Shortage of People or Ideas?

Is there really a shortage of cyber security experts, as this article would suggest, or are there hindrances to hiring the available experts into government positions? On only need to do a cursory search for all the people with cyber security experience and credentials (a topic for another day) who are looking for work to say that it is pretty clear that the latter statement is more accurate than the former. Regardless of whose numbers you use, the cyber security market is measured in tens of billions of dollars. Cyber security is where the food is, to paraphrase an old Sam Kinison routine, and people are flocking to it. What most of the best practitioners are not prepared to flock to is the paperwork, bureaucracy and (frankly) bulls*** that is par for the course for government work. There is a lot of cool work in the government, some things only the government can do, but the government is not for everyone.

Even if the government could get as many people as it needed to improve security, why do some think that throwing more bodies at the problem is the only way to ‘scale’ to address the issues? Throwing bodies at a problem stopped being a successful strategy back when the attrition warfare model went out of vogue. Better security isn’t going to come with a rise in the size of the ranks; it will come when we have in place models that let security mechanisms scale to match security threats.