
CISA is on the hunt for a CISO

Jen Easterly, United States Director of the Cybersecurity and Infrastructure Security Agency

One of the primary missions of the Cybersecurity and Infrastructure Security Agency is helping federal agencies and other entities improve their cybersecurity operations. Now, the agency is looking to hire someone to help it do the same.

CISA posted a job notice for a new chief information security officer (CISO) this week, seeking a candidate who can manage the agency's cybersecurity operations, protect its IT assets and contribute to its larger mission of supporting federal government and private sector cybersecurity.

“You will be responsible for the Agency's security architecture, security operations center, and responsiveness to incidents that may impact business, mission assets, personnel, and networks across CISA's multi-billion-dollar information technology enterprise,” the notice states.

Beyond protecting CISA's own networks, the new CISO would also help develop collaborative relationships across the federal interagency, engage with industry on collective defense strategies, and lead and develop the agency's incident response and investigation procedures and processes.

The position is one of the earliest high-profile examples of CISA exercising the new hiring authorities launched last November to boost recruiting in the notoriously competitive cybersecurity job market.

Director Jen Easterly confirmed that the position will fall under the Cybersecurity Talent Management System, the newly exercised hiring authorities that officially went live last November.

“This is a super important role that will help strengthen our own cybersecurity posture and that of the federal government,” Easterly said on Twitter.

The Cybersecurity Talent Management System represents a shift from many of the traditional practices used to hire, compensate and develop federal workers. It forgoes the usual General Schedule hiring system, which ties the pay and seniority of newly hired federal employees to strict timelines, letting CISA offer higher starting salaries and other benefits. It also allows the agency to pursue candidates who lack the array of certifications, educational credentials and tenure often required for high-level federal positions.

The CISO position would report to CISA's chief information officer (currently Robert Costello) and pays an annual salary between $157,300 and $226,300. Notably, the job lists no degree or certification requirements. SC Media has reached out to CISA to ask whether other aspects of the position have been changed or enhanced under the new authorities.

“Degrees are not required for jobs in the DHS Cybersecurity Service, but DHS is interested in your level of education and the topics you studied," the notice reads.

This is something leaders at CISA and other agencies have complained about for years, arguing that cybersecurity does not operate like many other industries. In a field where a trio of teenagers can develop the world's most dangerous botnet, and the 2017 WannaCry attacks were halted by a 20-something hacker who was later arrested and charged with developing malware, age, tenure and certifications are not always accurate indicators of someone's capability.

The traditional approach, where higher levels of credentialing and experience dictate higher performance, is "just not how cyber works," former CISA director Chris Krebs told Congress in 2020 while stumping for new hiring authorities.

"I'm getting 17-, 18-year-olds that apply for a job and [they] have six years of practical — operational effectively — experience in security research, so they've been online white hat hackers since they could…turn on a computer," Krebs said.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
