Cyber labor shortage not what it seems, experts say.

Author: Magnuson, Stew

Businesses and government agencies are engaged in a dogfight over cyber security talent, or so the conventional thinking goes. The shortage of qualified cyber security personnel continues to cause handwringing inside the beltway.

That is mostly still true, but the situation is more nuanced, said Alan Paller, cofounder of the CyberAces nonprofit, who also chaired a Department of Homeland Security task force on cyber job vacancies.

"There is no shortage of people who can talk and write about cyber security," he said in an interview. "The shortage is in the people who actually have the hands-on skills to quickly find the infections, get rid of them and do good incident handling. Those skills are very rare."

U.S. universities are cranking out plenty of graduates with cyber security-related degrees, but they have mostly studied policy, he said. Many of those graduates aren't getting good jobs. Faculty members don't have real-world skills, so they are not teaching how to perform complicated tasks such as application penetration testing, advanced memory forensics or wireless hacker exploit development.

It's the difference between sitting in a classroom learning about flying an airplane, and sitting in the cockpit with an instructor actually piloting the aircraft, Paller said.

"The pipeline is putting out way too many people who can talk about cyber security and not enough people that can do it," Paller said. Only a handful of universities offering cyber security degrees are producing graduates who have "hard skills," he said.

A recent study by the RAND Corp. took a look at some of the assumptions about the cyber security labor shortage.

In "Hackers Wanted: An Examination of the Cybersecurity Market," authors Martin C. Libicki, David Senty and Julia Pollak challenged some of those assumptions.

They found that the real shortage is predominantly in the upper tier of professionals--roughly the 1 to 5 percent of those in the field who can detect advanced persistent threats and find hidden vulnerabilities in software.

These individuals are more likely to be in their 30s rather than recent college graduates in their 20s. They can demand salaries of about $200,000 to $250,000 per year, the authors said.

That is far more than what the government can pay, which is why some departments such as DHS are having a difficult time attracting talent with hard skills, the report said.

If the universities are failing to provide what corporations and government agencies need, then...
