Cybersecurity professionals believe their teams are understaffed, many teams have unfilled positions, open positions often take six months or more to fill, and job candidates often are not qualified for the positions for which they applied, as evidenced in the last several State of Cybersecurity annual surveys conducted by ISACA.
However, it seems progress is being made on the cyber staffing shortfall, at least anecdotally. At the 10th Annual Billington Cybersecurity Summit conducted 4-5 September in Washington DC, the theme of cyber workforce development was discussed in several sessions. Specifically, a number of speakers employed at various US agencies commented on the progress the US government has made in using creative and innovative approaches to hiring individuals for cybersecurity roles.
The Office of Management and Budget (OMB), for example, is piloting a cybersecurity reskilling effort, according to Grant Schneider, federal CISO at the OMB. As part of the Federal Cyber Reskilling Academy, US federal employees are offered an opportunity to be trained in cybersecurity.
The Federal Bureau of Investigation (FBI) asks new hires to take an aptitude test to gauge their potential ability to perform cyber tasks. Thus, for example, if an individual is hired to be an analyst (perhaps because of language or data skills) but scores high for cyber on the aptitude test, the FBI will encourage the individual to pursue employment within the Bureau in cybersecurity.
A number of speakers from several US agencies stressed that the government has shifted its hiring practices to focus on aptitude versus requiring specific degrees or skills (and in many instances has eliminated the degree requirement). In one example, government-employed cyber professionals worked very closely with government recruiters to vet candidates and help establish aptitude for cyber roles.
The US government has also had recent successes in hiring industry experts at its agencies. Often these employees started in government, left public service to work in the private sector, and are now returning to the public sector, sometimes via a partnership arrangement with industry. Often individuals want to work for the government, fulfilling a need to give back or serve the public. As Katherine Arrington, chief information security officer, Office Undersecretary of Defense for Acquisition, noted, “We need to reduce the bureaucracy to facilitate that. We’re moving in the right direction.”
As ISACA’s State of Cybersecurity reports note, retention of qualified cyber professionals can be challenging. This is especially true in government, where public sector cybersecurity jobs often don’t pay as well as those in the private sector. The government, however, has had recent successes with hiring cyber professionals at a higher pay grade than in the past (particularly for civilian employees) and increasing remuneration via bonuses (for military personnel), according to Jack Wilmer, deputy CIO for cybersecurity and senior information security officer, Department of Defense.
It’s encouraging to see the progress the US government is making in tackling the cybersecurity workforce shortage. The private sector should take note and consider adopting some of these successful tactics.