Over the course of one-and-a-half days at the 10th annual Billington Cybersecurity Summit, more than 70 speakers hit upon nearly every unclassified topic you could imagine. Attendees even heard from Israeli and U.K. cyber executives, who helped make the world a little smaller by demonstrating their challenges are no different than the ones faced by US federal agencies.
The one common theme that permeated across nearly every keynote, panel and breakout session was the safe discussion about the cyber workforce.
And while discussing the cyber workforce is both a nonthreatening and easy topic for most of the industry moderators, who are worried about making a current or future customer mad by asking more pointed questions, the panelists actually offered some real updates about how they are addressing this long-term challenge.
Let’s start with a little background.
There are dozens of studies and surveys that add to the cyber workforce shortage narrative, and how it’s only going to get bigger when agencies and private sector organizations add the need for data scientists and software coders to this cyber workforce.
In the federal sector, the Office of Management and Budget, the CIO Council, the Department of Homeland Security, and the National Institute of Standards and Technology have all sprung up initiatives to tackle the cyber workforce program from a grand scale—think of the cyber workforce reskilling program and the executive order creating a rotational program for public and private sector experts.
“The workforce work under OMB has been incredible in that we’ve actually divided it up amongst the CIO and CISO councils where we are not taking work streams and putting people in work groups to develop an approach to developing data analyst to make sure it’s the same whether at departments of Energy, Veterans Affairs or Treasury,” said Paul Cunningham, the VA chief information security officer at the Billington event. “What’s really important about that, when they get categorized, and their level and coding are done correctly, we can now move them across the federal space and we will know where they are at, what we are getting and what they need to move to the next branch. While it’s important to have the historical side of cybersecurity in a federal organization, it’s also beneficial when we can leverage what is being done in other federal elements.”
For our purposes, let’s delve deeper into a few examples of how specific agencies are adding more cyber firepower to their workforce.
Sometimes agencies have to take some risks with their workforce and while these aren’t the typical risks for CIA employees, the changes make sense for the overall direction of the agency over the last decade.
Sean Roche, the associate deputy director for Digital Innovation at the CIA, said the spy agency changed its pay scale, altered the way it hired by putting some of its business and mission leaders in the field to recruit new employees, and decided promotions don’t necessarily have to mean management.
“We did something that hadn’t been acknowledged before which was we now promote people up through the Senior Executive Service as experts and they don’t have to manage. They are better with machines than people and we want to keep it that way,” Roche said. “To be promoted up to an SES, they have to maintain the skills, but they have to be mentoring and bringing on others. It’s a significant portion of the people we promote to SES every year. That has really given people a path.”
While the CIA transformed its human resources approach when it launched its digital innovation directorate in 2015, the lessons they offer can be applied to the cyber workforce.
The Defense Department’s implementation of its Cyber Excepted Service has been slower than many would’ve liked. The recent decision by Congress to reject the Pentagon’s request to reprogram $4.8 million for this program tells you a little bit about lawmakers’ frustration with the military’s efforts.
Still, Tom Michelli, the vice director of command, control, communications and computers (C4)/cyber and deputy CIO for the Joint Chiefs of Staff/J6, said the initiative is picking up steam.
DoD has converted 2,500 people in the Cyber Excepted Service and reduced time to hire at the U.S. Cyber Command to 80 days from 111 days.
“We can hire folks at higher grades than we would normally hire and through direct hire. We are able to bring in military folks at different grades than we would normally bring them in at,” Michelli said. “Once they are in, we have the ability to provide additional education and training and a higher pay scale on the civilian side and bonuses on the military side.”
Even though Congress provided DoD with the authorities under the Cyber Excepted Service, there is enough evidence that every agency would benefit from similar rights. The Office of Personnel Management gave all agencies in October 2018 the ability to hire cyber workers directly.
DHS, like DoD, has been out in front of addressing cyber workforce shortages.
DHS used retention bonuses of up to 25% of an employee’s pay back in 2016. The department also held cyber and technology job fairs where it made on-the-spot offers to 150 candidates. And it has been developing a new cyber talent management system for the better part of two years.
John Zangardi, the DHS CIO, said the goal is not just to find people who know cybersecurity, but to look at the skills and abilities they bring to the agency.
“We have to make salaries more comparable to what industry earns. It’s about flexibility. It’s about using technology. And it’s about creating an environment where people can move back and forth [between government and industry],” he said. “How can I actually get on board the right technical skills that can help me with mission? Being in government, I cannot match the salaries of industry so I have to work some unique ways. I have to appeal to their sense of mission and their patriotism.”
Zangardi said the new talent management system should help create more automation in how DHS hires people. He also said a new cyber internship program, which ran this summer with 10 individuals, will help create a pipeline of qualified workers.
“You have to help the team deal with the growth in data and we have to face up to the unique challenge the government has in hiring,” he added.
One way DHS is taking advantage of the skills and abilities of its workforce is through new training for cloud computing, which includes some cybersecurity aspects.
Zangardi said the Cloud Stand Down effort is about training and educating technology and non-technology workers about how cloud works and what they need to consider as they buy, manage and use these services.
All three of these agencies have added authorities that others don’t, but it’s clear there are steps every department can take whether it’s asking mission leaders to recruit new employees or investing in training and education resources. It would be nice if we could stop talking about the cyber workforce at every panel as this is a fixable problem.