4 Barriers to Hiring DHS InfoSec ExpertsRecruiting 1,000 IT Security Specialists Could Prove Challenging
(This story has been updated with a comment from a Department of Homeland Security official.)
Although the U.S. Office of Personnel Management this week granted the Department of Homeland Security permission to hire 1,000 cybersecurity specialists, that authorization doesn't ensure that 1,000 experts will be hired anytime soon.
"The hiring process, and we've gone through it, is absolutely brutal," Tony Summerlin, a senior strategic adviser to the Federal Communications Commission's CIO, told DHS Secretary Jeh Johnson at a Council on Foreign Relations event on U.S. cybersecurity readiness earlier this month.
OPM posted in the Federal Register this week the authorization for DHS to hire up to 1,000 new staff members to perform cyber-risk and strategic analysis; incident handling and malware/vulnerability analysis; cyber-incident response; cyber-exercise facilitation; cyber vulnerability detection; intelligence analysis; investigative analysis; and other related tasks. All of the positions are classified as General Schedule grade levels 9 through 15, which range from mid-level to top-level supervisory positions.
Recruiting and then processing to hire 1,000 people will be an "incredible challenge" for DHS, says Mark Weatherford, a former DHS deputy undersecretary for cybersecurity.
Weatherford, now chief cybersecurity strategist at data center security provider vArmour, identifies four challenges the DHS faces in hiring so many information security specialists:
- Identifying 1,000 qualified individuals willing to take those jobs;
- Dealing with insufficient departmental resources to review and process applicants;
- Persuading newly hired personnel to work in Washington, where most of the jobs would likely be based; and
- Completing the laborious process of obtaining security clearances for qualified recruits.
By some estimates, there's a shortfall of more than 200,000 IT security specialists in the United States. Competition for qualified personnel is intense, not only with the private sector but within government itself.
To be competitive, Johnson says DHS needs to be "creative, innovative and aggressive" in its recruitment efforts. "There is the basic problem of competing with a lot of really sophisticated actors in the private sector," he says. "I like to try to appeal to the patriotism of people in doing so, to come serve their country at least for a couple years and learn what you can about the government's capabilities to carry with you for your entire career."
Another barrier to hiring critical IT security staff are outdated federal government rules that define the qualifications for specific jobs. Some jobs might require specific academic and certification credentials.
But the National Institute of Standards and Technology's Rodney Petersen says some qualified IT experts could perform effectively the tasks required in those position without having the required academic degrees and cybersecurity credentials. "There is really no direct evidence that [degrees and certifications] measure the knowledge, skills and ability needed [to do the job]," says Petersen, director of NIST's National Initiative for Cybersecurity Education, commonly known as NICE.
Even if Homeland Security successfully identifies 1,000 qualified people willing to join the department, it lacks the internal staff to navigate the archaic civil service hiring procedures. Current hiring procedures can be slowed by rigid requirements. Instead, Weatherford says, the department should be allowed to be more flexible in hiring critical personnel.
Processing recruits was a problem Weatherford faced as deputy undersecretary a few years ago when DHS hired scores of IT security specialists. "The civil-service hiring process, and the people we had at DHS, couldn't process people fast enough," Weatherford says. "The first thing they're going to have to do is look internally and build up the capability to just onboard a thousand people because that's not a trivial endeavor, at all."
Asked to respond to a lack of staff to process hundreds of applications, a DHS official, speaking on background, contends the legislative authority to hire the additional personnel "is intended to equip the department with the ability to hire cyber professionals up to the cap of 1,000." Last December, the official says, Congress enacted a law to grant DHS the "additional human capital authority with regard to cybersecurity positions. ... DHS is currently drafting regulatory text as part of the process to implement those new flexibilities."
Qualified personnel, especially those being recruited from colleges and universities, might not want to live in the Washington area, where the bulk of DHS's IT security jobs likely will be based.
"Here in the greater Washington, D.C., area, we know that we have significant amounts of cybersecurity jobs that are available and we would love students from Texas and California and South Dakota and Kansas to come here and fill these jobs," NICE's Petersen says. "But the reality is a vast majority of workers or students in those states are going to want to work locally because of their family connections and cultural backgrounds and whatever local connection they might have."
Weatherford recommends that DHS establish IT security operations centers throughout the country to attract expert staffers and managers who won't relocate to Washington.
Requiring Security Clearances
Those hired for many of the 1,000 positions will be required to receive security clearances before they can start work. According to the DHS website, security clearance screening takes an average of three months to complete. But the process can vary from two weeks to one year, depending on the level of security clearance required for the position and a variety of other factors, such as if a candidate has spent a significant amount of time overseas or has dual citizenship.
A 2011 report from the director of national intelligence shows it took 169 days, on average, for DHS to process a security clearance, 2Â½ times longer than all agencies, which averaged 65 days.
To speed hiring, Weatherford suggests that IT security personnel who do not handle classified materials or work on classified systems skip the security clearance process. He says they could be segregated from those who work on classified materials by being assigned to job sites where they cannot access classified resources.