Yes, the government’s midcentury personnel structure needs an overhaul to fit today’s needs. And yes, bureaucratic systems like the security-clearance process can make it hard for workers to flow in and out of government. And the country overall needs more professionals trained in the STEM fields of science, technology, engineering and math. But there are things that agencies can do right now to address their pressing need for cybersecurity talent.
That message was emphasized by authors of a new report lamenting the lack of progress the federal government has made over the past six years in hiring and retaining civilian cybersecurity workers. The growing awareness of cyber threats has made talented cybersecurity workers a hot commodity worldwide. The report finds those employees now leaving more quickly than the government can replace them.
“The federal government isn’t alone, but we have handcuffed ourselves because we don’t have the same tools that our private-sector competitors might have,” said Ron Sanders, vice president at Booz Allen Hamilton, speaking Tuesday at the report’s presentation at the Partnership for Public Service.
To tackle the biggest hurdle — pay — the Office of Personnel Management could take the 100,000-plus federal cybersecurity workers out of the General Schedule and put them in a separate pay system that more closely resembles the private sector, said Sanders, a former OPM official.
A little-known legal provision lets OPM do this. It is more than a decade old, but the agency has never used it, he said.
“This is the place to use it. Let it be the grand laboratory for civil-service-wide reform and, in the process, help us win the war for talent,” he said. It might even serve as a model for the rest of government, he added.
To take advantage of the law, OPM would have to consult with agencies, hold public hearings and notify Congress. Notably, it would not need lawmakers’ permission.
“At the end of the day, it’s OPM’s decision or the CIO Council’s decision,” he said. “We could, I think, easily within a year, have a market-sensitive pay system for cybersecurity professionals.”
According to the report, senior software engineers in the private sector make about $28,000 more than their counterparts in the government.
The report’s other short-term recommendations focus mostly on how agencies can work with existing personnel-management tools to recruit more creatively. For example, the Homeland Security Department hosts the National Collegiate Cybersecurity Defense Competition each year, yet doesn’t consider it a pool of potential job candidates, said Mallory Barg Bulman, the Partnership’s managing editor for research.
“In 2014, they had hundreds of people participating. These were people who were practicing and ethically hacking into networks, demonstrating the exact type of skills that we need,” she said. “After the competition, almost all of the individuals had jobs, none of which were with DHS.”
Agencies look to NSA
Some agencies are wrestling with the handcuffs and making progress, despite some bruises. The National Security Agency has had an easier time than some others in attracting new cybersecurity graduates. Unlike at other civilian agencies, students are more likely to know what they’ll be doing in cyber at the NSA and they’re more likely to build “street credibility,” as Barg Bulman puts it, which can help them later in their careers.
The NSA also is among a growing number of agencies that can offer higher salaries to junior cybersecurity professionals, thanks to Congress. Starting salaries are around $65,000. Yet the pay advantage that the NSA has over other federal agencies lessens as cyber workers move up the career ladder. At the same time, the difference grows between what the NSA can afford and what private companies are willing to pay trained cybersecurity professionals with security clearances.
“You’re making the person that others want to hire,” said John Yelnosky, technical director in NSA’s Associate Directorate for Human Resources. “They share their parting thoughts on our internal social media and often say, ‘I love the NSA, but I can’t afford to stay here.’”
Cybersecurity professionals are most likely to leave within their first five years at the agency, Yelnosky said. When they go, the agency loses the investment it has made in their training and development.
To prevent attrition, the NSA takes a holistic approach to recruitment and retention of cyber workers, Yelnosky said.
“We try to hook people up as they come in the door,” he said.
The strategy includes assigning a buddy or mentor to the new employee, helping them plan a career trajectory at the agency, and giving them information about living in the Washington, D.C. area, among other things. Later on, it encourages employees to move from job to job within the agency to gain experience.
Those options are especially important to the younger generation of millennials. Overall, they stay just four years with the government. They want and expect the agency to have great technology and office space as well as development opportunities, Yelnosky said.
“There are employers who are more experienced in providing that whole package,” he said. “We recognize it and are trying to work in multiple dimensions to look at all the kinds of things people say they care about and see if we can make even incremental changes.”
Other agencies are watching NSA closely so that they can learn from its successes and losses. DHS recently gained the ability to offer more pay to cyber workers, thanks to a 2014 law. DHS is now conducting the preliminary step of assessing its workforce to determine which cyber-related jobs should qualify for the higher pay, said Renee Forney, executive director of the department’s Cyberskills Management Support Initiative.
“We are going to be working closely with [the Defense Department] and NSA to avoid the stumbling blocks they might have had,” she said. “Why reinvent the wheel?”
But many civilian agencies cannot follow suit because they do not have the special pay flexibilities. The chasm between the have and have-not agencies is noted with alarm in the report.