What if there was a war and nobody came?
It almost seems that way for the U.S. government, in terms of recruiting cybersecurity professionals in the ever-expanding war on cybercrimes.
White House officials contend "there simply is not a sufficient supply of cybersecurity talent to meet the increasing demand of the Federal Government. Recent industry reports project this shortfall will expand rapidly over the coming years unless companies and the Federal Government act to expand the cybersecurity workforce to meet the increasing demand for talent."
The remarks were made in a White House memo in which Shaun Donovan, director of the White House Office of Management and Budget (OMB), Beth Cobert, acting director of the Office of Personnel Management and federal CIO Tony Scott detail "the need to enhance the security of the Federal digital infrastructure and improve the ability to detect and respond to cyber incidents when they occur."
WHAT TO DO? THE FED RESPONDS
One year ago in June, the OMB launched the Cybersecurity Sprint to rapidly improve cybersecurity across the federal government. The strategy, which included a review of federal cybersecurity policies, plans, and procedures, yielded two key observations about the federal cybersecurity workforce: a lack of cybersecurity and IT talent hampers the ability of federal agencies to protect information and assets; the existing initiatives to meet this challenge lack awareness and inconsistent implementation.
Federal agencies face another obstacle in recruiting and retaining candidates: lower wages relative to the civilian sector. For example, as reported by Patrick Thibodeau, an ad for an "IT specialist INFOSEC" position lists a salary floor of $55,670. The job, which requires a master's degree, can top more than $100,000.
However, Thibodeau notes that in the private sector, a cybersecurity specialist with more than three years' experience averages a salary of $99,000, with a range between $83,000 and $117,000. The range escalates ($118,000) with more than five years' experience, he quotes David Foote, chief analyst at Foote Partners, an IT salary research and consulting firm.
Demand for cybersecurity professionals has been high generally, said Foote. "There just isn't enough talent to go around," he said, and in a scarce market "the private sector usually wins because they can pay more."
To thwart the challenges of lack of talent pool, lower wages, and implementation issues, the Cybersecurity Sprint established four initiatives:
Identify Cybersecurity Workforce Needs. Improving the government-wide understanding of the cybersecurity workforce by identifying key capability and capacity gaps in order to enhance workforce planning.
Expand the Cybersecurity Workforce through Education and Training. Working with educational institutions, professional organizations, training organizations, and other experts on cybersecurity program guidance from P-12 through university-level education to significantly expand the pipeline of skilled cybersecurity talent available for the Government and beyond.
Recruit and Hire Highly Skilled Talent. Engaging in government-wide and agency specific efforts to expand the cybersecurity workforce through recruitment of highly skilled talent, and streamlining the hiring and security clearance process while still meeting applicable law and standards.
Retain and Develop Highly Skilled Talent. Promoting an enterprise-wide approach to retention and development to support the continued enhancement of the cybersecurity workforce.
To better match civilian wage levels, the strategy calls for the establishment of programs to "assist Federal agencies in their use of existing flexibilities for compensation and explore opportunities for new or revised pay programs for cybersecurity positions consistent with other special Federal pay programs (e.g., special salary rates and/or market sensitive pay structures)."
According to White House officials, agencies are better able to identify, recruit, assess, and hire the best candidates with specific cyber-related skills and abilities. The first half of 2016 saw more than 3,000 new cybersecurity and IT professionals hired. The government plans to hire 3,500 more individuals to fill critical cybersecurity and IT positions by January 2017.
Earlier this year, the Obama administration 2017 IT budget called for a 35% increase in cybersecurity spending to $19 billion. The funds would be earmarked to replace outdated IT infrastructure; a new position of federal chief information security officer; a commission to study cybersecurity problems, and a program to recruit cybersecurity experts into government roles.