Why the Military Is Losing the Battle for the Best, Brightest Cybersecurity Talent

COMMENTARY Cybersecurity

Why the Military Is Losing the Battle for the Best, Brightest Cybersecurity Talent

Feb 27, 2019 3 min read

Commentary By

Elias Gavilan

Spring 2019 member of the Young Leaders Program at The Heritage Foundation

James Di Pane

Policy Analyst, Defense Policy, Center for National Security

The Pentagon makes its search even more difficult because of its unwillingness to accept applicants who lack college degrees, regardless of their technical qualifications.  Towfiqu Photography/ Getty Images

What do GPS satellites, F-35s, and the new Department of Veterans Affairs health care records management system have in common? 

The latest Defense Department annual assessment of cyberthreats has found disturbing weaknesses in each of these systems. 

Furthermore, Robert Behler, director of the Defense Department’s Operational Test and Evaluation, claimed that the Pentagon’s cybertesting was crippled by a lack of expertise and required tools to assess software-intensive systems. 

Something needs to be done to improve cybersecurity, and it all starts with attracting talented people to tackle complicated problems.

However, both the Department of Defense and the private sector are scrambling for talent. By one estimate, there will be 3.5 million unfilled cybersecurity jobs by 2021.

Thanks to this high demand for cybersecurity professionals, combined with the low supply of qualified candidates, it’s becoming increasingly difficult to recruit individuals into the ranks of the government.

The problem is aggravated when the private sector offers a plethora of jobs for individuals with this skill set. Those jobs tend to offer superior pay, a more casual work environment, and better opportunities for employees to hone their craft. 

The Pentagon makes its search even more difficult because of its unwillingness to accept applicants who lack college degrees, regardless of their technical qualifications. 

The military will provide cybersecurity training and jobs for personnel who receive a qualifying score on the Armed Services Vocational Aptitude Battery test. But entry-level civilian cybersecurity jobs at the Department of Defense usually require a bachelor’s degree, despite the fact that many of the technical qualifications for these professionals can be achieved without ever stepping onto a college campus.

The current hiring model is simply not working

The Department of Defense’s unnecessary focus on traditional educational backgrounds only shrinks the already dwindling pool of potential workers even further. 

The Department of Defense must recruit candidates who have nontraditional—yet professional—educational backgrounds to allow for more potential candidates, as The Heritage Foundation laid out in its recommendations for the National Defense Authorization Act.

A start would be to accept credentials from Massive Online Open Courses—aka “MOOCs”—and technology boot camps. These two excellent forms of nontraditional education are widely respected in the cybersecurity field, with many graduates from MOOCs and boot camps landing jobs in the private sector.

One particular technology boot camp, known as Coding Dojo, boasted that 94 percent of its onsite graduates got technology-related jobs within 180 days of graduation. 

MOOCs and technology boot camps each present their own unique strengths in the realm of cybersecurity studies. 

MOOCs are very fluid and adaptable courses. They allow a student to learn the necessary skills required for a cybersecurity job by adding courses that complement their own personal strengths and weaknesses. 

They can be used both as a supplement to conventional study or as a stand-alone course to achieve certifications. 

Technology boot camps are much more focused in nature, with courses that tend to be shorter, yet more intense. 

Much like their military namesakes, these courses teach all of their students the same curriculum, starting from an assumption that they have no prior computer experience. While less fluid, they put a lot of focus on practical skill sets and future job placement. 

When it comes to the military, the department already has technical requirements that an applicant must possess before being qualified for a job, so it should not matter whether a candidate met these requirements through their education in a college, a MOOC, or a technology boot camp. 

Opening up to these nontraditional educational backgrounds would make the recruiting pool much wider. 

Such a policy would help the performance of the cybersecurity force, since more unconventional backgrounds would bring different strengths to the table. 

Adm. Mike Rogers, former commander of the U.S. Cyber Command, promoted this sort of diversity, warning against relying on “cookie cutter”personnel.  

Changing the department’s educational requirements would result in a larger, more diversified, and ultimately more effective U.S. cybersecurity force.   

The Defense Department must now choose whether it will renovate an antiquated system or fall by the wayside in the stiff competition for cybersecurity talent.