The government's personnel shop has devised a five-part strategy for planning, hiring and retaining cybersecurity people. But not everyone follows the strategy.
If there’s one type of person every agency will need, it’s cybersecurity people. As you’ve probably heard, there’s not enough of them to go around. That’s why the government’s personnel shop has devised a five-part strategy for planning, hiring and retaining cybersecurity people. But not everyone follows the strategy. Dave Hinchman, director of information technology and cybersecurity at the Government Accountability Office, joined the Federal Drive with Tom Temin to discuss.
Interview transcript:
Tom Temin: So you looked at five cabinet-level departments and how they did their workforce planning and so forth with respect to cyber people. And what did you find?
Dave Hinchman: So this was, I think, really interesting work. We had never done anything like this. From what we can tell, no one has really looked at the cyber workforce per se as a distinct element of the overall federal workforce. And just to help the readers set the stage a little bit. Yes. Office of Personnel Management established this five-step process for managing your workforce. They wrote it for the workforce writ large, but we talked to them and said it was totally appropriate focusing on specialty workforce. So we found the five nonmilitary agencies that had the largest employment numbers of cybersecurity workers and sat down just to look at how they were managing that. And overall, we found that one of the agencies is doing pretty well: Department of Homeland Security. But there’s a lot of work to be done for the other four.
Tom Temin: In other words, Homeland Security generally follows the best practices as outlined by OPM, and the rest of them didn’t. Like, Health and Human Services only follows one of the five; Veterans Affairs, three; and one of the 15 practices that come under these five overall strategies.
Dave Hinchman: Yeah. And that actually, I think, gets at something that’s important to point out for your listeners. When we talk about the implementation of these practices, we’re looking only at the departmental level. So in the secretary’s office, what is their visibility into their department-wide cyber workforce? It’s not great, is what we found, but that’s because lots of times this is being pushed down to the bureau at some level. So it’s not to say that the cyber workforce isn’t being managed, but it’s being managed in small little pockets down at lower levels. But that’s not good, because in this day and age, with the threats we face, we feel very strongly that the department has to have clear and unambiguous visibility into what their cyber workforce looks like, to make sure that they’ve deployed it to the right places, that they’re hiring the right people and then putting those people where they’re most needed.
Tom Temin: Yeah, especially a place like Health and Human Services, which is gigantic, with so many large components that are away from headquarters. And with the health care sector being one of the prime targets these days, that’s an example of where you’d want to make sure everything’s buttoned up and that you know it at headquarters level.
Dave Hinchman: Absolutely. And I think VA is another great example with the deployment of their electronic health record system. Once we start moving these things into cloud computing, into electronics where files are being passed around, those are potential access points and points of vulnerability. So we want to make sure that the agencies that are focused on this and have that as a key aspect of their service delivery are also making sure they have the right people in place to ensure that information security.
Tom Temin: And just briefly, just run through the top line of the five basic strategies OPM is recommending for people to manage that cyber workforce.
Dave Hinchman: Absolutely. So like you said, there are five steps. There’s “set the strategic direction,” that’s understanding what your workforce is doing, where they’re going. The second step is to conduct a workforce analysis. Who do we have? Who do we need? Where are the people? What are they doing? Are they doing the right things? Then develop a workforce action plan, and that takes that workforce analysis and turns it into something actionable that helps you build a better workforce that’s more resilient and with the resources in the right place. Then you want to implement and monitor a workforce action plan, which is really what allows you to make sure that all those things are being done on a continual basis. And then finally, we’d like to see agencies coming back to evaluate and revise their action plan as circumstances change, because the workforce changes, your mission needs change. You want to make sure that you have a robust living plan that adapts to the changing circumstances.
Tom Temin: We’re speaking with Dave Hinchman. He’s director of information technology and cybersecurity at the Government Accountability Office. And was there also evidence that these departments or some of the components are short of people they need?
Dave Hinchman: We didn’t look at that so much, although we do have a report coming up this spring, just to put my two cents in, looking at all the nonmilitary federal agencies and the cost of the federal cyber workforce. So that’s going to dig a little bit deeper into that issue. But I think that it’s fair to say that if you have an agency that hasn’t done a department-wide workforce analysis, you can’t answer that question about whether you have the people you need, because you don’t know who you need. And I think that’s a huge part of establishing that baseline that you can manage off of moving forward.
Tom Temin: Right. So these are practices that an agency or a department can use for all of the major functions?
Dave Hinchman: Absolutely. That’s the way OPM designed it. And I think one of the beauties of this workforce plan is that it can be adapted to any kind of workforce.
Tom Temin: And I suppose, when the workforce is being looked at really carefully right now by the DOGE, and they’re coming in and working with federal agencies and people already in place, that planning could be good support for what you might need.
Dave Hinchman: Absolutely. And I think that’s an important part of any decisions the new administration makes in terms of ensuring that the people that you need are where they need to be and that you’re moving resources where they’re best provided.
Tom Temin: And you’ve got a pretty extensive list of recommendations here, I guess, tailored for each of those departments. What are the top line ideas that they need to know?
Dave Hinchman: So we didn’t go into detail about which specific practices were implemented or not implemented by each agency. There’s a degree of sensitivity around that, for fear of sharing with a bad actor that, ‘Oh, we don’t do this one practice particularly well.’ That’s a point of vulnerability that someone might try to exploit. So our recommendations are centered around each agency implementing any of those workforce planning steps that weren’t completely implemented. But another part of this work was looking at, OK, here are the challenges you face in your cyber workforce. What actions are you taking to mitigate those challenges? And then, have you assessed the effectiveness of those mitigation actions? And while agencies identify challenges, and we hear about cyber workforce challenges in the news all the time, and they’re taking actions to mitigate them, none of the agencies had evaluated the effectiveness of their actions. And so that’s a recommendation we made to each of the five agencies as well.
Tom Temin: And this evaluation of your workforce, these steps in these strategies, that’s not simply an HR function or a personnel function, is it?
Dave Hinchman: No. This needs to be department-wide. I would argue it needs to be driven by the secretary’s office, because you’re bringing in human capital. You’re bringing in the CFO, for the paychecks that are coming in, as well as the CIO, who presumably has some management chops over this. And I think more importantly, especially with the workforce management that’s currently pushed down to the resources and subcabinet level, you’re sort of losing that clear-cut chain of command. You’re going down into this other smaller organizational unit within your agency, and you need someone who’s going to bring all of that together so that everyone is sitting down at the table and making sure that you’re working off the same set of information and that you’re working collaboratively to get the resources where they need to be.
Tom Temin: And given the criticality of the cybersecurity workforce, did the people to whom you presented this report say, ‘Yeah, you’re right?’
Dave Hinchman: We were very pleased with the response. Three agencies completely agreed with the recommendations. One did not agree or disagree, but spoke positively about supporting the objectives of our work. And one agency, VA, did agree with two recommendations and disagreed with three, but it was a partial disagreement. They just thought they had done a little bit more and asked for credit on that. We worked that out with them. They’re making progress, but they’re not there yet.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.