5 Problems that Plague Federal InfoSec HiringSolutions Posed to Close the Cybersecurity Talent Gap
That the federal government struggles to recruit and train qualified cybersecurity personnel isn't new. But a just-published report details the challenges agencies face to build and maintain an IT security workforce and offers recommendations on what can be done to improve the situation.
The nonpartisan, not-for-profit Partnership for Public Service, working with the business consultancy Booz Allen Hamilton, produced the report titled Cyber In-Security II: Closing the Federal Talent Gap, which compares current challenges in building and retaining a federal government IT security workforce with efforts the government faced in 2009, when the partnership published its original report on the federal IT security workforce.
As the report points out in its introduction, no government-wide strategy to build a vibrant, highly trained and dedicated federal cybersecurity workforce existed in 2009, and after six years the government continues to lack a clear definition of cybersecurity jobs.
"What's surprising is that it appears we haven't made as much progress as we should," says Karen Evans, national director of the U.S. Cyber Challenge, who once served in the post now known as the federal chief information officer.
Lack of Coordinated Strategy
The report says the lack of a coordinated strategy to help agencies get the high-level talent they need continues to be a major problem. The departments of Defense and Homeland Security have been able to get legislative authority that will enable them to become more competitive for top cyber talent, but the report points out that other agencies remain wanting.
Sen. Tom Carper, D-Del., who sponsored legislation enacted in the last congress that provided more hiring flexibility for the Department of Homeland Security, says the government needs to take similar actions for other federal civilian agencies.
"As this report underscores, more work needs to be done to build on those efforts and to give federal agencies the necessary authority to stay ahead of the curve in cyber workforce recruitment and retention" says Carper, ranking member of the Senate Committee on Homeland Security and Governmental Affairs, the panel with government IT security oversight.
Systemic Underlying Problems
Former Transportation Chief Information Officer Daniel Mintz, who was interviewed by the study's authors, says the report does a good job documenting the challenges the government faces in building and retaining a cybersecurity workforce, but its suggestions to fix the problems could be more detailed.
"There are a lot of problems with people who come in with a solution to government problems; they don't take into account the fact that there are systemic, underlying reasons why well-meaning and knowledgeable people aren't able to solve the problems," says Mintz, program chairman for information systems management at the University of Maryland's University College. "Just articulating the problem isn't enough. The question is: What are the steps you have to take that will do something about that? And they're a little light on that."
Still, Mintz says, he likes some of the recommendations, such as promoting scholarships programs, creating cybersecurity academies and establishing programs to allow cybersecurity experts to interact. "I think they're good ideas; there's meat to that," he says.
In the report, the authors identify five challenges to sustain a cybersecurity workforce and offer a series of recommendations to improve it:
1. Government Lacks a Master Cyber Workforce Strategy to Attract, Retain Top Cyber Talent
Without a master strategy, agencies mostly operate on their own under a haphazard system. Agencies in the intelligence and defense communities have more success than others, leaving the playing field in the federal government for cybersecurity talent uneven at best. Because the emerging talent needs remain undefined, supervisors and employees experience frustration in understanding who in the current workforce needs to be retrained to meet future requirements.
- Develop a comprehensive cybersecurity workforce strategy.
- Create a new occupational job series for cybersecurity employees.
2. Skilled Cyber Workers Are in High Demand, and the Federal Government Struggles to Compete
The demand for skilled cybersecurity talent outstrips the supply, and that demand is expected to grow and evolve in the years ahead. Citing a Rand study, the report's authors say the shortage is most acute at the upper end of the workforce for employees with such skills as forensics, code-writing and those capable of thinking like an attacker to figure out a system's vulnerabilities.
- Expand cybersecurity internships and scholarships.
- Create a cybersecurity reserve corps for college students, similar to the military's ROTC, with the students committing themselves to government service upon graduation.
- Make academic cybersecurity certification more rigorous, which would create a more skilled workforce.
3. Government Loses Top Candidates to a Slow and Ineffective Hiring Process
The overall slowness of the federal hiring process places the government at a competitive disadvantage. The length of time it takes to receive a job offer can result in talented individuals getting frustrated and taking positions in the private sector. A number of federal leaders interviewed said that as a result, critical positions have remained vacant for long periods of time.
- Expand direct-hire authority to allow agencies to expedite hiring by eliminating competitive rating and ranking and veterans' preference.
- Designate all cyber positions for the excepted service. Excepted service jobs are exempt from some procedural requirements that apply to competitive service positions.
- Validate cybersecurity competitions and scenario-based testing to identify and assess talent.
- Allow agencies to share best qualified candidate lists.
- Reform the security clearance process.
- Develop recruitment expectations of managers so they can communicate clearly to program managers how to identify and recruit cyber teams members.
4. Agency Cyber Training and Development Is Uneven
The newly recruited, especially college graduates, need additional training, including information security policies. Agencies have faced budget constraints, often making it more difficult to free up funding to give new recruits all the help they need and to keep the skills of more experienced employees up-to-date.
The current approach has created a cybersecurity training regimen that is ad hoc and uneven at best, with every agency and IT staff on its own to find suitable training. There is no unified program across government to instill a set of professional values and behavior, and no common thread to create a shared mission and sense of community across government.
- Create a cybersecurity training academy focused on technical and leadership skills.
- Form a cyber-reserve for experienced talent patterned after the military's reserve corps.
5. Government Compensation Isn't Competitive, Especially for Experienced Talent
Following pay freezes, the federal government has fallen behind the private sector in compensation, especially for elite positons. Agencies without special authority to hire find it tough to compete for entry-level talent, not only with the private sector, but with DoD and intelligence community, saying they're "scraping the bottom of the barrel" because they lack flexibility. Once entry-level recruits gain experience, they move to the private sector for better pay.
- Conduct a pay study to understand in depth the nature and extent of the differences between federal and private-sector salaries for various specialty areas and localities.
- Track cybersecurity personnel attrition to better understand the reasons staffers leave, including conducting an exit survey to further understanding why top talent depart government service.
- Develop a market-sensitive pay system for the cyber workforce.
The report's authors say it will take a network to defeat, or at least defend against, all the cyberthreats against our network. And that network cannot just be one of terminals and fiber optic cables; it must be about the people.
"This process needs to begin with a comprehensive understanding of our existing federal workforce and the resources that we have available," they write in the report's conclusion. "We also need to anticipate the types of skills that we will need in the future."