Even as the federal government has increasingly prioritized cybersecurity issues internally and with outside stakeholders like private industry, it still faces the same shortage of qualified human talent to meet the demand.
In fact, it’s often worse than other sectors because government salaries and an overly complex hiring system can’t compete with the kind of compensation and perks most businesses can offer to job candidates. For years, policymakers have pointed to the unique opportunity that comes with public service (“the mission” as it’s often called) as a key difference maker that would help them level the playing field. But it’s long been clear that better pay and a more streamlined employment pipeline are key to solving the problem.
That recognition is why the Biden administration’s flurry of cybersecurity-related announcements Wednesday included a significant step towards finally setting up the Department of Homeland Security’s Cyber Talent Management System, a program that would allow agencies like the Cybersecurity and Infrastructure Security Agency to sidestep the federal government’s byzantine job hiring process to provide the kind of compensation boosts needed to recruit and retain high-end talent.
An interim regulation published today fleshes out how the program will be set up and operate. DHS will use its authorities to create a new federal civil service job category that would be exempt from some of the more burdensome, one-size-fits-all hiring requirements around qualifications or skillsets. Ultimately, the system is designed to create a separate track for cybersecurity candidates, one that lets the department hire faster and pay more.
It also includes a number of elements that represent “a shift from the traditional methods and practices Federal agencies typically use to hire, compensate, and develop civil service talent.” That includes custom qualifications for DHS cybersecurity jobs, dedicated analysis focused on the shifting cyber job market to leverage the latest trends and stay ahead on recruitment, a talent acquisition system, a compensation system, and programs to address performance management and career development.
It’s not a new program, and officials at DHS have been trying to get it off the ground for years. The federal government’s rigid General Schedule pay scale puts a premium on experience and qualifications, but this is not how things work in cybersecurity, a field where the world’s greatest botnet was created by a group of teenagers (who then went on to help the FBI track down other hackers) and multi-billion-dollar corporations like Twitter can be hacked by a 17-year-old.
Chris Krebs, the founding director of CISA, told Congress in 2019 that the strict requirements around the GS-scale made it impossible to make a realistic hiring pitch to job candidates that were clearly qualified but hadn’t checked the right boxes.
“Are they a GS-4 or a GS-11? You know, by the standards that we have in place right now, I can't reward that person and pay them the way they could be paid in the private sector,” he said.
Rick Driggers, former assistant director of integrated operations at CISA and current critical infrastructure cyber lead at Accenture, echoed those thoughts in an interview with SC Media.
“You don't need a college degree to get a job in this space…give them a job as an apprentice, almost like a trade school,” said Driggers. “If you want to be a plumber, you want to be a mechanic, you go to a trade school; you learn on the job. You can do the same thing in this space.”
While programs like the Cyber Talent Management System can help, there also needs to be more investment within the education system because ultimately all these different organizations are competing for the same talent to address problems that transcend the private or public sector.
“We have a talent gap across cybersecurity writ large, we have a major talent gap in the OT/ICS space, and so it's important to invest in education, not just through more college programs, although college programs are critical and they're important,” said Driggers. “I think we also have to invest in high school kids, making sure that we can pull them out of high school. They can get a job in critical infrastructure, industrial control systems, operational technology.”