The federal government has pledged nearly a billion dollars to strengthen its cybersecurity capabilities — but even the security agency tasked with the bulk of that work acknowledges that recruitment is challenging.
Canada’s electronic spy agency, the Communications Security Establishment, is set to receive a large influx of funding to launch cyber operations and ward off attacks on government servers, power grids and hospitals.
CSE, which gathers and decodes signals intelligence and is also in charge of technology security for the government, says it receives 10,000 to 15,000 job applications per year. But only about one or two candidates out of 100 applicants go on to be hired after the skills testing and background security checks.
“It is no secret that recruitment for high-tech organizations remains challenging and highly competitive,” said CSE spokesperson Evan Koronewski.
“At CSE, the same is true due to the specific technical competencies we require for many of our positions, the necessary security clearances, and the current requirement for successful candidates to relocate to the National Capital Region.”
CSE is still working out how many codebreakers and codemakers it needs to support the increased demand for their services. Koronewski wouldn’t say how many unfilled positions CSE is trying to fill. The agency has an annual attrition rate of about four per cent, he said.
“We just don’t have the talent pool and without developing that talent pool, we’re going to be in a lot of trouble,” said John Zabiuk, chair of the cybersecurity program at the Northern Alberta Institute of Technology in Edmonton.
‘Bidding war’ for top talent
As the number of ransomware and malware attacks rise, more companies and organizations are investing in their in-house cybersecurity, he said.
“It’s kind of a mad scramble right now for organizations trying to find cybersecurity skills and employees. And because of that, when they do find a person, that person is so sought after that,” said Zabiuk.
Governments often find it hard — if not impossible — to match those private sector salaries, he said.
“It almost becomes like a bidding war for the employees, so unless you can play in that game you’re going to miss out on those talents,” he said.
A quick browse through LinkedIn shows a handful of former CSE employees who have moved on to senior positions at private companies.
Christyn Cianfarani is CEO of the Canadian Association of Defence and Security Industries, which represents hundreds of defence, security and cyber companies. She said that because there’s not much in the recent federal budget suggesting the government will lean on the private sector workforce, she’s “preemptively pessimistic.”
“In a country as small as ours, we’re all fighting for the same talent. That’s the head-scratcher. How can they go it alone? It will be a never-ending resource shortage,” she said.
Could Ottawa work with the private sector?
Cianfarani pointed to a program run by the National Cyber Security Centre in the U.K. called Industry100 which brings together government and industry representatives to identify vulnerabilities and ward off cyberattacks.
Under the U.K. program, secondments from the private to the public sector range in duration from a day to a week to a month. Participating organizations continue to pay the salaries of seconded employees — which often are higher than public service salaries. Security clearances are still required.
“I refuse to believe that if the U.K. can figure out the way in which to make classified networks, classified systems and the public-private domain swappable, that we can’t figure that out in Canada,” said Cianfarani.
“The siloed approach we know doesn’t work anymore. We think it should change and this budget didn’t give us the warm fuzzies.”
Public Safety Minister Marco Mendicino, who is helping to oversee Ottawa’s national cybersecurity strategy, said that one of his goals is to scale up the cybersecurity workforce.
Part of that effort, he said, could involve looking abroad.
“I think we should be creating dedicated pathways to attract talent in cybersecurity,” said Mendicino.
“We should never compromise security just to hire someone. But what I am talking about is working closely with provinces and provincial regulators to make sure that if somebody comes and has a solid degree or a diploma that qualifies them, that bureaucracy and red tape don’t get in the way of onboarding them as quickly as we possibly can.”
For now, CSE said it’s updating its recruitment programs and concentrating on its co-op programs to bring in students.
“We recognize there are challenges and restrictions for those working in the security and intelligence community,” said Koronewski.
“But CSE’s work is all about protecting Canadians — our security, our economy and our communities — and we take our work very seriously.”