In the two-plus years since the Cyberspace Solarium Commission released its groundbreaking report on U.S. cybersecurity shortcomings, the federal government continues to make improvements in shoring up the country’s defenses based on those findings… but hiring enough skilled tech and cybersecurity professionals remains a challenge.
Cybersecurity experts note that the skill requirements for federal government work and salary considerations (especially when compared to more lucrative opportunities in the private sector) remain significant issues to hiring enough workers.
The latest Cyberspace Solarium progress report, released in September, does contain good news for those concerned about the state of U.S. cybersecurity: The federal government is on track to have about 85 percent of the commission’s recommendations implemented.
Over the past two years, the federal government has implemented several of those big-ticket items. These include additional funding for the Cybersecurity and Infrastructure Security Agency, the creation of a cyber ambassador at the State Department, and the establishment of a national cyber director appointed by the president and confirmed by the Senate.
As part of the update, the commission’s staff also looked at the progress made in hiring more skilled tech and cybersecurity workers, as well as raising awareness of the security issues the country now faces. In the section entitled, “Growing a Stronger Federal Cyber Workforce,” the report notes several areas where there have been improvements, such as developing apprenticeships for non-traditional hires and emphasizing cybersecurity education in K-12 schools.
When it comes to hiring tech workers with the necessary skills, however, the report finds more work is needed. For instance, under the section, “Improve Pay Flexibility and Hiring Authorities,” the report’s authors noted:
“The Office of Personnel Management has established a special salary rate for some cyber positions. However, full implementation of this recommendation, which is closely linked to Recommendation 2 [Properly Identify and Utilize Cyber-Specific Occupational Classifications] in the white paper on the federal cyber workforce, will require executive action. That executive action may also be supported by congressional mandate, and in one case – the establishment of a new cyber excepted service – it will require authorization.”
Make Hiring Cyber Talent a Top Government Priority
Cybersecurity experts have noted the federal government’s hiring difficulties for quite some time. “Especially challenging for the public sector is the competition with compensation and equity packages within the private sector for the same pool of candidates,” Dave Gerry, chief operating officer at Bugcrowd, told Dice. “While CISA has made great strides in improving the partnership with the private sector under Director [Jen] Easterly's oversight, employees oftentimes will be drawn to wealth creation opportunities above and beyond a sense of civic duty.”
The Biden White House recently announced it’s looking to fill about 700,000 cybersecurity jobs across the U.S. The job-tracking site Cyber Seek estimates there are about 39,000 open cyber positions in the public sector, including local, state and federal agencies.
While the government cannot compete with the private sector when it comes to salary (a recent report in Axios found there’s about a 14 percent difference between salaries in the private versus the public sector), officials have pointed to other benefits of government work, such as job security, pensions and superior health benefits.
During this year’s RSA conference, CISA’s Easterly also appealed directly to patriotism. Even with benefits and appeals to a higher calling, the government continues to struggle with hiring enough skilled cyber and tech professionals, said Mike Parkin, senior technical engineer at security firm Vulcan Cyber.
“The cybersecurity field currently has considerably more positions to fill than there are qualified candidates. While more people are entering the field, it can still be very challenging to find the right people for the job,” Parkin told Dice. “With government jobs, it’s even more of a challenge. While government work is known for long-term stability, it also has a reputation for being bureaucratic, political and not especially well-paying compared to the private sector.”
Darren Guccione, CEO and co-founder of Keeper Security, pointed to his company’s survey that said 71 percent of respondents made new hires in cybersecurity over the past year, while 58 percent increased cybersecurity training in that time. Much of the struggles in the private sector are reflected in the public sphere.
“This lack of cybersecurity expertise available in both the private and public sectors reflects a broader skills shortage across the country,” Guccione told Dice. “The analysis and concrete benchmarks outlined by the Cyberspace Solarium Commission provide a clear roadmap the government can use to address these pervasive challenges.”
Developing the Right Cybersecurity Skills
The need for skilled tech and cybersecurity professionals is driving many with some technical know-how to further upskill to help meet the requirements for their next job or promotion. Bugcrowd’s Gerry noted the federal government has started to reach out to non-traditional students and those without computer science degrees with more resources for apprenticeships—but more is needed.
“While degrees in computer science and other related technical fields is a nice-to-have, the reality is that almost anyone can become successful in a cybersecurity role with the right training, assistance and on-the-job training,” Gerry said. “The Cyberspace Solarium Commission makes great recommendations around investing in work-based training via volunteer clinics, apprenticeship programs, and increased flexibility around hiring authority and pay ranges to compete for talent.”
For those interested in pursuing government work, Parkin added that communications skills often trump even the most technical know-how. “The public sector needs cybersecurity talent at every level, from entry-level analysts to seasoned incident responders to experienced managers,” Parkin said. “As for specific skills, communication is paramount. The ability to communicate clearly and concisely is required for anyone in cybersecurity, and the ability to work as part of a team. That’s a priority for anyone, at any level, in the cybersecurity field. Getting the required technical know-how is relatively easy compared to learning how to work well with others.”