When it comes to hiring in-demand cybersecurity talent, a resume isn’t everything.
In the pursuit of the next generation of cyber talent, agencies are thinking beyond typical recruitment efforts, looking instead at putting prospective hires to the test at cyber competitions and building momentum behind efforts to reskill current federal employees.
Insight by MFGS, Inc.: In this exclusive Federal News Network survey, cybersecurity experts from the military services and intelligence community offer insights into how their agencies are transforming their approaches to cybersecurity to address the ever-changing threats.
The Energy Department, for example, has a playbook for putting prospective cyber hires to the test. This weekend, the department will hold its fifth CyberForce competition at 10 of its national labs, putting teams from more than 100 universities through “red-blue team” exercises.
Teams this year will focus on defending four simulated critical infrastructure sites – a solar energy facility, a high-performance computing data center, a manufacturing site and an energy distribution station.
Participants will try to keep their infrastructure running during intrusion attempts, and maintain communications with other teams.
Sean Plankey, the principal deputy assistant secretary for Energy’s Office of Cybersecurity, Energy Security and Emergency Response, said the department may use its direct-hire authority to extend job offers to some of the cyber challenge participants.
“This is active battling — cyber battles — and there’s different stages of them,” Plankey said Tuesday at Fifth Domain’s Cybercon event in Arlington.
Agency leadership, he added, will also participate in the challenge to better understand how potential hires respond to the simulated cyber attack.
“They can see the university-level participants and what they’re thinking about, how they react, and talk to them during the event, and potentially build that relationship to recruit them, but also understand what their motivators — the reason they’re thinking the way certain things are — and then educate them as well,” Plankey said.
Building a pipeline of future cyber talent remains a top priority for CESER, which has also made on-the-spot job offers to participants at conferences like Hack the Machine and Black Hat.
In addition, the department, along with the Department of Homeland Security, hosts a program called Cyber Strike at the Idaho National Laboratory.
Through the Cyber Strike program, the public and private sectors can train and test on real industrial control systems and run through recreations of major cyber attacks, including the “Black Energy” hack that brought down the Ukrainian power grid in 2015.
“They recreate that live, show you what happens and you have points, as a part of the lesson, where you can prevent it or defend against it,” Plankey said. “So you can understand the entire spectrum of events, from initial surveying of the system, all the way through to causing an actual incident.”
The exercise reflects efforts by the Cybersecurity and Infrastructure Security Agency to stand up an interagency working group to ensure a “whole of government” approach to evolving cyber threats, Richard Driggers, CISA’s deputy assistant director for cybersecurity, said.
“Those types of infrastructure that we’re worried about protecting against today are going to be different in the future,” Driggers said. “Ten, 15 years ago, we weren’t worried about securing cloud technology or cloud infrastructure. Today we are. So we have to be focused over the horizon to make sure that we can be ready with our technologies, be ready with the types of defensive capabilities that we’re putting in place.”
The interagency working group, he said, will meet before the end of this year. The meeting would build the groundwork for an executive committee meeting with private-sector partners that will take place sometime early next year.
But the evolution of threats also requires agencies to keep their cyber workforce up-to-date with emerging trends and skills.
“The tradecraft is changing, the vulnerability landscape is changing, the infrastructure landscape is changing, and the cybersecurity workforce that we need today is going to be different than one we have in the future,” Driggers said. “The reskilling programs that we have are great, we just need to do a lot more of that type of thing.”
While efforts to reskill federal employees for cybersecurity jobs remain in early stages, those programs may help alleviate some of the pressure agencies face in recruiting new talent.
Driggers’ comments reflect the findings of an annual cybersecurity workforce study from the International Information System Security Certification Consortium. The report said cyber workforce hiring in the United States would need to increase by 62% to keep up with demand.
The U.S.’s ability to secure its networks, Driggers said, depends on building a strong cyber workforce both inside the government and among the industry partners that CISA works with.
“This isn’t a recruiting pitch for the federal government. Yes, we need cybersecurity professionals in our ranks. This is really about building a cybersecurity workforce as a national asset for America and making sure that we can sustain that effort,” he said.
Part of building that cyber workforce, he added, comes down to bringing together some of the “pockets” of excellence in government with some of the startups and nonprofits that have also worked to build up cyber talent.
“Please engage with our agency, please work with us. Please bring us ideas, bring us talent, bring us innovation,” Driggers said. “Allow us to share information with you [and] share information with us, so that we can make sure that we are meeting head-on our nation’s cybersecurity challenges.”
Meanwhile, CESER is also taking steps to build a cyber response workforce that leans on the talent from what “adjacent” skill sets, such as physical security personnel.
“Maybe you’re in IT and you move toward cyber. Maybe you’re in industrial control systems, as in a mechanical engineer, and now you’re moving towards cyber, because an incident is an incident. It’s not only, ‘This is our cyber incident, let’s call our IT people.’ No, it’s an incident, let’s respond holistically,” Plankey said.
While the Trump administration has trained two cohorts of federal employees through its Federal Cyber Reskilling Academy, challenges still remain in matching those newly trained employees into cybersecurity jobs.
But Venice Goodwine, the Agriculture Department’s Chief Information Security Officer, said the academy’s efforts have helped diversify the pool of talent available for cyber jobs.
“I think that’s another opportunity where we’re just really trying to build a workforce within, and when you talk about having a diverse portfolio or that diverse experience, you get to do that, because I can work cyber on a financial system, or I could do cyber on a research system. Managing financial systems is a little different because there are different vulnerabilities and things that you think about when you think about financial systems.”