The RAND report acknowledges the market for cybersecurity professionals in general is highly diverse, where there's often a line drawn between "good and great hackers--almost to the point where they are different markets--and different people," the report says. And it's shaking up human resources departments because traditional means of finding and vetting the right talent aren't necessarily effective.
It points out that the "best of the best" in this field are very good at finding vulnerabilities in software for both defensive and offensive purposes (such as creating tools that can be used to attack systems). There's a growing recognition that sometimes these hackers are "born and not made," and that there are "naturals well under 18 years old." If hackers have talents that are "innate," the question of training them is secondary to discovering them and convincing them to make "cybersecurity a lifetime's work" with educational opportunities and "requisite ethical norms," the report says.
Human resources staff struggle to pinpoint suitable cybersecurity candidates because, in part, "cybersecurity credentials have proven to be only weakly correlated with competence." HR departments are adjusting to the idea of identifying innate talent through things such as successful participation in hackathons.
But according to the "H4CKERS WANTED" report, the hardest type of cybersecurity professional to find and recruit overall is the individual who combines technical talent with business and organizational experience and management skills. Such people typically are in their 30s, not 20s, the report notes. This "upper-tier" professional can make well over $250,000 per year. While government can find it hard to compete in the $300,000 range, the report says the NSA has been able to "persuade their veterans to stay in the face of very large salary offers (typically double--which then translates to near $300,000 a year)."
Those who leave the NSA at that level often go to the banking sector, for example, or to defense firms and other government contractors.
The RAND report, in its recommendations to the government, suggests more focus on "grooming" younger cybersecurity professionals for management. "For instance, if jobs in the greatest demand require managerial experience, more intensive efforts can be made to take promising cybersecurity technicians, so to speak, and run them into management to determine more quickly which of them can achieve the rare combination of technical and managerial skills."