new Longwood Center for Cyber Security became the first university program in Virginia to be designated a National Center of Digital Forensics Academic Excellence by the Defense Cyber Crime Center. It offers studies in cybersecurity and information systems.
“In order to fill these positions down the road, we’re going to have to be more proactive” in working with schools and universities to increase the number of STEM graduates, says Theresa Quallich, senior director of human resources for Herndon-based federal IT contractor LGS Innovations. For instance, LGS CEO Kevin Kelly serves on industry advisory boards for Penn State and George Washington universities, and LGS offers scholarships and internships and supports programs designed to interest more students in STEM and IT careers.
But education isn’t the major issue causing the lack of cybersecurity pros, says John Larson, president of Baltimore-based IT staffing firm CPSI Consulting. Cybersecurity jobs require someone with a unique skill set and experience.
“It’s a situation where you need extreme analytical skills,” Larson says. “It’s not just a matter of writing code … where I’m working against a set of specifications. On the cyber side I’m not only doing that, but I have to be very analytical and think about the person who wants to break through the system for whatever reason, malicious or whatever. I’m working under a different set of rules. It’s extremely complex … so you need a high level of experience. You can’t come out of college in general and start working in the cybersecurity world.”
One out of four cybersecurity professionals has less than five years of work experience, according to the Semper Secure census. Businesses far prefer those with more experience, Larson says, because “there’s a high likelihood they’re paying top dollar for that individual and as a result of that they need that person to be productive the minute they walk in. They can’t train them and wait … six months. They need instant accountability and productivity.”
Government clearance is another major issue. The largest groupings of cybersecurity professionals are found in California’s Silicon Valley or in the metro Washington, D.C./Northern Virginia region, according to the Semper Secure census. And the IT industry in the D.C. area is driven by federal contracts, almost all of which require various degrees of security clearance.
For instance, General Dynamics Information Technology, a unit of Fairfax County-based General Dynamics, recently announced that it’s working on a $6 billion, five-year federal contract to strengthen the security of .gov networks and assess and combat cyber risks, working with the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program.
Due to the high demand for IT professionals, there are many foreign workers on visas from India, Eastern Europe, Russia and China filling the gaps, but the majority of them can’t get security clearances, Larson says. It can take as long as six months to get top-secret security clearances in some cases, and government contractors don’t want to wait that long. Companies are seeking to hire cybersecurity professionals who already hold clearances.
Related positions are also in high demand, particularly Java software developers who are needed to develop mobile applications, says Michael McCaughey, managing director for Northern Virginia IT staffing firm DISYS. More and more government agencies and industries are utilizing mobile apps to access data from tablets and smartphones, creating a whole host of new security problems, but there is a lack of people with experience and security clearances.
Similarly, McCaughey adds, cybersecurity professionals with experience in cloud computing and data storage are also in great demand, particularly in Virginia, which holds data centers for many major federal agencies as well as for a huge percentage of the United States’ Internet users. (By some estimates, as much as 60 percent of U.S Internet traffic comes through Virginia, Duffey says.) And in the Richmond area, where finance firms like Capital One drive IT hiring, cybersecurity professionals need to have a good grasp on back-end enterprise resource planning software applications such as SAP and Oracle PeopleSoft, according to Shawn Handley, senior vice president of business development for Richmond-based Apex Systems.
As one might imagine from all this, unemployment isn’t a problem in the IT world — far from it. “From all measures, we have pretty much full employment in the IT space,” Larson says. “It’s not like there are people waiting, saying, ‘I can’t find a job in IT.’ If you’ve got the skill set, you’re employable and are working today and have been for some time.”
T