Feds on the hunt for better data as they seek to replenish cyber workforce

Building the cyber workforce is a top priority for the Office of the National Director of Cyber ​​Security. Pictured: Commuters board a Metrorail train at Union Station on March 15, 2016 in Washington. (Photo by Mark Wilson/Getty Images)

As the country faces a massive shortage of cyber talent, there aren’t very good numbers or estimates on how much the federal government will need to grow its workforce to keep pace with the needs and current landscape. threats.

National Director of Cybersecurity Chris Inglis said this week that strengthening the cyber workforce across U.S. government and society is a priority, and his office is developing a broader cyber workforce and education strategy. A day later, Deputy National Cybersecurity Director Camille Stewart said part of that effort will include developing new metrics to measure government staffing and skills needs at more granular levels.

“We want to get an overview of all of the federal agencies on what’s going on, clarify some of the roles and responsibilities, identify some of the measures and benchmarks that are working, and then figure out if and how we can [apply] in the federal ecosystem so that we can be more action-oriented and leverage these measures and create new opportunities,” Stewart said at the Billington Cybersecurity Conference in Washington on Thursday, when asked by SC Media for numbers. or figures on the government’s cyber workforce needs.

There are many programs and initiatives to hire cyberworkers or encourage them to stay with the federal government. Some are more efficient and scalable than others, and Stewart said that gives NCD, charged with reviewing civilian agencies’ cyber budgets, an opportunity to redirect and increase funding.

“There are some things you can change, some programs you can expand, there are some that might have to be scaled back,” she said. “So it’s a really good opportunity to elevate the good work that’s going on…and replicate it where it’s needed, add to it. You should see changes in the years to come as a result of this strategy [and] infrastructure that we will put in place.

The federal government’s ‘real problem’ with data

But the visibility that NCD and other agencies have into their cybersecurity hiring needs, such as specific estimated headcount needs or skills and knowledge gaps, is severely limited by this. which Mark Montgomery, former executive director of the Cyberspace Solarium Commission, called “a real problem.” with data” within the federal government.

Under the Cybersecurity Workforce Assessment Act, civilian federal agencies are supposed to report to the Office of Personnel Management on the number of IT and cybersecurity employees they have in their personnel and categorize these workers with specific job role codes that could give agencies a more accurate picture of the whole. recruitment needs and specific skills gaps. Despite the law, a Government Accountability Office report in 2019 found that many agencies miscategorize their IT and cyber jobs in a way that paints an inaccurate picture.

Montomgery said the OPM and federal agencies “don’t provide sufficient and complete data, so we don’t know what we don’t know.” He hopes NCD’s next strategy will improve the status quo.

“I don’t know which is worse: no data or bad data. Right now we have bad data,” Montgomery said.

Attracting cyber talent is a priority, but retention is also a challenge for the federal government

There are general figures that highlight the scale of the challenge. CyberSeek, a dashboard created by the National Institute of Standards and Technology, currently lists more than 700,000 open cybersecurity jobs across the country, though those numbers aren’t specific to the federal government.

Clar Rosso, CEO of (ISC)2, said a new study his organization is set to release next month will show that while the supply of cyber professionals in both the public and private sectors has increased by 11% since the last year, demand also declined. up 25%.

Much of the federal government’s public focus has been on attracting new talent or retraining existing employees to fill cybersecurity roles, but retaining qualified staff is also a challenge.

A major contributor to this problem is wages, where private sector companies can sometimes easily outbid the government when it comes to wage demands. Colonel Candice Frost, commander of the US Cyber ​​Command’s Joint Intelligence Operations Center, said it’s not uncommon for companies to offer their employees three times what they earn on a government salary to do a change.

Karen Evans, a longtime veteran of the federal government’s cyber workforce and now executive director of the Cyber ​​Readiness Institute, said that as a CIO in government, she considers herself “lucky if she could keep an employee for two years. With this reality in mind, short-term and rotational assignments were often one avenue both to replenish its immediate workforce while allowing its employees to transition into cybersecurity roles or acquire skills. more advanced skills.

Such assignments can be a valuable tool for agencies if they still provide meaningful work opportunities for the employee upon their return and if they result in more valued responsibilities and career development opportunities.

“Rotating assignments should be seen as career change, not career punishment,” Evans said.

This matches what other agencies, like the Cybersecurity and Infrastructure Security Agency, have gleaned from soliciting federal employees.

Later in the day, Kiersten Todt, CISA chief of staff, said that while engaging with other agencies on the retention of cyber personnel, the decision of many employees to remain with the federal government or of a particular agency is closely related to their feeling that there is an opportunity to further develop their skills and career.

“We do a lot of polling within the federal government…and we constantly get feedback on training, leadership, education. So: invest in the individual,” Todt said. “It’s not new, but [it speaks to] do it in a way that suits not just the individual, but the entire workforce [creating] a workforce truly invested in the mission.

Correction: A previous version of this article stated that an (ISC)2 study on worker retention was due out next week. A spokesperson said the report is expected to be released next month.

Brandon D. James