Fragmented efforts hurt cybersecurity workforce development
- By William Jackson
- Nov 30, 2011
The weak economy has made it easier for at least some agencies to recruit and retain cybersecurity professionals, but government needs to do a better job of identifying and tracking these workers and of assessing the effectiveness of hiring programs, according to the Government Accountability Office.
“The ability to make federal IT infrastructure and systems secure depends on the knowledge, skills, and abilities of the federal and contractor workforce,” GAO wrote in a recent report. But the report described a fragmented environment for workforce development, with incomplete and overlapping efforts to identify, attract and retain these workers.
Workforce development should be integrated into department cybersecurity strategies, and hiring initiatives should be better coordinated across government, the report concluded.
Federal IT security workforce could double in 5 years
How to get hired fast: Be a cyber pro
GAO evaluated cybersecurity workforce planning at eight agencies with the highest IT budgets for the report: the Defense, Homeland Security, Health and Human Services, Treasury, Veterans Affairs, Commerce, Transportation and Justice departments.
GAO has identified government information security as a high-risk area since 1997, and government and industry officials have recognized training a professional cybersecurity workforce capable of serving both the public and private sectors as a long-term challenge. But there appears to be no immediate manpower crisis. Four of the agencies studied were generally able to fill their cybersecurity positions. Officials at several agencies reported challenges in filling more technical positions, and officials at two agencies reported currently being under a hiring freeze.
DOD reported that it had about 9,000 information assurance positions unfilled in 2010, due in part to the Cyber Command having been created in May 2010. The command had reported that it expected to be able to fill 80 percent of those positions by September 2011.
One of the first challenges identified by GAO is simply identifying cybersecurity workers, because there is no specific classification for them. Definitions — and totals of workers — vary among and even within agencies. But DOD is easily the largest cybersecurity employer in government, reporting 66,000 full-time equivalent positions to the Office of Management and Budget for 2010, with Justice coming in a distant second at 2,887.
Because of the difficulty of defining cybersecurity jobs, and the possible negative impact on an employee’s job mobility, OPM has no plans to create a designation for the job. The CIO Council, the National Institute of Standards and Technology, the Office of Personnel Management and DHS have made efforts to define skills, competencies, roles and responsibilities for the cybersecurity workforce, but these efforts overlap and are potentially duplicative, GAO said. Officials from these agencies are beginning to coordinate activities, however.
The greatest hiring challenges are for highly technical positions, and most agencies offer some incentives for recruiting, including higher salaries, student loan repayment and additional leave time. But there are no programs to assess the effectiveness of these incentives.
There also are a number of governmentwide programs to address cybersecurity needs, including the National Initiative for Cybersecurity Education, the Information Systems Security Line of Business to provide training across agencies, and the Scholarships for Service program. But these efforts lack planning and coordination, GAO said.
Scholarship for Service, run by the National Science Foundation, is a small but useful program, but it lacks data on whether its participants remain in the government long-term. It produces about 125 to 150 graduates a year who agree to work in the federal government for at least two years in exchange for scholarships, a small number when divided among 24 major agencies. DOD is the largest consumer of these graduates, hiring 49 percent of them in 2009 and 2010, about half of those going into the National Security Agency.
William Jackson is freelance writer and the author of the CyberEye blog.