It's Hard to Know Where to Turn During a Cyber Attack

The private sector holds a lot of the cybersecurity talent.

If a chemical, biological or nuclear attack were to strike the United States, most would assume the government is the most capable entity to respond. But what about a cybersecurity attack? What industry would be best suited to respond? One expert argues that it all comes down to the war on cybersecurity talent. 

“When you talk about the cyber threat, the most capable responders are not government employees, they’re in private industry,” said Evan Lesser, managing director at “While the government has some good talent, it’s pretty much understood that the best and brightest talent in cyber warfare is coming from industry. It makes the lines blurry in regards to response.”

The challenge is that the government and private industry have not fully run through the question of who would be in charge and would most effectively respond to a cyber attack. One thing the government has done, he said, is partner with the private sector to share information and exchange personnel. “But when you look at the broader issue of attacks on our public resources, it’s unclear which government agency is best set up to respond,” he said. “There’s not a lot of coordination at this point.”

The usual culprit for the lack of sophisticated cyber talent -- both in government and industry -- is the education system, which has fallen behind in terms of grooming students for science, technology, engineering and mathematics, or STEM, positions, Lesser said.

Complementary to that, however, is the issue that some of the brightest minds in cybersecurity belong to people who have participated in illegal acts like hacking, Lesser said. “There’s a lot of talent within the hacker community, but it’s difficult for them to have the courage to go to government and admit to some of the things they’ve done that are illegal,” he said. “There’s also a culture in the hacking community that views the government as intrusive and the enemy. It’s not very cool to work for government.”

In addition, many of private industry’s cyber experts are not necessarily U.S. citizens, Lesser said. While they have the knowledge, expertise, and a better STEM education than most U.S. students, they cannot obtain a security clearance, he said.

And with such a limited pool of cyber talent, it’s no surprise that cybersecurity workers are among the most highly-paid employees who hold an active security clearance. A recent ClearanceJobs survey found that 59 percent of security-cleared cyber workers were happy with their pay – with total compensation averaging more than $101,000. Sixty-four percent said they were happy their jobs. 

At the same time, however, 36 percent of security-cleared cyber workers responding to the survey said it is very likely that they will change jobs within the next year and would expect a salary increase. “From a budget perspective, it’s very hard to hire these people and retain them,” Lesser said. “And it really doesn’t play in our favor that budget cuts are coming at a time when there is this new threat.”