Bolstering the cyber workforce is a top focus of the Office of the National Cyber Director. Pictured: Commuters board a Metrorail train at Union Station on March 15, 2016, in Washington. (Photo by Mark Wilson/Getty Images)

While the nation is facing a massive shortage of cyber talent, there aren’t very good numbers or estimates around how much the federal government will need to grow its workforce to keep pace with needs and the current threat landscape.

National Cyber Director Chris Inglis said this week that bolstering the cyber workforce throughout government and American society was a top focus, and his office is in the midst of developing a broader cyber workforce and education strategy. One day later, Deputy National Cyber Director Camille Stewart, said part of that effort will include developing new metrics to measure the government’s personnel and skillset needs at more granular levels.  

“We want to get a view across the entire federal agencies of what’s going on, clarify some of the roles and responsibilities, identify some of the metrics and benchmarks that are working and then figure out if and how we can [apply] them across the federal ecosystem so that we can be more action oriented and leverage those metrics and create new opportunities,” Stewart said at the Billington Cybersecurity Conference in Washington on Thursday when asked by SC Media for numbers or figures on the government’s cyber workforce needs.

There are plenty of programs and initiatives to hire cyber workers or incentivize them to stay in the federal government. Some are more effective and scalable than others and Stewart said that gives NCD, charged with reviewing civilian agency cyber budgets, an opportunity to redirect and augment funding.

“There are some things that you can change, some programs you can grow, there are some that might need to shrink,” she said. “So this is a really good opportunity to elevate the good work that’s going on …and replicate it where needed, add on to it. You should see some changes in the coming years as a result of this strategy [and] of infrastructures that we will put in place.”

The federal government's 'real problem' with data

But the visibility that NCD and other agencies have over their hiring needs around cybersecurity, such as specific estimated headcount needs or skills and knowledge gaps, is greatly limited by what Mark Montgomery, former executive director of the Cyberspace Solarium Commission, called “a real problem with data” within the federal government.

Under the Cybersecurity Workforce Assessment Act, civilian federal agencies are supposed to report to the Office of Personnel Management on the number of IT and cybersecurity employees they have on staff and categorize those workers with specific work role codes that could give agencies more granular insights into overall hiring needs and specific skills gaps. Despite the law, a Government Accountability Office report in 2019 found that many agencies were mis-categorizing their IT and cyber jobs in a way that provides an inaccurate picture.

Montomgery said OPM and federal agencies “don’t provide sufficient, comprehensive data, so we don’t know what we don’t know.” He’s hopeful the NCD’s forthcoming strategy will improve the status quo.

“I’m not sure what’s worse: no data or bad data. Right now, we have bad data,” Montgomery said.

Luring cyber talent a focus, but retention also a challenge for feds

There are general numbers that highlight the scope of the challenge. CyberSeek, a dashboard created by the National Institute for Standards and Technology, currently lists more than 700,000 open cybersecurity jobs across the nation, though those figures are not specific to the federal government.

Clar Rosso, CEO of (ISC)2, said a new study her organization is preparing to release next month will show that while the supply of cyber professionals in the public and private sectors has grown by 11% since last year, demand has also gone up by 25%.

Much of the federal government’s public focus has been on luring new talent or retraining existing employees to fill cybersecurity roles, but holding onto qualified personnel is also a challenge.

A major contributor to that problem is pay, where private sector companies can sometimes easily outbid the government on salary demands. Col. Candice Frost, commander of the Joint Intelligence Operations Center at U.S. Cyber Command, said it’s not uncommon for companies to offer her employees three times what they make on a government salary to make a switch.

Karen Evans, a longtime veteran of the federal government’s cyber workforce and now managing director of the Cyber Readiness Institute, said as a CIO in government she considered herself “lucky” if she could hold onto an employee for two years. With that reality in mind, short-term, rotational assignments were often a pathway both for replenishing her immediate workforce while also allowing her employees to transition to cybersecurity roles or gain more advanced skillsets.

Such assignments can be a valuable tool for agencies if they still offer interesting work opportunities for the employee when they return and if they result in higher value responsibilities and career development opportunities.

“Rotational assignments need to be viewed as a career enhancing move, not a career punishment move,” said Evans.  

That tracks with what other agencies, like the Cybersecurity and Infrastructure Security Agency, have gleaned from canvassing federal employees.

Later in the day, Kiersten Todt, CISA’s chief of staff, said that while engaging with other agencies on retention of cyber staff, the decision of many employees to stay within the federal government or a particular agency is closely tied to whether they feel there is an opportunity to further develop their skills and career.

“We do a lot of surveys within the federal government … and what we constantly get feedback on is training, leadership, education. So: investing in the individual,” Todt said. “That’s nothing new, but [it speaks to] doing it in a way that suits not just the individual, but the broader workforce [creating] a workforce that is truly invested in the mission.”

Correction: A previous version of this article stated that an (ISC)2 study on worker retention was scheduled to come out in the next week. A spokesperson clarified the report is scheduled to be released next month.