Differences Between Private Sector and Government Cybersecurity
There are many paths you can decide to take on your cybersecurity career journey. Some decisions will be about the details, and others will be broader in scope. A broad decision might be whether to work for the government (the public sector) or for a commercial business (the private sector).
We talked to cyber risk management expert Rob Arnold, founder and CEO of Threat Sketch, about the differences between the two and what you should know as you decide which sector to enter. "For the government...keeping services flowing to the citizens is more important than the bottom line," Rob says. However, in the commercial world, the main concern is usually profit. But there is an upside: "The ability to measure profit so precisely with dollars and cents makes decisions a little easier because they can be readily quantified."
Wondering what else you need to know about government cybersecurity versus working in the private sector? Consider the questions below to help you make your decision.
Where Do I Want to Work?
Many government agencies employ cybersecurity professionals, including the CIA, NSA, and FBI. However, the largest national cybersecurity employer is the Department of Defense (DoD), which in 2015 laid out a cybersecurity plan to build a workforce made up of 133 teams and 6,200 individuals. The plan also recognized a need to attract the best talent by building "strong bridges to the private sector." This means government agencies are on the lookout for cybersecurity talent, and are working to win them over from the private sector.
In the private sector, the largest employers are healthcare and finance, and this is not expected to change. But, Arnold says, "As larger businesses shore up their security, the bad actors are turning their focus to small and medium organizations who are less equipped (or willing) to secure their data." Thus, you can expect to find cybersecurity jobs in small businesses on the rise. In addition, the private sector owns 85 percent of the country's critical infrastructure, like power grids and chemical facilities, which will increasingly need protection from cyber attacks.
What Education Will I Need?
"At this point the major cybersecurity credentials out there are universal to all sectors," says Arnold. "That will change over time as cybersecurity becomes more and more specialized." For now, however, private sector and government cybersecurity requirements are largely the same. The one exception is the Department of Defense, which issued Directive 8140 to establish the minimum qualifications its professionals should have.
The DoD cybersecurity requirements reconfirm the significance of well-known certifications like CCNA Security, Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and Certified Information Systems Security Professional (CISSP). The directive also added several newly approved certifications, such as CompTIA Advanced Security Practitioner (CASP) and Certified Ethical Hacker (CEH). These credentials are equally important in the private sector.
If you're considering a degree along your path to working in the government sector, there may be one thing that can give you an edge on your competition. "Academic programs that are NSA Center of Excellence-certified and those aligned with NIST's NICE effort will likely make it easier to get a government cybersecurity job," adds Arnold. There are 200 colleges across the United States that have earned the NSA Centers of Academic Excellence in Cybersecurity designation, including both two- and four-year colleges.
What Is Best for My Career?
Government cybersecurity careers can give you more opportunity to learn and grow, as you are typically able to take on more responsibility and "climb the ladder" faster than you would in a private company. They are also excellent entry-level jobs because processes and training are established and clear. If this is your first job in the field, the public sector can be a great way to get started in your cybersecurity career.
Keep in mind that cybersecurity defense contractors are not the same as working for the government directly. With a contractor, you may not get as much experience as you would in the public sector, as contracts are usually for specialized skills—but you will most likely gain a higher salary. Similarly, the private sector will typically pay more than government cybersecurity jobs, and you may get stock options as well.
In the end, you don't have to think about this as an "either/or" decision. Many professionals work in both private sector and government cybersecurity over the course of their careers, and a mix of both can be beneficial to your perspectives and your skillset. "The best way to stay abreast is to be forever curious," says Arnold. Hear, hear!