To build their cybersecurity workforce, agencies should consider opportunities to cross-skill IT-capable employees for advanced roles.
As the public sector increasingly recognizes the human factor of cybersecurity as a necessary resource to protecting infrastructure and data, government agencies are still struggling with a talent shortage. In fact, the government is currently underserved by approximately 33,000 practitioner job openings.
The growing talent shortage has created an inherent level of ambiguity as specialized agencies and divisions are beholden to the talent acquisition acumen of USAJOBS. While a central clearing house for federal employment has its benefits, key stakeholders are left wondering if the talent they’re vying for is congruent with the knowledge, skills, abilities and task descriptions (KSATs) that agencies actually need?
So what can agencies do in order to advance the federal workforce and assure that it is composed of qualified cybersecurity professionals?
Agencies looking to advance their cybersecurity workforce in a meaningful way should first take an inventory of what they already have in addition to the roles outstanding. Agencies are too often focused on the talent they don’t have and miss out on opportunities for efficiency within existing personnel. Many are turning to the National Initiative for Cybersecurity Education (NICE) within the Cybersecurity Workforce Framework (NCWF), which outlines 52 distinct cybersecurity roles across seven categories. Agencies can use this common lexicon to categorize current employees in a consistent manner. The list is incredibly specific, extensive and provides a comprehensive inventory of KSATs for each role.
Some of the most likely talent gaps that agencies may discover are in threat hunting, digital forensics and cybersecurity architecture. These roles are also in high demand in the private sector, making it difficult for agencies to compete in terms of salary and other benefits. In these instances, agencies should consider opportunities to cross-skill cybersecurity employees or other capable employees -- such as an IT systems administrator -- for these advanced roles.
Standardize and formalize roles
The NCWF also outlines specialty areas and associated descriptions agencies can use to set up and define their cybersecurity job families prior to creating individual job descriptions. The descriptions describe the functional work broadly enough to apply to a wide set of organizations. The work role descriptions are helpful as well, but are not definitive. Rather, they serve as a useful starting point for the creation of job roles and families if paired with an agency’s unique requirements and job functions.
While every agency has unique responsibilities given its missions, the baseline for cybersecurity KSATs is relatively consistent from one agency to the next. This provides significant opportunities to identify and recruit new cybersecurity talent through public-private partnerships such as the Cyber Talent Initiative, a nonpartisan initiative aimed at recruiting and training a world-class cybersecurity workforce.
Shape job roles to your organization
Even with a detailed job inventory, federal agencies have their work cut out of them. For one, to be successful in a role, candidates must be carefully measured against their KSATs, so agencies must consider how they will assess team members within their roles.
As it exists today, the 52 roles within the NCWF lists KSATs one-by-one with no clear grouping, priority or relationship. It will be up to the agency to review, manipulate, and synthesize the requirements into a digestible, relevant job description.
Make it easier for HR
Implementations of the NCWF or similar frameworks, while well-intentioned, often prove difficult to implement through existing human resources processes, making it important to consider HR issues early on. Rather than being on the receiving end of open-ended and difficult-to-evaluate positions, HR must have a clear understanding of the mission requirements, tools by which to evaluate candidates and the flexibility to pursue employees within new pools of talent.
In other words, if newly defined positions list 50 KSATs without priority or relationship, it will still be near impossible for HR staff to evaluate job seekers if they must “check boxes” that meet criteria. The best solution would be a designation as to which KSATs are teachable or could be acquired via training and workforce development post-hire.
If agencies take the time to ensure that roles meet their needs and figure out how they relate to each other, then HR is much more likely to be able to place candidates into positions with a higher degree of confidence. Similarly, if agencies understand how employees will move from one position to the next over their respective careers, they are far more likely to build processes and procedures to facilitate that movement, keeping their employees happier for longer.
As the human factor of cybersecurity remains an essential resource to protecting infrastructure and data, many agencies are holding themselves back from acquiring the best talent for the job and often don't know what they need. With government cybersecurity guidelines moving toward including human capabilities and talent requirements, federal agencies can better understand the existing cybersecurity talent holes they have and what resources they need. Assessing cybersecurity skills and training where there are existing deficiencies are the beginning steps to addressing the cybersecurity skills and workforce shortage within the federal workforce.
NEXT STORY: 5 ways to avoid phishing lures