The White House is pulling together a new cybersecurity workforce strategy that promises to help the federal government grapple with longstanding cyber workforce challenges, including an emphasis on stronger implementation mechanisms to ensure agencies follow through on the plan’s goals and objectives.
Agencies have long struggled to compete with the private sector for cyber talent. Mounting cyber threats combined with a tight labor market cast an especially acute focus on efforts to recruit and retain the technology workforce at this year’s Billington Cyber Summit in Washington.
“We’re in tough competition for talent — all of you are,” National Security Agency Deputy Director George Barnes said Wednesday. “That’s something that’s germane to our whole industry. NSA has always had a challenge getting talent. That challenge continues to mount.”
According to CyberSeek, there are nearly 715,000 open cyber and IT positions across the country. The public sector makes up about 39,000 of those unfilled cybersecurity positions.
The White House’s Office of the National Cyber Director is now drafting a National Cyber Workforce and Education Strategy, according to Camille Stewart Gloster, deputy national cyber director for technology and ecosystem security.
The national cyber director’s office is currently developing an overarching national cybersecurity strategy. That’s expected to come out sometime this fall, and the workforce strategy will come out afterward.
The workforce plan will cut across both the public and private sectors, and include a big focus on training and education. But for federal agencies, the effort should help bring more “cohesion” to what have often been disparate attempts to address cyber talent gaps, Gloster said Thursday.
“We want to get a view across the entire federal ecosystem of the work that’s going on, clarify some of the roles and responsibilities, identify the metrics and benchmarks that are working, and then figure out if and how we can promulgate them across the federal ecosystem, so that we can be more action oriented and leverage those metrics,” she said.
Noting that there are “some programs that need to grow” and “some that might shrink,” Gloster said the forthcoming workforce plan will include a strong emphasis on implementation, not just high-level goals.
“That’ll be the biggest thing that’s different from probably what we’ve seen in the past,” she said. “There have been a lot of federal workforce strategies. The goal is to create an implementation mechanism and the coherence through collaboration and a continuous dialogue at the leadership level, that should actually drive towards the goals that we outline in the strategy.”
DoD cyber workforce strategy coming soon
The Defense Department is also planning to release a new cybersecurity workforce strategy, likely within the next 60 days, according to Chief Information Officer John Sherman.
“We need to learn differently on how we retain, recruit, upskill, because the 30-year career path that maybe a lot of us have had, it may not be what will take us into the future,” Sherman said. “We need to think differently about how we have people come into the department for a while, go work for you all in industry, and maybe come back in a while without our security folks’ heads blowing up because they had some foreign travel in there. That’s what I’m after with the cyber workforce strategy.”
The Pentagon is also eyeing a major expansion of its Cyber Excepted Service. First authorized in 2016, CES has been slow to get off the ground. It gives DoD more speed and flexibility in hiring for cyber and some IT jobs compared to the traditional civil service’s hiring, classification and compensation practices. The Pentagon can hire CES candidates directly without posting the position on USAJobs, and it can also offer higher pay in some cases compared to the traditional General Schedule system.
There are currently about 15,000 people in the CES, according to Mark Gorak, principal director for resources and analysis in the DoD CIO’s office. The goal, he says, is to expand that to 200,000 in the CES across both military and civilian positions.
“That’s small compared to the 4 million we have in DoD but still a huge program to try to manage,” Gorak said.
Rotational programs increasingly popular
While both government and industry are struggling to fill the deficit of cyber jobs, agency officials often say they will never be able to compete with the private sector on pay, even with special hiring programs.
But agencies are increasingly turning to rotational programs where industry employees can serve in government for short tours of duty, and vice versa.
The CIA is among those agencies. It recently established a technology fellows program that gives private sector employees the opportunity to spend 6-12 month stints working at the CIA, according to Director Bill Burns.
“And then also to make it possible for some of our officers to get experience for shorter periods of time in the private sector as well,” Burns said on Thursday. “We’re never going to be able to match in the U.S. government the kind of salaries or economic benefits that you can find in lots of parts of the tech sector as well. What we can offer, though, are fascinating problems to solve.”
The Cybersecurity and Infrastructure Security Agency also launched a Cyber Innovation Fellows program in June. It brings in private sector officials for about four-month periods to work part-time on CISA teams doing threat hunting, vulnerability management and incident response.
CISA is also focusing on its workforce as part of a soon-to-be-released strategic plan, according to CISA Director Jen Easterly. Among the “pillars” of the forthcoming document is a section on “agency unification,” Easterly said Wednesday, noting how CISA was only recently spun out from a Department of Homeland Security headquarters unit.
“We’re built off the back of a staff element,” Easterly said. “We’re now a full grown operational component. And we absolutely need to build a unified agency that is grounded in the culture that we are building, the core principles and our core values of collaboration, innovation, service to the nation, and accountability to the American people.”
CISA is also focused on increasing diversity in the cybersecurity field. Easterly laid out a goal to have women and underrepresented minorities make up at least 50% of the cybersecurity community by 2030.
“That’s how we’re going to tap into a much more thoughtful community, because we’re leveraging the incredible diversity out there,” she said. “And that’s women. But it’s neurodiversity, it’s diversity of gender identity and sexual orientation and race and national origin, because that equals diversity of thought. And that makes us better problem solvers. And it’s not just the right thing to do, it’s the smart thing to do. Because the data shows more diverse organizations actually are more productive, have less turnover risk, have less sick days. And so we all need to work together for the security of the nation, and that’s how we’re going to get after this workforce problem.”