When it comes to hiring the federal cyber workforce, it is easy to cling to a narrative that much of the work is beyond the control of the government. Focusing on the difficulty of the task obscures the tangible steps already taken to equip the federal workforce for the cybersecurity challenges of today and tomorrow. At the 2019 CyberCon conference, speakers from government, industry and the think tank world spoke to how, exactly, federal agencies can hire people to provide stability in an era of ever-present threats.
“The private sector wants to keep the lights on just as much as the public sector does,” said Sean Plankey, principal deputy assistant secretary in the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response.
To that end, Plankey pointed to trainings sponsored and coordinated by the Department of Energy that bring together industry and government to model crisis simulations. Some of these are modeled on the “Black Energy” attack by Russia on Ukraine’s power grid, and show the importance of integrating federal emergency response with private-sector handling of critical infrastructure.
Convincing stakeholders within government of the importance of cybersecurity is but one part of the job. Another is making sure that skilled people can be recruited, brought on board, and then kept engaged in government careers so that they are available when needed.
Looking at the available labor statistics for employment in the industry, New America Cybersecurity Policy Fellow Laura Bate found that, while the private sector paid more for the same degrees than government, it amounted to only about a 24 percent increase. While that’s a significant gap, it’s a much smaller and more manageable disparity than popular perception, which holds that the private sector pays orders of magnitude more than the government for the same skill set.
“We don’t have to start people at step one,” said Venice Goodwine, chief information security office for the Department of Agriculture. “There are opportunities for negotiation when entering government.”
Simply taking advantage of the tools on hand, and knowing the full extent to which those tools can be used to build the workforce at all levels, is one key way to mitigate that disparity. Another is emphasizing the full range of the mission at places like USDA, where cybersecurity can matter for everything from crop integrity to the safety of people fighting forest fires.
And while the perception is that technology companies are what’s driving cybersecurity salaries, Mantech President Rick Wagner highlighted that the banking industry is now a huge competitor for that same supply of workers. Government has to offer something beyond just the dollars to be competitive for those workers.
“If I want to keep the young, bright-eyed, bushy-tailed individuals, I need to make an environment where they can be creative,” said Goodwine. To than end, Goodwine emphasized reskilling to cyber from within government, and finding ways to pay for cyber workers to advance their own knowledge, so that they can stay engaged and keep doing the job.
The necessity and difficulty of clearances was a recurring theme for the panel.
“Clearances, and the delay to get people from conditional offer to into the job bigger deal than numbers suggest,” said Bate. “Anecdotally, I can say it’s a huge part of why people walk away; as a researcher that we can’t quantify it drives me crazy.”
Goodwin spoke to USDA having a fast turnaround of between 30 days and six weeks for interim clearances as one way to bring people in who might be turned away by the process. On the civilian side, the presence of cybersecurity jobs that don’t require clearances is also helpful to bring people into government.
“When having people break down and cry during polygraph is part of the normal hiring process, you’re not starting the relationship with an employer in the right way,” said Bate.
For Plankey, making clearances sticky for people, allowing them to have clearances sponsored while they work in the commercial sector, would make it easier for them to return to government service, even if it isn’t the same part of government they worked at previously. And there are more unconventional avenues to get people into cybersecurity roles.
“The NDAA authorized direct hiring into officer ranks for cyber expertise,” said Plankey. “The authority is out there; experience using it is not.”
Kelsey Atherton blogs about military technology for C4ISRNET, Fifth Domain, Defense News, and Military Times. He previously wrote for Popular Science, and also created, solicited, and edited content for a group blog on political science fiction and international security.