Agencies hired more than 42,000 cybersecurity and IT professionals between 2015 and 2020. They now account for 7% of the federal workforce. But cybersecurity remains a high-risk functional area in the eyes of the Office of Personnel Management.
The forthcoming strategy could start pushing agencies to use a range of existing flexibilities to recruit, hire and retain cyber talent. That’s one of many recommendations from the MITRE Corporation. It highlights cyber pay flexibilities, programs like Scholarship-for-Service, and the Department of Labor’s cyber apprenticeship program.
But beyond those hiring and training tools, MITRE’s Dave Powner said agencies need to do a better job marketing themselves to cyber and IT professionals. He referenced potential cybersecurity positions at agencies including the Department of Homeland Security, the Defense Department, the National Security Agency, and other intelligence agencies.
“The government needs to sell mission a lot better,” Powner said in an interview. “And when you look at some of these organizations, and the missions that we’re operating in, it’s very attractive to many, many of those in the workforce, including the younger workforce.”
Mark Montgomery, senior director of FDD’s Center on Cyber and Technology Innovation, said the institute would allow human capital officers across agencies to draw on shared resources for employee education and professional development. And it would show individuals that the government has an interest in their career progression.
“In other words, get me to that point where I’m getting more experienced in either leadership roles or wider responsibilities faster,” Montgomery said. “And the way you do that is properly developing people. If we have that intrinsic value of government service, if we have appropriate pay bands, and if we have a good system for developing personnel as they move through it, we’re going to have exceptional retention.”
The notional institute could also address another issue: a lack of familiarity with cybersecurity skills among federal hiring managers. Montgomery said the institute could train Human Resources specialists who would lead cyber talent management and recruitment initiatives across agencies.
“The Department of Agriculture’s HR team is probably world class at hiring food inspectors,” Montgomery said. “It’s hard for them to also be world class at cyber. And as we get to smaller and smaller federal agencies, it’s harder and harder . . . For many of these federal agencies, cyber is not a principal mission. It’s a principal vulnerability, but not a principal mission.”
The issue is especially important to attracting and growing a diverse cyber talent pool, according to Irv Lachow, division chief engineer at MITRE’s Homeland Security Enterprise. MITRE recommends the cyber workforce strategy link to the Biden administration’s broader diversity, equity, inclusion and accessibility initiatives.
“In order to understand how well we as a nation are doing on this issue of cyber workforce, we need to understand the demographics of that workforce,” Lachow said. “And we don’t actually have a good snapshot of that at the national level. And so we don’t have a baseline. And so if you don’t have a baseline, you can’t track how well different policies or initiatives are doing. Because you don’t have consistent data.”
“I think there’s an opportunity for the government to take what NSF has done, and apply that to the cyber workforce and get into even more detail,” Lachow said. “How many people are cyber analysts, how many people are threat analysts, how many people are working the help desk.”
MITRE is also recommending the cyber workforce strategy include a way to leverage neurodiverse individuals, which include those with autism. Neurodiverse people are often better at hacking and systemizing skills, valuable traits in the cybersecurity world, according to MITRE.
But autistic candidates are also less likely to be hired, MITRE said, because interviewers often lack knowledge about autistic traits like sensory sensitivities, as well as reduced facial expressions and reciprocation to smiles and handshakes.
There is also a lack of data on neurodiversity in the workforce, according to Teresa Thomas, the program lead for neurodiverse talent enablement at MITRE.
“There’s not a lot of data on how many people are already in the federal workforce who are on the autism spectrum and especially not in the cyber roles,” she said. “The data that could prove how well they could do or how well they could fill the gaps is lacking.”
The National Geospatial Intelligence Agency in 2020 became the first federal agency to participate in a neurodiverse federal workforce pilot program.
NGA’s experience could help inform other agencies as they look to potentially hire and retain neurodiverse individuals to fill cybersecurity positions, Thomas said, as well as force agencies to improve their overall hiring and retention processes.
“It’s a big population, and it’s definitely worth tapping into,” she said. “If we can get them and keep them, it’s not going to fix all of our cyber hiring problems, but it sure is a step in the right direction. And all those other things that we’re learning along the way improves everything else we’re doing. If your managers are giving clear direction now, if you’re treating each person as an individual, if you’re making your application process more clear and understandable, that improves the system for everybody trying to get in.”
The public comment period on the National Cyber Director’s workforce request-for-information closed November 3. Officials are planning to invite some respondents in for virtual conversations. The workforce strategy is expected to be released at some point next year.