United States Security

Biden Administration Pushes To Close the Growing Cybersecurity Workforce Gap (cnn.com) 104

The Biden administration is pushing to fill hundreds of thousands of cybersecurity jobs in the United States as part of a bid to close a talent shortage US officials describe as both a national security challenge and an economic opportunity. From a report: On Tuesday, the administration announced a multi-agency plan to create hundreds of registered apprenticeship programs with the private sector to flesh out the nation's cybersecurity workforce -- and defend against a rising tide of data breaches, ransomware attacks and other hacking incidents. In a 120-day sprint, the US government will work with employers to establish apprenticeship programs in the cybersecurity industry, said Labor Secretary Marty Walsh, vowing to launch the joint program with the Department of Commerce "in as little as 48 hours."

The initiative draws funding from a wider $500 million Commerce Department program known as the Good Jobs Challenge, and will particularly focus on recruiting young people, women and minorities to train and work in the cybersecurity field, said Walsh and Commerce Secretary Gina Raimondo at a White House event on Tuesday focused on broader cyber workforce issues. The US government commitment highlights what officials describe as a critical lack of cybersecurity professionals in both government and the private sector who can help protect the nation from foreign adversaries and cybercriminals. Months ago, there were an estimated 500,000 unfilled cybersecurity positions in the United States, Raimondo said, but today that figure has exploded to more than 700,000, a 40% increase.

  • Funny (Score:5, Insightful)

    by Luckyo ( 1726890 ) on Wednesday July 20, 2022 @09:12AM (#62718608)

    I was reading the first paragraph and thinking "and this will go nowhere, because it's just going to be a diversity hire program, mostly hiring talentless people that were born into the right skin color rather than talented untermensch".

    And what do you know, the second paragraph delivered just that.

    • Where else are they going to pull from?
      They already got all the white males that want to do the shit work.
    • Re:Funny (Score:5, Insightful)

      by Brain-Fu ( 1274756 ) on Wednesday July 20, 2022 @09:20AM (#62718636) Homepage Journal

      Even if they do train up a lot of people for these positions (regardless of skin color or gender or whatever), that isn't going to stem the tide of data breaches. Most security holes are easily-understood mistakes made because leadership pushes the team to hit unrealistic deadlines and cuts scope on security. EVERYBODY knows that passwords shouldn't be stored in plain text files, but when you gotta cut features to make a trade show date, the "invisible" features are the ones that get cut, and then everyone forgets about it and moves on.

      This problem is most prominent in young companies, of course, since leadership hasn't been burned by this enough to justify hiring cybersecurity pros to tell them what features can't be cut. And, every company was a young company once, thus inheriting all the security holes.

      So anyway, while I think there is SOME benefit to having more cybersecurity talent available, I don't think that is the fix. There must be some kind of legal accountability to motivate leadership of young companies to pay attention to this stuff, or it simply won't happen no matter how much talent is available.

      • Most security holes are easily-understood mistakes made because leadership pushes the team to hit unrealistic deadlines and cuts scope on security.

        And the ironic ones where the cybersecurity team trains workers to do the wrong thing. Like getting e-mails from IT saying "you need complete your cybersecurity refresher! Click this link for information."

        And pop-up messages "your computer must restart to install a mandatory update. Click 'accept' to continue." (where "clicking accept" leads immediately to "enter your password to install update").

        • I love it when they do that. My last two employers did that and it's super annoying. Thankfully at least with updates no one is notified. You just get a popup usually at the most inopportune time to restart your computer.

          My real concern is how many infosec people I run into that have no idea about basic systems administration. They can work with ELK stack to find IPs but have no idea which vulnerabilities are a risk and which are ridiculous. I used to get dinged by Infosec for Office vulnerabilities to whic

      • I'd worry that this program is just going to teach people how to read log files for whatever commercial security tool offered the biggest bribe... er... "campaign donation" to get picked by this program.

        It's probably not going to improve security all that much, other than blocking obvious script kiddie attacks. These "cybersecurity professionals" won't stand a chance at stopping professional state-sponsored attackers.

      • I'd actually like to see more cybersecurity training for the workforce in general. While there are lots of sophisticated attacks that require tools like deep packet inspection to suss out what the hell is going on, in my experience, most of the vulnerabilities are pretty much PEBCAK. The worst attack we ever had on our company was due to a guileless receptionist opening a ransomware email that slipped through our virus scanner, and managed to encrypt quite a few important directories, and the immediate tip

      • by Luckyo ( 1726890 )

        The problem is that they are going to have less people, not more. When you train people based on traits irrelevant for the job at hand such as race, you definitionally pass people who have traits that are needed for the job, also known as "merit".

        Because items with infinite supply such as training posts are inherently a zero sum game.

      • by ebyrob ( 165903 )

        > Even if they do train up a lot of people for these positions (regardless of skin color or gender or whatever), that isn't going to stem the tide of data breaches.

        Exactly. This isn't a talent shortage. It's a diligence shortage. Security is EVERYONE's job.

      • It is rare that I see reality laid out so barely. It is indeed partially a problem with management. Security is a very difficult job to do well. You have to understand everything, from how the business operates to the personalities of management within the org to all of the technical details. Once you understand it, then you have to balance out all of the competing needs and capabilities and then come up with recommendations for management to follow... which they won't.

        Oh. And everyone hates you because you

    • Re: (Score:1, Insightful)

      by AmiMoJo ( 196126 )

      Too many white dudes taking early retirement or going to part time, especially with the pandemic. Now rectifying decades of under-funding and sexism are suddenly a priority because there's a shortage of workers.

      As for being talentless, every woman and minority has to deal with the accusation that they were only hired for their gender/skin colour. Similarly, companies that include more than 50% of women or 15% of black people in their advertising are accused of being woke, when in fact they are mostly just c

      • As for being talentless, every woman and minority has to deal with the accusation that they were only hired for their gender/skin colour.

        And it is exactly because of programs like this, that give advantages to those categories, rather than being hired on merit alone.

        If you get special consideration during the acceptance/hiring phase, then there will always be doubts as to why you were hired on.

        • If you get special consideration during the acceptance/hiring phase, then there will always be doubts as to why you were hired on.

          For you perhaps. Unless you were involved in the HR process how would you even know?

        • by AmiMoJo ( 196126 )

          They aren't talking about giving anyone an advantage. They are saying that they want to target those groups because they think they are an under-used resource.

          • With the incredibly tight labor market we're experiencing, we don't have a choice. We have positions that even five years ago had to go to someone with a degree, rather than just some college certificates, and well, guess what, those folks these days are either our direct competition, or finding jobs far beyond what our budgetary limitations can pay, or in a lot of cases, they're sipping margaritas on a beach in Mexico, having left the industry entirely at 55. Apart from it being the right thing to do, it'

        • As for being talentless, every woman and minority has to deal with the accusation that they were only hired for their gender/skin colour.

          And it is exactly because of programs like this, that give advantages to those categories, rather than being hired on merit alone.

          If you get special consideration during the acceptance/hiring phase, then there will always be doubts as to why you were hired on.

          Doubts are erased when you prove to be an effective co-worker. I work with people across the full spectrum of traits for which they would be subject to these accusations, but are in fact experts in their field. If you leave it to merit alone, you will fail to hire the most effective people because other biases discount merit.

          • Implicit bias during the hiring process can be very difficult to deal with. Most people just assume they aren't racist and rely on their own judgement which being subjective can change at any time. Many times cultural issues or non-native English speakers can convey information in unexpected ways which requires the whole team to adapt. Once that happens then you are correct and that merit will start to take over. Giving people that time to adjust is critical and most organizations just expect you to jump ri

        • Ah yes, the old "merit" argument. It's peculiar how merit and racial and socio-economic class so strongly correlate.

          We do government contracts in my business, and pretty much every contract we've signed in the last five years has had strongly worded hiring quotas. My old partner found these quotas horrible. "We hire on merit!" she proclaimed loudly at one strategy meeting. And I thought back to when she had not hired an Indigenous applicant (that's what we call American Indians up here in Canuckistan), and i

        • Egg-zactly.

          When you limit the pool of candidates by gender, race, the best you can say is "well, they hired the best black woman for the job", undermining the new hire before they even start in the position.

          We recently had such a case here in the US, for political reasons one presidential candidate committed to only hiring a black woman for a SCOTUS opening - declaring her an affirmative action hire before he even started looking for a nominee. Better for all concerned if he simply kept his mouth shut and

      • To be fair, most cybersecurity "professionals" don't know their ass from a hole in the ground, so it's natural to question why they were hired regardless of their gender, ethnicity, etc.
        • They were hired to satisfy a bureaucracy. They can measure controls, and create some risk analysis based on what is defined as the tenets of cyber security. They do a good job with compliance. Unfortunately, most of them cannot stop hackers because they are not focused on real cyber security.
      • by gweihir ( 88907 )

        The actual problem here is that IT security is _hard_, because it is largely non-functional (or rather "prevent-function") and classical engineering approaches only work to a limited degree. Hence it does not really matter what pool of people you tap, most will not be able to cut it and those that will need something at least on the level of an IT type engineering Bachelor's degree and something like 5 years of experience before they actually can become effective on their own. So sure, tapping "women and ot

        • by AmiMoJo ( 196126 )

          I don't know about "prevent-function", it's more about changing the way your business does things to sandbox processes and workflows. All the focus used to be on stopping people opening attachments in email, now it's shifted to making sure that when they do open some malware it can't do much damage.

          • by gweihir ( 88907 )

            I don't know about "prevent-function", it's more about changing the way your business does things to sandbox processes and workflows. All the focus used to be on stopping people opening attachments in email, now it's shifted to making sure that when they do open some malware it can't do much damage.

            That is the thing. It is a really complex field with numerous differently targeted measures and you basically have to be somewhat familiar with all of them. Otherwise you cannot make competent decisions as to what to use and risk management becomes really bad. That is why security is not simply regular engineering. It is more like safety engineering, but with the "random events" of safety engineering being smart and doing exactly what hurts most, so the statistical aspect of safety engineering does not work

            • I don't believe it is quite that difficult. The problem is when you rely on the private sector to set standards on hiring, operations, areas of responsibilities,... it always goes wrong since every corporation has its own way of doing things and does not want "the other guy" to succeed. 90% of an IT staff has nothing to do with attack vectors other than what the standard operating procedures make policy so prevention is an action of global policy, again not always the first priority of the private sector.

              • by gweihir ( 88907 )

                Actually it is. It always was, but pressure from criminal enterprises was low for a long time and who cared if the NSA hacked you but did not publish that fact or your data. With ransomware that has changed now. IT security is a _lot_ harder than the rest of IT. Secure software engineering is a _lot_ harder than just software engineering. And, unfortunately, many supposed "experts" in IT security have no IT engineering experience and either build castles in the sky or just recommend to buy from a certain ve

      • From how things are worded in the article, it sounds like they are just focusing recruitment efforts at women and minorities. I don't see any mention of plans to exclude white men from the programs.

        I don't think there is anything racist or harmful about putting up posters in places that are expected to get high viewership among women or minorities (or similar tactics). If it is just a matter of where one advertises, I don't see a problem. And wherever we see evidence of actual sexism/racism going on, we

        • https://eda.gov/arpa/good-jobs... [eda.gov]

          Paragraph two:
          "Through the Good Jobs Challenge, EDA is allocating $500 million to collaborative skills training systems and programs. EDA encourages efforts to reach historically underserved populations and areas, communities of color, women, and other groups facing labor market barriers such as persons with disabilities, disconnected youth, individuals in recovery, individuals with past criminal records, including justice impacted and reentry participants, serving traine
      • What do you mean now? Have you been in a coma the past 10 years? Diversity goals are not new.

      • Re: (Score:3, Insightful)

        by Luckyo ( 1726890 )

        And one of the biggest racists on the site instantly goes for racist argument. "But those people of the race I hate are retiring, it's such a great opportunity to elevate races I love in their place".

        Notice how merit not only doesn't even enter into consideration, it's specifically and pointedly ignored. And the complaint that follows is "but those people of race and sex I find inherently superior have to tolerate being thought of as inferior". Imagine how much of a two-faced scumbag you must be to specifical

        • by AmiMoJo ( 196126 )

          I don't hate white people. I'm half white.

          Older white people are retiring in larger numbers, that's just a fact. Many of them did well and can retire a little early. Boomers aren't exactly known for being short of cash, especially since their properties likely have huge amount of equity in them and they can downsize with a nice lump sum.

          A lot of them got COVID and never fully recovered either. Its severity correlates with age. Another reason for early retirement or going to part time, or they are simply dea

          • While the current IT makeup is 90%+ white males... I read about some discussions going on when they were trying to decide what the constitution will look like. Many signers admitted that a lack of diversity will kill this country in about 300 years. Yet, McConnell has been quoted saying "he would only allow [hire] white males to run is IT, Bannon said for years that white people need to get serious about IT to "control the narrative", Weinstein wanted to run IT operations for the white house and said "it didn

    • ...it's just going to be a diversity hire program, mostly hiring talentless people that were born into the right skin color rather than talented...

      If I were a woman or minority, I'd be offended that the Biden administration has such a low opinion of me.

      • If I were a woman or minority,

        You have no idea how you would feel if you have never been either of those things.

        I'd be offended that the Biden administration has such a low opinion of me.

        That's the opposite of what's happening, but OK boomer.

    • It's not like any of this is magic, or that people with one skin hue have some mystical ability to manage firewalls or peruse security logs better than another. The software is complex, but then again lots of jobs are complex. Do you have a specific objection, beyond your fear that non-Caucasians will enter the field?

      • by Luckyo ( 1726890 )

        Yes, I have an objection against racism. Both in general and in hiring processes in particular.

        Takes one hell of a racist to consider this such a non-issue as to just waltz past that and go "you must have a fear for this specific race losing their imaginary superiority".

    • This sounds like another graft program for cronies. Some big bucks will go to those people and/or companies picked to run the program(s).

    • by gtall ( 79522 )

      Ya, what white folks need is a jobs program that only hires them. You poor little sensitive white snowflake. Years of discrimination have left no mark on you.

      • by Luckyo ( 1726890 )

        This is exactly how a typical modern racist would react. Complete lack of understanding of concept of merit, coupled with projection of their own racist world view upon others.

        You don't even know what race I am, and yet you are absolutely certain I'm "white", because to you, race is integral to the ideology. You are the Joe Biden with the "if you don't vote for me, you're not black". Because to you, those races that aren't white? They're slaves, to be farmed for social capital among your peers.

        It's why ther

  • Pay enough and the gap will close itself.

    As it stands now good security people don't make enough so spots are filled by every idiot claiming to be able to spell "cyber". This is not a surprising outcome.

    If CEOs (and government managers) were held truly liable for data breaches in a way that directly and personally impacted them then the so-called gap would close damned quick.

    No one wants to pay for real security because it is expensive and doesn't generate top line revenue.

    At the other end, I think various

    • Re: (Score:3, Insightful)

      by _xeno_ ( 155264 )

      Pay enough and the gap will close itself.

      Don't worry, they already thought of that:

      will particularly focus on recruiting young people, women and minorities to train and work in the cybersecurity field

      This is just another virtue signaling thing, where they're using a bunch of buzzwords you can bet none of them understand to signal to their own voters that they're doing "the right things" and provide a reason to vote for a staggeringly unpopular administration.

      And you're right, none of this really matters because the risk of any real consequence is ultimately seen as low. No one cares about cybersecurity until after they've been hacked, and then they just blame th

    • by Tablizer ( 95088 )

      No one wants to pay for real security because it is expensive and doesn't generate top line revenue.

      Those managers who make bad decisions often just hop to a new company using their Buddy Network when things go sour. They don't see the risks of the gamble as falling on them.

      Gamble by cutting corners, if it works party, if not, hand the bag to somebody else and hop ships. Rinse, repeat.

    • Pay enough and the gap will close itself.

      Not when the laws and their enforcers get in the way of learning or practicing the profession.

      "White Hat" security research or work has major legal pitfalls, and a number of practitioners who have identified vulnerabilities and engaged in responsible disclosure have been sued or prosecuted as criminals rather than praised and rewarded. A newbie learning the techniques, without a public track record, is even more at risk of being hauled before a court, pauperized, a

  • by Virtucon ( 127420 ) on Wednesday July 20, 2022 @09:19AM (#62718630)

    $500 million for 500,000 vacancies? Not everybody wants to work in IT, not everybody is cut out to be in cybersecurity. It's like "Learn to code" whereby we have a lot of new talent coming into the workforce but like any group, there's a bunch of duds too. What they're hoping to do is create a program, dump money into it and say "we did a thing."

    • So, would you say that you have supplied the requisite "equal and opposite criticism" for this action, then?

    • The $500 million isn't just for cybersecurity jobs but is a larger overall job training program, this is just a sub-program from that.

      Good Jobs Challenge [eda.gov]

      I imagine this is for people already in or considering the CS/IT fields but to gently push them into security roles.

    • by _xeno_ ( 155264 )

      $500 million for 500,000 vacancies?

      Less than that for more than that. It's pulling funding from a program that's been funded for $500 million, it doesn't get the entire thing. Also, the last line of the summary (plagiarized straight from the article I note) says that there are now 700,000 unfilled positions.

      So how do they solve the fact that they're trying to spend less than $715 per position to fill it? Well, simple, this isn't trying to fill those positions. Rather, it's trying to train people to be able to fill those positions, by "creat[

    • There's a saying in German, the knave thinks (everyone is) the way he is.

      Politicians noticed that any braindead bum can do their job, so they expect this to be true for every other job, too.

  • He specifically said it was a government contract.

    Here is the opening https://leidos.wd5.myworkdayjobs.com/External/job/Columbia-MD/Jr-Cyber-Software-Engineer_R-00079575

    The idiot can't write a SQL query, doesn't know how a computer works, and doesn't know how the internet works.

    He essentially graduated with a bachelor's degree and knows how to be a stack exchange google-fu code monkey, but has never had a real job since graduating university 2 years ago, and who thinks he is worth $100k because he got interes

  • >...will particularly focus on recruiting young people, women and minorities to train and work in the cybersecurity field...

    Yup. Sure looks that way. Maybe there's something wrong with your hiring profile when it could be confused with a porn cast or a 19th century plantation house.

  • This cannot be fixed fast. IT security does not only need education, it needs experience. Say a minimum of 3 years education and a minimum of 5 years experience. After that time people doing it will probably start to actually become effective. If you get the right people in the first place. An experienced person in this field currently runs at something like 150k annual salary and up. Maybe you can get somebody competent for 120k, but go below that and see title of this posting.

    • Security is the "and then security on top" of IT. You want someone to secure your database? You need someone who knows databases, and then security on top of that. You want someone to secure your mainframe? You need someone to have a clue about mainframe administration, and security on top of that. You want someone to secure your webpage...

      Security is the "endgame" of IT. There is no shortcut to it, at least if you want to do it right.

  • Whilst a commendable initiative, China now has 100% of your IP, so I'm not sure what is going to be protected...
  • Five percent of 350 Million is about 17 and a half million. Subtract the people who are smart enough and determined enough to be doctors and lawyers and scientists and you don't have a great talent pool to pull from in the "Top Five Percent" of the population for your IT Army. Now subtract the dumb-ish ones who can't pull their heads out of their phones even though they otherwise have potential. And the ones who are inclined to take the easy way out. They won't work in IT either. Now estimate how many

  • Now we get a bunch of clueless security morons to discover the blunders the clueless cargo-cult programmers introduced that we produced with similar programs for the lack of programming talent, who first of all caused the glaring security issues that were exploited and led to companies scrambling for security staff.

    What could possibly go wrong?

  • This should be a piece of cake for the Bidenoids, as the one, and maybe only, thing they excel at is filling vast numbers of positions with incompetents.

  • I'm 70 years old. I've been in the IT industry for 50 years. I've taught system and network security at the university level. I've taught classes literally all over the world from Fiji to Moscow. Think I can get a job? Hell, I can't even get an interview.

    (Frankly most places that should hire me can go fly a kite. They are so mismanaged I'd be happy to tell them that I'm retired even as I watch them crash and burn.)
