The Department of Homeland Security is looking at a new personnel system for hiring cybersecurity talent later this fall to transform the way it attracts, retains and develops its cybersecurity workforce.
DHS Chief Information Officer Eric Hysen, speaking at Institute for Defense and Government Advancement’s Homeland Security Week conference, said the much-anticipated Cyber Talent Management System will serve as the driving force behind his top-tier priority of investing in the department’s IT workforce.
“When I saw CTMS for the first time, my reaction wasn’t just, ‘Wow, this is good for government,’ but this is better than many of the talent systems that I’ve used in the private sector,” Hysen said last Friday.
Hysen said he’s worked closely with Chief Human Capital Officer Angie Bailey putting the finishing touches on the talent management and compensation system. Several major cybersecurity incidents, including the SolarWinds breach, have accelerated the demand for federal IT talent.
Hysen said the DHS IT workforce has done “incredible work” getting the department through these challenges. Looking ahead, he said he’s looking at strengthening the cyber workforce by promoting diversity, equity, and inclusion principles.
“That’s really top of mind for me — how can I continue to further invest in our workforce and make DHS a great place to work for IT professionals,” Hysen said.
Brandon Wales, the former acting director of the Cybersecurity and Infrastructure Security Agency, told senators in May the CTMS should be ready this fall, and that CISA will be first in line to use it.
CISA, Wales added, hired more people in the first six months of 2021 than it did in the last two years combined. DHS, meanwhile, concluded a 60-day cyber sprint in July by hiring nearly 300 cyber professionals and making an additional 500 tentative job offers to prospective hires.
The sprint, the department’s largest cyber hiring initiative, exceeded DHS’ goals by nearly 50%.
DHS Secretary Alejandro Mayorkas said the sprint allowed DHS to fill 12% of its more than 2,000 cybersecurity vacancies “during a time when our country is facing extraordinary threats.”
“As cybersecurity threats to our communities continue to rise, we must recruit and retain diverse top talent to defend against today’s threats and build a more resilient future,” Mayorkas said.
DHS is also rethinking the way it vets cyber talent. In standing up a Network Operations and Security Center to respond to cyber incidents, Hysen said DHS is working with the U.S. Digital Service to use their Subject Matter Expert Qualification Assessment (SMEQA) method, which rethinks the way agencies vet job applicants.
As part of this process, subject matter experts help conduct technical reviews of applicants’ resumes earlier in the process. DHS is still in the final stages of that work, but Hysen said the SMEQA process is already giving the agency a “much higher level of talent.”
Zero trust, data sharing key to IT modernization
Aside from these workforce investments, Hysen said DHS is moving its systems from perimeter-based security and toward a zero-trust model as part of its latest IT modernization initiative.
“We need to assume that we are going to get breached and design our systems in a way that we are limiting the damage of those breaches once they do happen,” Hysen said.
Hysen said moving to zero trust will require a “fundamental” change in how DHS builds its systems from the ground up. The Biden administration elevated the need for zero-trust security across the federal government through a recent cybersecurity executive order, which Hysen said was “one of the most ambitious agendas ever to reform civilian federal cybersecurity.”
“As the department that houses CISA, and has a responsibility for the cybersecurity of the rest of the civilian federal executive branch, we are uniquely obligated to lead the rest of the federal government by example when it comes to our own cybersecurity practices,” he said.
As part of this IT modernization effort, Hysen said DHS also seizing an opportunity to strengthen the sharing of its data across the enterprise. Hysen said many of the department’s current IT systems and programs are built as “pretty large monoliths that do everything in-house,” but aren’t conducive to sharing data.
“What we’re seeing more and more is operational needs require us to have systems that are flexible, that can share across components of DHS, across departments, with the private sector and other groups as necessary,” Hysen said. “We need to be modernizing in a way that enables better data and information sharing from the ground-up, knowing that we don’t know now everything that we’re going to ask our systems to do, and all of the different information and data sharing missions that we’re going to ask them to support. We need that flexibility.”
Hysen said he’s working with DHS CDO Mike Horton to ensure IT system owners are adopting standards that will enable systems to interoperate and share data.
Hysen said the department’s ongoing move to the cloud remains a “prerequisite” for the rest of its IT modernization goals.
“In some cases, we’ve seen and been able to really accelerate our work by looking at large-scale cloud migration efforts. In some parts of the department, it’s more component-by-component. But overall, it’s something that I think is a part of all of our work.”
Hysen said cloud remains an important “baseline” for IT modernization at DHS, but added that component agencies will have to go through that cloud migration on their own terms.
“We are not trying to say that the entire department is going to be on one cloud. We know that our components — even components within components — will have different mission needs to leverage services that might be uniquely available in one provider’s offerings or another,” he said.
Hysen said in an interview at the end of June that DHS submitted four proposals to obtain funding from the Technology Modernization Fund. But speaking at the IDGA conference, he said his department is now combining proposals sent to his office from component agencies.
“We’ve been saying, ‘Here’s a proposal from TSA, here’s a proposal from CBP. They’re both looking at air travel.’ It’s the same people that depend on this, it’s the same traveling public that’s going to be served here. Let’s bring these together. We’re not going to overly centralize, we know that our components are where the work at DHS happens. But we want to be sure that we are bringing a customer-focused view to the work that we are doing that allows us to look holistically at meeting the needs of our end-users,” he said.