While the cybersecurity skills gap in the private sector has been fairly well chronicled over the years, including a recent study published by the Enterprise Strategy Group and the Information Systems Security Association, the U.S. federal government is also struggling to recruit and maintain security talent at a time when threats from nation-state actors continue to grow.
In fact, while the public sector currently employs around 52,000 cybersecurity professionals, another 31,000 positions remain open—meaning about one in three security jobs at the federal level are going unfulfilled, according to a whitepaper released this month by the Cyberspace Solarium Commission.
The Cyberspace Solarium Commission was created under the 2019 National Defense Authorization Act, and is currently co-chaired by Sen. Angus King (I-Maine), and Rep. Mike Gallagher (R-Wis). In March, the commission released a highly anticipated report that included 75 recommendations for revitalizing and revamping cybersecurity throughout the U.S., including election security improvements designed to protect the vote this November.
Since then, the commission’s report has spurred new Congressional legislation proposals, including the creation of a national cyber director position within the White House, as well as additional money and grants for states to improve their security plans.
Now, the Solarium Commission is turning to the task of easing the security skills gap when it comes to recruiting, retaining and promoting cybersecurity talent at the federal level.
“Without talented cyber professionals working the keyboard, all the cutting-edge technology in the world cannot protect the United States in cyberspace,” King and Gallagher wrote in the paper, titled “Growing a Stronger Federal Cyber Workforce.”
“If we do not take action now to ensure that our talented and experienced workforce continues to grow, we are leaving our country vulnerable to future cyber attacks,” the lawmakers added.
“There are plenty of hiring challenges for government job requisitions, especially in the cybersecurity space,” Kacey Clark, a threat researcher at security firm Digital Shadows who previously worked to recruit cybersecurity talent for government, told Dice. “When considering job specification confusion, salary restraints, sparse career development opportunities, inflexible education and tenure requirements, lengthy security clearance acquisition times, the federal cybersecurity workforce is a tricky and rigid landscape to navigate.”
In order to address some of these issues, the Solarium Commission report details five steps that federal agencies should take to recruit and then keep the cybersecurity talent they need. This includes:
Organize: Federal agencies need to create flexible tools for organizing and managing their workforce. This means adapting to each department’s individual mission, while creating coherent security strategy across the whole government. Part of that plan includes identifying and utilizing cyber-specific occupational classifications to allow for more tailored workforce policies, while building a federal cyber service that offers clear and agile hiring authorities.
Recruit: Federal agencies need to compete with the private sector for talent, and one way is to appeal to potential workers’ sense of duty and service. In addition, the report calls for the expansion of CyberCorps, a scholarship program for students that are studying cybersecurity, which is administered through the Office of Personnel Management, National Science Foundation, and Department of Homeland Security.
Develop: The report notes that the federal government cannot limit itself to only recruiting those with cybersecurity backgrounds and certificates. Instead, it should draw from a diverse group of candidates and then offer upskilling opportunities to earn those degrees and certifications.
Retain: In addition to more flexible pay, federal agencies need to create career opportunity paths for those talented cybersecurity professionals who want to stay in public service.
Stimulate Growth: This includes promoting diversity within the cybersecurity ranks, as well as investing in research to see how attitudes toward work and career development are changing.
Clark noted that the report is right to focus on personal development as a way to maintain talent.
“Professional development is an imperative practice in any career; many candidates will accept an offer from an organization that highlights the importance of continuing education and on-the-job training compared to a stagnant role with more earning potential,” Clark told Dice. “I have received many job requisitions from government hiring managers that involved stringent and niche skill sets that were nearly impossible to find, leading to the role remaining unfilled. Offering more flexibility in hiring and focusing on developing candidate skill sets can significantly reduce the hiring gap.”
Focus on Recruiting
Bob Stevens, an Air Force veteran who served as a computer specialist at the White House Communications Agency, notes that, in addition to the five points the Cyberspace Solarium Commission outlines, the federal government should make recruiting cybersecurity talent a national security issue, which would help give it a new level of seriousness and urgency.
“The U.S. government sees the shortage of available cybersecurity talent as a national security risk and is making significant investments to improve its recruitment and development strategy for a cybersecurity workforce,” Stevens, who is now vice president for the Americas at security firm Lookout, told Dice. “This investment presents an excellent opportunity for a diverse range of people who wish to transition to a cybersecurity career or enhance their current career path.”
Stevens added that the CyberCorps program highlighted in the report is one way to start recruiting talent and bring new people into the federal government. In addition, he notes that those schools and universities that support Centers of Academic Excellence for Cyber Operations should also take the lead in recruiting talent and making sure those students find their way into the federal talent pool.
From a practical view, Clark suggests that recruiting talent to the federal government can run into bureaucracy. She noted that it can sometimes take over 100 days to get a Secret clearance and nearly 150 days to get a Top Secret clearance, which are necessary for many jobs. It’s one reason recruiters rely heavily on military veterans.
“Acquiring and maintaining security clearances has been a headache for candidates, recruiters, and hiring managers alike,” Clark said. “As most government cybersecurity talent needs are often urgent, most of the candidates I successfully placed were military veterans with current or active security clearances or government workers whose contracts recently expired.”
This reliance on recruiting from the military is one reason why diversity and career development are essential to bringing more security talent into the federal government. “The government is making it clear that addressing cyber security problems requires an extremely diverse group of people including people of color, women, men and those with neurological differences,” Steven said. “The best cyber security defense brings together the perspective of all of those who need to be protected.”