For the past four-plus years, the Office of Personnel Management has been on a journey to address one of the most difficult positions in the government to hire and retain—the cybersecurity worker.
Starting in 2016 with the first-ever cybersecurity workforce strategy and leading up to today’s most recent effort—a new memo detailing different approaches to assess the cybersecurity aptitude of current and potential employees—OPM has been trying to give agencies the tools and authorities to make up for the shortage of workers.
Both the government and the private sector feel this shortage.
The Center for Strategic and International Studies says that in 2019 CyberSeek, an initiative funded by the National Initiative for Cybersecurity Education (NICE), estimated the United States faced a shortfall of almost 314,000 cybersecurity professionals. CSIS also says that, according to data derived from job postings, the number of unfilled cybersecurity jobs has grown by more than 50 percent since 2015.
This latest memo from OPM Director Dale Cabaniss is part of the May 2019 cybersecurity workforce executive order signed by President Donald Trump. OPM, along with the Office of Management and Budget, the Department of Homeland Security, the FBI and other agencies, reviewed research and conducted a data call to agencies to learn which cybersecurity aptitude assessments are currently being used for the purpose of reskilling.
“Assessments can be used for the reskilling of current employees or to recruit and hire new talent. Utilizing assessments ensures the right talent is in the right place at the right time,” Cabaniss wrote in the memo.
Assessments not being used
Under the EO, the White House charged OPM and others with identifying the current aptitude assessments in use across the government, and how agencies can start using these evaluations to address the shortage of workers.
And it’s clear from OPM’s data call that agencies need help.
“OPM sent a data call to chief information officers and chief human capital officers, as well as human resources directors and industrial organizational psychologists across the federal government. The data call received 110 responses, with 31 indicating they utilize cybersecurity assessments and 79 indicating they do not utilize assessments,” the memo stated.
OPM outlined three examples of agencies using aptitude assessments.
One agency is using the evaluations for new hires. Two departments are offering the evaluations for current employees to see if they are candidates to be reskilled.
Barbara George, the executive director of the Washington Cyber Roundtable, said these assessments should help agencies overcome some culture obstacles.
“I think the proof will be in the interpretation and application of assessments and how employers can rise above their traditional biases,” she said in an interview with Federal News Network. “The old way we do things is comfortable behavior and people go back to what they know versus keeping with the new approach.”
George said agencies shouldn’t overlook the importance of the human factors when assessing employees.
“I was a little concerned though that it seemed like they were relooking more toward the technical side, but there are so many different aspects of cyber that they shouldn’t overlook especially around the policy and strategy pieces,” she said. “One of the tools that folks have been using recently is the use case of the show me how you will approach the problem. The ultimate answer is not as important as the employee demonstrating critical thinking. The DHS Cybersecurity and Infrastructure Security Agency is using this approach, which is a good way to weed out the folks who may not have the right skill sets.”
Don’t look for the perfect candidate
OPM also detailed three ways the Defense Department is evaluating cybersecurity candidates through the use of “cognitive ability tests, knowledge tests, personality assessments and interest inventories.”
“Federal subject matter experts recommend the federal government pursue a whole person approach for cybersecurity aptitude assessment for reskilling and the selection of new talent. The whole person approach should incorporate a mix of assessments that evaluate both cognitive and interpersonal competencies, as well as technical cybersecurity related knowledge, skills and abilities,” the memo stated. “The decisions on what type of assessment to use should be guided by rigorous job analysis information and aligned with the outcome. Agencies should recognize that different approaches may be needed for different scenarios.”
George added that organizations shouldn’t look for the perfect candidate, but for one who meets maybe 80% of their requirements, and then use training to get that other 20%.
“Agencies and industry all have the same challenges when recruiting new cyber talent,” she said. “For the government, the drawback is the salary range so they have to get young people to think in terms of being altruistic. Otherwise, they will chase the money.”