The search for cyber talent
By Chase Gunter, Derek B. Johnson
To fill the growing cybersecurity skills gap, agencies must boost their efforts to attract younger and more diverse talent, with help from Congress.
Agencies are finding it tough to compete with the private sector for cybersecurity talent, so the government must widen its recruiting scope, said Deborah Plunkett, a strategic advisory board member of the International Consortium of Minority Cybersecurity Professionals, at an Aug. 11 New America event.
What makes the case for an expanded scope of recruiting "more compelling today is that we need so much more capacity in cybersecurity than we have ever needed" for other skill sets, she said.
Federal cybersecurity workforce issues landed on the Government Accountability Office's 2017 high-risk list. Echoing those concerns, the Center for Cyber Safety and Education recently estimated a global shortage of 1.8 million cybersecurity professionals by 2022, adding that women comprise just 14 percent of the U.S. information security workforce.
Mihoko Matsubara, chief security officer for Japan at Palo Alto Networks, said that encouraging women and minorities to participate in information security education benefits not only those underrepresented groups but the field as a whole.
Expanding the talent pool, Plunkett added, would provide government the opportunity to extend its search beyond traditional, four-year universities and help diversify the federal workforce.
"If we simply look at demographic trends ... there are going to be a lot more women available in the workplace and people of color in the workplace, so it's almost a no brainer that we need to figure out how to leverage that capacity in this critical field," she said.
Simply sticking to traditional recruiting methods and restricting the search for talent to four-year colleges "defies logic," she added. "While it's true we've got to work more closely with colleges and universities to recruit … it has to start so much earlier than that."
Plunkett, a former director of information assurance at the National Security Agency, outlined some practical steps government could take to help fill its skills gap, including expanding programs such as the National Science Foundation's CyberCorps Scholarship for Service program, forging partnerships with schools and sponsoring more camps and showcases.
The military services are also dealing with the problem of retention of cyber professionals. Some in Congress are addressing the issue with legislation. Sen. Mark Warner (D-Va.) introduced an amendment to the upcoming National Defense Authorization Act to establish a five-year pilot program within the Department of Defense to recruit, train and retain cyber personnel. His colleague Sen. Tim Kaine (D-Va.) introduced his own legislation this month mandating that a percentage of Department of Homeland Security and NSF scholarships be set aside for members of the armed forces.
Samara Moore, former director for cybersecurity critical infrastructure of the White House National Security Staff, suggested that retraining mid-career employees who want to transition to cybersecurity jobs could open the pipeline to those who already have government experience, even if it isn't strictly in information security.
Randi Kieffer, former deputy director of DHS's National Cybersecurity Communications and Integration Center, said that it's not just techies behind keyboards that government needs.
"They need more people who can speak about cyber... [and] can go out and speak to people in a way they can understand it," she said.
Plunkett said she believes there's a "deficit on the policy side" in the recruiting effort.
The time when federal tech employees would serve in government for decades straight "has probably passed," Plunkett said, adding "that is a phenomenal scenario because government gets the benefit of the experience from the outside" and vice versa.
In addition to policies that can enable fluid transitions between government, the private sector and additional resources, Congress "can provide accountability because of their oversight responsibilities and ask agencies that are recruiting the tough questions." It can also point agencies in the right direction, she said.
One thing government service can offer trained cybersecurity professionals from all backgrounds is a compelling mission. During a media briefing at TechNet in Augusta, Ga., Maj. Gen. John B. Morrison Jr. of the Army Cyber Center of Excellence said that there are a number of initiatives military leaders have put in place to hold onto their cyber workforce. Retention bonuses and additional training are one component, but Morrison also cited patriotism and a unique mission as advantages that help keep some high-performing cyber workers in the fold.
"The Army cyber force is conducting cyber missions each and every day. Nowhere else in the world can they conduct the kind of operations that they’re doing now, and that by itself is a pretty big retention tool," he said.