Slashdot Mirror

← Back to Stories (view on slashdot.org)

RAND Study: Looser Civil Service Rules Would Ease Cybersecurity Shortage

Posted by timothy on from the rand-can't-help-seeming-creepy dept.

New submitter redr00k (3719103) writes with a link to the summary of a RAND Corporation study addressing "a general perception that there is a shortage of cybersecurity professionals within the United States, and a particular shortage of these professionals within the federal government, working on national security as well as intelligence. Shortages of this nature complicate securing the nation's networks and may leave the United States ill-prepared to carry out conflict in cyberspace." One of the key findings: waive the Civil Service rules. (The NSA can already bypass those rules; RAND's authors say this should be extended to other agencies.)

4 of 97 comments (clear)

  1. RAND totally misses it by Anonymous Coward · · Score: 4, Interesting

    1. Good cyber people won't put up with the insane government clearance bullshit. They'll go to work for Google or Microsoft.
    2. Good cyber people don't want to live in places like Jessup, Maryland or Barksdale, Louisiana.
    3. Lots of good cyber people are autodidacts; the report says no more autodidacts should be hired because Ed Snowden was an autodidact. Puh-leeze.

    1. Re:RAND totally misses it by Anonymous Coward · · Score: 5, Interesting

      I don't think that you're fully considering point 3).

      Have you ever actually worked with any autodidacts?

      Having worked with several hundred of them at this point in my career at various jobs, I've found them to be among the worst people to deal with.

      They may have a surface-level knowledge of a particular topic, but they just don't have the depth or breadth that somebody with more formal training tends to have. But that's not even the worst part.

      The worst part is that they often have absolutely no idea how much they don't know, thus they think that the little they do know is sufficient. At least people with even just some academic background will know that there's a whole helluva lot they don't know, even after years of study and experience.

      If you've had to deal with Ruby or JavaScript programmers you'll probably know what I mean. They're often young, totally self-taught, and are often high school dropouts. They can create simplistic web apps, but that's pretty much where it ends. The moment it moves beyond that, they're either creating really big messes or they're moving on to their next "opportunity". If you confront them about the messes that they're creating due to a lack of knowledge and understanding, they'll just label you an "academic snob" and dismiss you without a second thought.

      While somebody with college training isn't guaranteed to be better, in practice they usually are, or at least they understand their level of knowledge better. They're much better people to work with, and the work they produce tends to be a lot better. I think it's totally worth ignoring the one or two good autodidacts out there if it also means missing out on the thousands who are absolute crap.

    2. Re:RAND totally misses it by Anonymous Coward · · Score: 2, Interesting

      Have you ever actually worked with any autodidacts?

      Having worked with several hundred of them at this point in my career at various jobs, I've found them to be among the worst people to deal with....

      The worst part is that they often have absolutely no idea how much they don't know,

      Yes.

      This is the real problem with autodidacts; their knowledge is patchy and has huge holes, whole areas of study that they are ignorant of. Far too often, you have to spend a few hours educating them just to get them to the point where they understand what they don't know.

  2. So train them. by Animats · · Score: 4, Interesting

    Read the entire paper, not the summary. There are some interesting points there. One is that NSA does not have a shortage of cybersecurity experts. That's because they train them. It takes three years of full-time training. The agencies that complain that they can't find anybody aren't investing in their people in the way that NSA does. Other agencies don't invest in their people like that.

    This is typical of employer whining about not being able to get the people they want. Sure, the companies who want people with some very specific skill set, right now, often at low pay, can't find them. Organizations that are willing to train people don't have those problems.

    One unexpected item from the paper: "One operating system, having been installed in almost a billion devices, has yet to attract malware in any significant way -- although it is falls short of being provably secure." What are they talking about? QNX? VxWorks?