‘We have to find talent’: Cyber leaders push for skills-based hiring

One advocate of skills-based hiring says employers need to stop looking for 'unicorns' and invest more in hands-on training to fill cyber skills gaps.

With nearly 500,000 unfilled cybersecurity jobs across the country, the Biden administration is throwing down the gauntlet on skills-based hiring.

White House officials just committed to using skills-based hiring for most federal IT jobs. The Office of Personnel Management is leading the effort to transition nearly 100,000 federal cyber and IT jobs to skills-based hiring by next summer. The Energy Department is leading a corresponding initiative to move federal IT contracts to skills-based hiring.

The idea behind skills-based hiring is to focus more on a job candidate’s talent and abilities – through skills assessments and other means – instead of only relying on education and direct experience.

The goal isn’t just to fill open cyber positions now. Advocates of skills-based hiring argue it will open up IT and cyber jobs to a wider range of applicants, at a time when digital technologies are growing in importance. Former Federal Chief Information Officer Suzette Kent, who now works as an advisor to technology training firm SkillStorm, said the government is in sore need of more technical talent across the board.

“We have to find talent, and skill talent at a pace that matches the pace of evolving technology,” she said in an interview. “Both inside agencies, but also with our contractors, we need a bigger pool.”

For years, officials across government and industry have been grappling with a deficit of qualified cyber talent.

But one of the big problems with cyber hiring is that many employers have been looking for what Brian Correia, the director of business development for GIAC at the SANS Institute, calls “unicorns.”

“There’s only so many unicorns in this industry, somebody that can do A, B, C, D, E, F,” Correia said. “It’s like the LeBron of the world, right? There’s only one LeBron, but as you can imagine every basketball team’s fighting for LeBron, they all want them. . . . they’re all looking for people with experience. There’s only so many of those people, but then the question is, can we skill people up to get them where they need to be?”

A new report from SANS recommends employers identify the specific cyber skills they need in each position and then invest more in hands-on training.

The National Initiative for Cybersecurity Education Framework, known as the NICE Framework, defines specific cyber work roles. But only 14% of the organizations responding to a survey for SANS’ report used the NICE framework for their job postings.

Correia said employers also need to do a better job of understanding what type of cyber jobs they need to fill.

“We wanted to focus on the skills gap as opposed to the headcount gap. But as we were doing the study, the thing that popped up was, it wasn’t just a skills gap problem. It was also an expectations gap,” Correia said. “What a pen tester versus a security architect versus a forensics analyst does, those are completely different jobs with different mindsets, different everything.”

The SANS report said wider adoption of the NICE framework could improve how cybersecurity leaders work with HR managers to fill skills gaps.

That was a point echoed by Leidos, one of the federal government’s biggest technology contractors. The company was highlighted as a case study in the SANS report.

Substituting skills for degrees

Lynsey Caldwell, cybersecurity workforce program director at Leidos, said the contractor is working on several ways to improve cyber hiring. The company now looks for candidates who meet 80% of the must-have requirements.

“And then we try to address the remaining 20% through training,” she said. “We work with our hiring managers to understand what the skill gaps are. We have a cyber career development tool. And we have our employees use that tool to understand what skills that you need in a role to be successful and also helps them understand what their skill gaps are. And we can see holistically where we need to train in the future.”

Leidos is also developing a degree equivalency matrix that will substitute certifications, skills, training, or experience for a four-year college degree. Caldwell said the goal is to open cybersecurity roles to individuals with the right potential and skills, even if they don’t follow a traditional education path.

“It’s taking a look at something like a [Certified Information Systems Security Professional] and noticing that there are five years required to even sit for your CISSP exam,” Caldwell said. “So one could reasonably believe that you must have had at least five years of experience in cybersecurity if you have that certification. So could that be used in lieu of a degree? And what is enough to warrant that satisfaction between skill and experience, and what you’ve done with your certification that could effectively replace a degree?”

In some cases, organizations are also finding that they can retrain people to be cybersecurity pros. When she was federal CIO, Kent helped launch a cyber reskilling pilot. The program took current feds who were working in non-cyber fields and trained them to fill federal cyber jobs.

The program had some success, but Kent said many nontraditional hiring programs are often treated as an exception by agencies.

“From a practical perspective, if you treat something like an exception and you evaluate those individuals differently in the way they’re doing those roles, that’s not a sustainable solution,” Kent said. “That’s certainly not a solution that supports volume of talent or velocity of talent.”

Kent said if agencies are going to truly reap the rewards of skills-based hiring, they’ll need to treat it the same as more traditional pathways into a federal job.

“What I would look for as a measure of success is that we see an increase in applications,” she said. “And that what we see is the human capital officers and the team that these individuals might join getting much more active and more comfortable with this process. So instead of just having one track in the door, if we can have three, five, 10 ways that we can find, confirm and on-board talent, that’s an advantage for everyone.”

Copyright © 2024 Federal News Network. All rights reserved.
