Even the government’s premier cybersecurity bureau has a talent acquisition challenge

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

With the rise of ransomware attacks, it’s clear the cybersecurity threat in general continues to rise. And so does the shortage of cybersecurity talent to help take it on. Now the government’s premier agency on the cyber front has developed a multi-pronged strategy for talent. For details, Federal Drive with Tom Temin turned to the deputy director of the Cybersecurity and Infrastructure Security Agency, Nitin Natarajan.

Interview transcript:

Tom Temin: Mr. Natarajan, good to have you on.

        Join us Apr. 25 at 1 p.m. EST for Federal News Network's StateRAMP Exchange where we'll explore how the StateRAMP program provides cyber assurances as state agencies continue their IT modernization journeys. | Register today!

Nitin Natarajan: Thanks, Tom.

Tom Temin: Let’s begin by maybe quantifying, if you can, how severe the shortage is. What is it the agency trying to hire and what could you if there were lots of people lined up outside that were qualified?

Nitin Natarajan: Globally, the number we’ve consistently heard is in the millions, right. I think within the United States, we know there’s about a half a million vacant cybersecurity jobs. And more than 35,000 of those are in government across the federal landscape. And so as we are looking to continue to hire and grow our team, not just hear in CISA, but across the DHS enterprise, we want to make sure that we’re tapping into talent, not just in the DC metro area, but across the nation to help us tackle these new emerging and complex cyber threats that we’re facing today.

Tom Temin: And when you say a cybersecurity employee or a cybersecurity professional, that’s really about 25 different possible roles, isn’t it?

Nitin Natarajan: Definitely. I think when people think about cybersecurity jobs, often what people will say is, well I’m not a programmer, I’m not an ethical hacker, I’m not a pen tester on a red team and I’m not that deep technical base, and so there’s clearly no role for me in cybersecurity, right. I’m a firm believer that there’s a role for everybody in cybersecurity. And I think that we need that strong technical bench of cyber talent. But we also need a lot of things that work with those teams to help us be successful. And whether that’s everything from our communications teams, and our ability to execute hiring, personnel, budget, all those types of things, that we need to be successful in our mission. And we’re looking for folks across that spectrum, to help us execute that cyber mission effectively.

Tom Temin: And I’ve read here and there that sometimes even people with fine arts or general studies, or what they used to call classical education backgrounds, can be helpful in a technical area like cyber, simply because there’s a lot of cat and mouse and cyclo-graphic work to determine motivations, origins and so forth, motivations of cyber attacks and cyber hackers.

Nitin Natarajan: Definitely, I think, as we look at a lot of our messaging, we have a lot of different communities that we’re trying to speak to. As we talk about cybersecurity as we talk about cyber risk. As we talked about helping prepare entities and whether those are in the public or private sector, whether we’re talking about increasing resilience, we need to speak to CEOs and boards and help them prepare and understand risk. We need to talk to a technical smedes and make sure that we’re giving them the detailed technical interface that they need. And we need to speak to the general public, at all age groups and across the spectrum. so everybody can do their part to help increase cybersecurity resilience across our nation. So having a diverse background, having a diverse educational background, and having a diverse experience. I spent the first 13 years of my career as a first responder, I was a paramedic and a flight paramedic. And so bringing different ways of thinking different experiences of background to what we do really helps us become a stronger program.

Tom Temin: And if you were a flight paramedic, I imagine you’re pretty cool under pressure too.

        Read more: Technology

Nitin Natarajan: I’d like to think so.

Tom Temin: I imagine that’s important for a cyber operator too when you’re really into the spy versus spy situation that you would need to have that presence of mind. And at CISA, now there is something called the cyber talent management system, long time coming, even before CISA was CISA. So tell us about what it is and how it works.

Nitin Natarajan: We’re really excited about the cyber talent management system, and the CTMS is going to be launching in November. And we’re excited to have the opportunity to really change the way we look at not just recruiting and bringing in the finest talent throughout the nation., but how we retain them, right. I think we want to really have the ability to both recruit and retain a strong talent here. It really steps away from the way we’ve traditionally done hiring and the federal government is steps away from, you know, the traditional kind of old school knowledge, skills and abilities and how we apply for a specific job and specific lane. And it really tests people on their capabilities, right? How do we test them on the skills that they learn and show proficiency, and then be able to really use them as a tool within the organization in multiple roles, right? This is a very dynamic landscape that’s changing constantly. And so having that ability to have individuals pivot based on their experience to different roles, to help tackle these new and emerging challenges is key. And CTMS is really going to allow us to do that. It’s also going to allow us to help get a lot of our pay scales commensurate to what we’re seeing in the private sector. We’re never going to reach in government to the exact private sector levels, but things that allow us to allow for the flexibility. We have some amazing individuals coming out of high school, coming out of undergrad colleges that have immense experiences and are being recruited by top cybersecurity firms to the company – and we we want them too. And we want to have that ability to bring on the best talent, even if they didn’t follow a traditional educational path. Even if they’re rescaling upskilling mid career, we want to bring those folks in and have a flexible, nimble system to allow us to do that. And frankly, that’s CTMS.

Tom Temin: We’re speaking with Nitin Natarajan, deputy director of the Cybersecurity and Infrastructure Security Agency. And what under the system can you do with respect to hiring that is not possible under the very, very difficult under the standard hiring merit systems protection system of the government.

Nitin Natarajan: So I think it’s a few things. So as we look at the hiring process, the applicants are going to come through a customized application path that are based on their skills and their interest. And they’re going to participate in assessments, we’re gonna have simulations, they’re going to be able to demonstrate their skills, and their potential to perform work that we’re looking for within DHS. We’re also going to have new and novel compensation structures, really to look at competitive salaries that are market sensitive, and based on their demonstrated skills and expertise, right, as opposed to the traditional grade and stat model that we’ve seen in federal service, it’ll allow them to also gain access to higher salaries and incentives based on their impact to the DHS cybersecurity measure. We also look at career development, and the ability to encourage them to keep their skills sharp, to be aware of emerging technology threats through regular training and professional development. And they’ll be participating in classroom and on the job learning activities based on their responsibilities, their skills, their interests, and their career goals.

Tom Temin: And we talked about a range of different roles within the cybersecurity function, this will apply to all of those?

Nitin Natarajan: It will. It’ll apply to junior staff coming in fresh out of school or fresh out of certification and experience all the way through senior executive talent. If we need the opportunity to hire and recruit, the nation’s foremost expert on X will have that ability to do so utilizing this resource. It also allows for flexibility for folks to come in and out of government, right. I mean, I think a lot of times we hear the days of people coming into federal service and staying for 20 years, 30 years or longer have gone behind us. This will give us a system allow us to bring in talent, them to go back into the private sector, and come back and take it that kind of innovative career path to help us in our mission.

        Sign up for our daily newsletter so you never miss a beat on all things federal

Tom Temin: Now, are these flexibilities available only to this CISA of part of DHS? Are they available across DHS or can other agencies beyond the department use them?

Nitin Natarajan: So right now, we’re deploying this within the department, DHS is kicking off our launch with CISA and our DHS office of the CIO, the Chief Innovation Officer at headquarters. We do have the ability to utilize this more broadly across the department. I think with the launch of any new novel human capital system, we want to start small, we’ll be able to deploy well. But we have the ability to use this across the department. And I think if this goes well, definitely could be something we use more broadly in the US government.

Tom Temin: And you have statutory backing for this – correct?

Nitin Natarajan: We do. This has been in place for a number of years now. This is not something that was thrown together in a matter of months, or even a few years. This is something that goes back, I want to say it’s about five to seven years, and coming to fruition. So we’ve had teams putting a lot of work and effort into as a lot of analytics, a lot of analysis of what other agencies have done with the private sector is done to put together this entire system. I’m lucky that I’m coming in kind of on the tail end of the last eight or nine months of this, and being able to kind of launch it and bring it to fruition. But this has been a multi year effort to get us to where we are today.

Tom Temin: And you have congressional backing is what I was driving at. There’s an enabling legislation piece somewhere in the past.

Nitin Natarajan: There is, yes.

Tom Temin: And the other big issue for federal hiring at large nowadays is to increase diversity, inclusion, and especially in your case, in the case of this field, to try to get more women and minorities into the whole technical and cybersecurity framework of work. And are there elements there that you’re going to be doing to make sure that that happens?

Nitin Natarajan: Definitely. I mean, we are looking at attracting and retaining a skilled and diverse workforce across CISA. And we’re looking at really expanding our outreach to universities and academic centers. We want to be able to work with a lot of NGOs, nonprofits that are out there to build a pipeline of individuals kind of coming into CISA and being able to build a career here and letting people know what opportunities exist here and making sure those pathways are solid. We’re working with a lot of institutions to help us move forward on that. Also, in addition to that, we recently awarded $2 million to two innovative organizations to help develop a cyber workforce training program. Both empower and the cyber warrior organizations are going to focus on unemployed and underemployed and underserved communities, both in rural and urban areas, as well as traditionally underserved communities, including veterans groups, military spouses, women, people of color, to really help them get access to cybersecurity training programs to subsequently help us with a pipeline of great cyber talent coming into the workforce. And we’re really thrilled about this opportunity, and really helping to make this scalable and replicable in the future to other organizations

Tom Temin: And If there’s someone, say, in Bethlehem, Pennsylvania, or Youngstown, Ohio, or one of the traditional Rust Belt areas where there’s so much unemployment, and still so much backsliding from the economic opportunities in the country, could folks like that work virtually under the system?

Nitin Natarajan: Definitely. I mean, one of the other things we’re really looking at within CISA is how do we really leverage remote work opportunities, right, I think, especially in cyberspace, not everybody has to be in the same location. And we really want to look at how do we utilize and tap into talent across the nation? How do we make sure we have the technology to ensure a strong collaboration with those members throughout the contrary, we have a lot of remote workers here with us already, if people spread out throughout the country, we have some that work in regional offices, we have others that work out of their homes. And we’ve been able to build this over the years here within the organization, and we want to continue to expand this. I think if we keep looking at the same key markets for the same workforce, we’re fighting for the same people, right and competing in the DC market or in a Silicon Valley market with the private sector is going to be a challenge, especially when there’s talent across the nation. There’s talent everywhere, and we want to recruit across the nation to help us meet that mission.

Tom Temin: And one final question. How does this kick off? I mean, there’s not an office in CISA that says CTMS on the door for cybersecurity talent management system, or maybe there is, you’re going to cut a ribbon open to a new facility, or just send an email, you can now do this folks if you need somebody?

Nitin Natarajan: So there’s not gonna be a new facility. But I think we do have that we did a soft launch on our website at DHS to talk about CTMS. We go live on November 15, and we’re really excited about that. But we will have a lot of communications about how people can access the system, how they can enroll in CTMS, what it means, additional information about the benefits of CTMS and how it compares to other systems. We are going to continue to be recruiting cyber talent across all mechanisms, right. So we have CTMS, we have our traditional hiring process. We’re going to use all those available mechanisms to continue to recruit the best talent here within CISA.

Tom Temin: Well, I don’t know that you have a budget for it, but I recommend maybe springing for a sheet cake on the first day and that’ll get people interested.

Nitin Natarajan: Everybody loves cake.

Tom Temin: Alright. Nitin Natarajan is deputy director of the Cybersecurity and Infrastructure Security Agency, part of the Homeland Security Department. Thanks so much for joining me.

Nitin Natarajan: Thanks for having me here. Great to talk about where we’re going in the future.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.