US agencies are coping with understaffed security departments

Uncle Sam wants YOU in cybersecurity. No, really. Can you start now?

More than one-third of US government security employees surveyed believe their agencies’ security teams will never be fully staffed, according to a new report from security automation platform Swimlane, which included input from more than 100 cybersecurity staffers at the federal level.

The hyper-specific requirements for cybersecurity jobs are contributing to the pessimism: The study found that 83% of federal agencies have openings on their security teams, and 64% say they could fill a position faster two years ago. (Some 67% percent of public sector respondents across all industries said the same.)

The report highlights the vacancies as agencies are gearing up to comply with the Biden administration’s Zero Trust mandates, which generally call for the federal government to harden cybersecurity in compliance with stricter standards by the end of next year.

“Security teams within the federal government are expected to investigate and remediate thousands of alerts daily while keeping up with evolving mandates,” the report said. “Many are navigating these challenges with chronically understaffed teams, as finding candidates with the right mix of technical expertise, relevant experience, and industry-specific knowledge has become increasingly difficult.”

Several factors contribute to Uncle Sam’s hiring difficulties, Swimlane co-founder and CSO Cody Cornell told IT Brew. Successful candidates often need to have or be able to obtain security clearances, and the government competes for talent with high-paying companies in the private sector.

One way to combat the shortage? Cornell suggested lowering the bar for entry-level positions. Instead of requiring three to five years of experience, for example, or a previous background in cybersecurity, he said hiring managers would do well to consider whether candidates “are skilled and ambitious and willing to be cross-trained.”

“One of the things we’ve been historically not great at is not setting realistic expectations for both the qualifications and the experience of a role,” he said. “Much like many other trades, there’s an opportunity to give people on-the-job training, where they pair with somebody who’s experienced. Those people will come up to speed very, very quickly.”

On the bright side, the majority of government agencies think they can comply with the fast-approaching security mandates. According to Swimlane, 67% of surveyed agencies are confident they can implement the Zero Trust requirements, including by using low-code security automation.