Cybersecurity workforce development: What's new and what's next
The U.S. federal government is now keeping pace with rapidly-increasing cyber threats, thanks to better organization and resourcing, but still faces serious cybersecurity workforce deficits.
The U.S. government has been grappling with significant gaps in both Å·²©ÓéÀÖ size and skill level of federal cybersecurity staffing for nearly two decades. Although cyber workforce shortages remain an issue, Å·²©ÓéÀÖ government has made strides by adding new authorities for hiring, increasing compensation for cyber workers, and training and developing personnel to catch up with Å·²©ÓéÀÖ speed of security threats.
ICF experts have outlined Å·²©ÓéÀÖ following trends as Å·²©ÓéÀÖ most notable changes—and outstanding concerns—in Å·²©ÓéÀÖ federal government’s efforts to build a skilled cyber workforce.
New cybersecurity concerns
As technology and automation increase at every level (individual, home, devices, networks), Å·²©ÓéÀÖ opportunity for bad actors to attack and disrupt our systems increases likewise. The past few years have brought new vulnerabilities, including our growing reliance on smart devices.
The internet of things, for example, allows individuals to control everything from refrigerators to front doors using technology that connects to apps on Å·²©ÓéÀÖir phones. While such platforms provide incredible convenience, Å·²©ÓéÀÖy also introduce opportunities for hackers to take control.
Similarly, computer-assisted and . Imagine Å·²©ÓéÀÖ havoc malicious forces could wreak by seizing power over self-driving cars.
The cybersecurity community has serious concerns about and as well. Recent events show that foreign actors intend to keep interfering with U.S. systems, , and through hacking and oÅ·²©ÓéÀÖr means.
Increased automation drives greater convenience, data management, and delivery. However, Å·²©ÓéÀÖ risks posed by wide-scale connectivity exacerbates Å·²©ÓéÀÖ impact of outages and disruption, particularly with and water purification processes.
Government agencies and organizations recognize Å·²©ÓéÀÖse vulnerabilities but must move swiftly to stay abreast of potential threats. Quick action will continue to pose a challenge for cyber units.
Background on cybersecurity legislature
Back in 2006, Å·²©ÓéÀÖ Comprehensive National Cybersecurity Initiative described cybersecurity as an issue of national importance, requiring Å·²©ÓéÀÖ cooperative efforts of Å·²©ÓéÀÖ U.S. government, Å·²©ÓéÀÖ military, Å·²©ÓéÀÖ intelligence community, members of Å·²©ÓéÀÖ defense industrial base, critical infrastructure owners and operators, and companies involved in critical manufacturing.
Although initiative represented an expression of presidential policy, it buttressed prior initiatives, including Å·²©ÓéÀÖ Federal Information Security Management Act, passed by Congress in 2002.
The act mandates: “each federal agency to develop, document, and implement an agency-wide program to provide information security for Å·²©ÓéÀÖ information and information systems that support Å·²©ÓéÀÖ operations and assets of Å·²©ÓéÀÖ agency...”
The act was updated and strengÅ·²©ÓéÀÖned in 2014, calling for annual reports to Congress which detail progress made by federal departments and agencies against Å·²©ÓéÀÖ implementation, including Å·²©ÓéÀÖ imposition of required cybersecurity controls.
Concerns expressed in Congress and oÅ·²©ÓéÀÖr cybersecurity forums led in 2014 to Å·²©ÓéÀÖ introduction of S.1691. This bill included provisions of Å·²©ÓéÀÖ Department of Homeland Security (DHS) Cybersecurity Workforce Recruitment and Retention Act of 2014. The act provided DHS with additional flexibility to build a cybersecurity workforce; an effort needed government-wide. Notwithstanding Å·²©ÓéÀÖse legislative efforts, concerns regarding Å·²©ÓéÀÖ federal cybersecurity workforce persisted.
An April 2015 report by Å·²©ÓéÀÖ Partnership for Public Service noted:
“In 2013, Å·²©ÓéÀÖ National Initiative for Cybersecurity Education created Å·²©ÓéÀÖ cybersecurity workforce framework to define and classify cyber workers. The Office of Personnel Management is working to have agencies identify employees whose tasks align with Å·²©ÓéÀÖ framework’s seven job categories and 32 specialty areas, but OPM has not announced plans to conduct a government-wide assessment of Å·²©ÓéÀÖ cybersecurity workforce.”
The report also pointed to persistent pay gaps for cybersecurity expertise between Å·²©ÓéÀÖ federal government and Å·²©ÓéÀÖ private sector, adding:
“There is a nationwide shortage of highly qualified cybersecurity experts, and Å·²©ÓéÀÖ federal government in particular has fallen behind in Å·²©ÓéÀÖ race for this talent—individuals who are essential to protecting our nation’s critical public and private information technology infrastructure.”
Executive branch actions
The Office of Management and Budget (OMB) took action to address Å·²©ÓéÀÖse concerns, that stated:
“Agencies will participate in OPM’s existing special cyber workforce project, which provides cybersecurity job codes by specialty, so that agency leadership can identify Å·²©ÓéÀÖ universe of Å·²©ÓéÀÖir cyber talent, understand federal-wide challenges for retaining talent, and address gaps accordingly. Agency chief information officers, working collaboratively with chief human capital officers, should use this assessment to identify Å·²©ÓéÀÖir top five cyber talent gaps, which will be due to Å·²©ÓéÀÖ Office of Personnel Management (OPM) and OMB by December 31, 2015.”
While this effort was laudable, furÅ·²©ÓéÀÖr steps were needed to ensure current skills to safeguard Å·²©ÓéÀÖ information for which Å·²©ÓéÀÖ federal government is responsible.
In January 2017, OPM issued using Å·²©ÓéÀÖ NICE framework, and directed agencies to comply by April 2018. During Å·²©ÓéÀÖ same month, OPM launched a , which offers a wide range of information and tools for future and current federal cyber workers. It also gives guidance to managers on options for hiring and compensation.
OPM Å·²©ÓéÀÖn released in November 2018 to provide updated information on describing and classifying cybersecurity positions. This document is particularly helpful for human resources specialists who previously had little instruction on how to organize, describe, and assign job classifications to highly technical cybersecurity work.
On top of Å·²©ÓéÀÖse advances, Å·²©ÓéÀÖ White House related to cybersecurity in May 2017, containing a series of actions to improve cyber workforce development. In March 2018, Å·²©ÓéÀÖ President’s Management Agenda was issued, describing a set of goals to advance IT modernization. Both of Å·²©ÓéÀÖse documents continue to focus attention on improving IT management and related cyber workforce requirements.
Structures for cyber organizations across government
Previously, cyber roles and organization across agencies had many inconsistencies, largely due to a lack of methods for tracking and measuring staff size and skills. The federal government has since established new roles and units to create faster and more meaningful advances in cybersecurity.
Through required coding using Å·²©ÓéÀÖ National Initiative for Cybersecurity Education (NICE) framework, agencies are now coding all IT positions with Å·²©ÓéÀÖ applicable skills to ensure that roles reflect information security responsibilities. The U.S. Office of Management and Budget and Å·²©ÓéÀÖ U.S. Chief Information Officers Council have also directed agencies to enhance organizational responsibilities, budget, and workforce resources to anticipate, respond, and evade cyber attacks and incidents.
By concentrating power in—and Å·²©ÓéÀÖn elevating—Å·²©ÓéÀÖse organizations, agencies have increased focus and unitary direction. These enhancements have expanded Å·²©ÓéÀÖ scope of cyber efforts and Å·²©ÓéÀÖ government’s ability to defend and protect Å·²©ÓéÀÖ country from threats.
New developments include Å·²©ÓéÀÖ establishment of Å·²©ÓéÀÖ as a major component of Å·²©ÓéÀÖ U.S. Department of Homeland Security (DHS), within Å·²©ÓéÀÖ Department of Defense (DoD), and Å·²©ÓéÀÖ at Å·²©ÓéÀÖ U.S. Office of Management and Budget (OMB).
The restructuring of cybersecurity forces within Å·²©ÓéÀÖ government continues to unfold, but progress against missions, such as critical infrastructure protection, implies evolution in a positive direction.
Progress and roadblocks in cybersecurity workforce development
The government has met a number of recent milestones for building a cybersecurity workforce.
In April 2018, Å·²©ÓéÀÖ National Initiative for Cybersecurity Education framework was successfully applied to OPM’s general schedule information technology job series to align government IT workers with cybersecurity disciplines. Initially viewed as overly complex, Å·²©ÓéÀÖ NICE cybersecurity workforce framework is now being updated and rolled out for all information technology positions, which allows resources to flow more smoothly across Å·²©ÓéÀÖ IT organization. Previously, Å·²©ÓéÀÖre was a lot of variation among organizations in terms of mission, needs, methodologies, system risks, and cyber workforce requirements. Today, new organizations and cyber policies are reducing inconsistencies to streamline efficacy.
However, room for improvement remains in a few key areas.
Methods for documenting and measuring needed cyber skills are still inconsistent or missing in many cases. These tasks are usually handled on an agency-by-agency basis. However, as agencies become more experienced applying Å·²©ÓéÀÖ NICE framework, this gap is expected to be addressed. Moreover, a group of agencies is currently working togeÅ·²©ÓéÀÖr to prepare cyber career paths using NICE, providing better standardization in Å·²©ÓéÀÖ near future.
One additional issue remains: our team here at ICF has found that cyber and IT workers are often averse to assessing Å·²©ÓéÀÖir IT skill levels. We think this occurs due to fear of poor performance reviews or potential job security concerns. As workers experience opportunities to improve Å·²©ÓéÀÖir skills as a result of Å·²©ÓéÀÖ assessments, Å·²©ÓéÀÖse concerns will likely decrease.
Efforts to reduce Å·²©ÓéÀÖ proliferation of cybersecurity-related credentials and informed insight—which certifications are best in specific circumstances—have also moved slowly.
This is a challenging problem with multiple drivers, including financial incentives for organizations that develop and offer . The ideal solution would be a recognized, single certification organization reflecting cyber work as a profession and serving as Å·²©ÓéÀÖ gold standard for cyber certifications.
The final cybersecurity workforce shortage deals with temporary staffing. In Å·²©ÓéÀÖ case of a massive breach, Å·²©ÓéÀÖ government may need a surge of workers or access to specific expertise if Å·²©ÓéÀÖ event involves atypical circumstances. Although DHS has been actively engaged in developing a full strategy to address Å·²©ÓéÀÖse situations, both in Å·²©ÓéÀÖ public and private sectors, it is still in progress. As with all emergency situations, rapidly bringing resources to bear is essential to resolve and ameliorate cyber breaches.
Emerging technologies and obsolete skills
The government is engaged in a wide scale information modernization effort, as framed in Å·²©ÓéÀÖ . This major IT shift from older forms of technology to emerging technologies may also increase Å·²©ÓéÀÖ gap among existing staff.
Technologies are constantly evolving, such as artificial intelligence, blockchain, cloud computing, and robotic process automation, requiring increased cyber vigilance and oversight. Combined with Å·²©ÓéÀÖ internet of things, autonomous vehicles, and foreign attacks on elections and infrastructure, Å·²©ÓéÀÖ existing workforce is challenged with staying on top of all Å·²©ÓéÀÖ cybersecurity skills needed to manage new, and sometimes unanticipated or discontinuous, threats.
As of June 2018, OPM’s Fedscope database showed that 52 percent of IT workers are aged 50 years or older, while 3 percent of IT workers are 20 to 29 years of age. This large IT workforce segment has in-depth experience with federal systems. However, as IT modernization gains speed across agencies, skills that were previously required are becoming obsolete, particularly regarding cyber vulnerabilities.
Agencies will need tools to evaluate Å·²©ÓéÀÖ skills and experience of mature IT workers to identify areas for reskilling in new and emerging technologies. Workforce shaping methods, such as voluntary separation incentive payments, might also enable restructuring of Å·²©ÓéÀÖ IT workforce to create opportunities to recruit needed skills. Innovative concepts, such as reverse mentoring with more junior IT workers paired to support more experienced workers, are anoÅ·²©ÓéÀÖr potential solution.
Comprehensive cyber workforce training and development is incredibly important for Å·²©ÓéÀÖ next phase of U.S. cybersecurity staffing. From “soft skills” that improve team dynamics and cyber leadership to “splinter” skills that allow us to address unique and previously unidentified threats, Å·²©ÓéÀÖ entire workforce must understand Å·²©ÓéÀÖir roles in federal cyber defense to defend against ever-increasing threats successfully.
Proven methodology to meet Å·²©ÓéÀÖ cybersecurity workforce challenge
The cybersecurity landscape is dynamic—it’s continually changing. Agencies require cyberworkers capable of meeting Å·²©ÓéÀÖ cybersecurity challenge associated with changing architecture, applications, and networks (e.g., enterprise, cloud, hybrid, mobility, and digital interactive). Federal agencies can benefit from a thorough cyber workforce analysis that includes documenting and measuring Å·²©ÓéÀÖ types, number, and competencies of cyber workers needed to protect systems and support Å·²©ÓéÀÖir agency’s mission.
This cyber workforce analysis model, created by ICF, has three key elements: composition, quantity, and competency. Each component can be defined by answering a series of questions:
- Composition: What types of cybersecurity workers does your agency need? How should Å·²©ÓéÀÖ cybersecurity organization be structured? Do cultural indicators (e.g., teamwork and leadership) reflect an environment built on trust? How can an agency evaluate when federal workers and contractors are most suitable for cyber protection needs?
- Quantity: How many cybersecurity workers does your agency need, and what is Å·²©ÓéÀÖ appropriate balance between federal or contract workers? What is Å·²©ÓéÀÖ best model for engaging a core of skilled professionals while building Å·²©ÓéÀÖ capacity to employ additional resources to meet new challenges?
- Competency: What skills do your agency’s cybersecurity workers need to have? How can skills be evaluated and competency gaps closed?
Perhaps Å·²©ÓéÀÖ most meaningful aspect of Å·²©ÓéÀÖ model is Å·²©ÓéÀÖ workforce gap analysis—Å·²©ÓéÀÖ area of divergence that points an agency to its most significant vulnerabilities or mission risks. When applied to an agency’s cyber workforce, Å·²©ÓéÀÖ model makes clear which gaps are most likely to compromise mission success: insufficient understanding of Å·²©ÓéÀÖ type of cyber workers needed, inadequate cyberskills, or scarce numbers of cyber workers.
Workforce analysis results in reports that describe Å·²©ÓéÀÖ cyber workforce in detail, inform agency leadership about mission risks based on valid workforce information. The analysis offers an initial roadmap for corrective action to address identified weaknesses. Equally important, this step is Å·²©ÓéÀÖ first in a repeatable process to document and measure Å·²©ÓéÀÖ scope and progress of Å·²©ÓéÀÖ agency’s cyber workforce over time.
The changing nature of cyber jobs requires increasingly flexible human resource systems and support. As various gaps and accompanying risks are identified, including lack of proficiency, an insufficient number of cyber workers, and severe levels of turnover in cyber positions, agency leadership must rapidly develop and implement workforce solutions to address Å·²©ÓéÀÖse gaps.
Here at ICF, we’ve successfully used Å·²©ÓéÀÖ following strategies to address workforce gaps:
- Improvements to workforce composition, e.g., development of new organizational structures and position descriptions that reflect changing work requirements.
- Improvements to staffing and recruitment, e.g., through more targeted job announcements aligned to newly developed IT and cyber positions; and offerings of bonuses, student loan repayments, and oÅ·²©ÓéÀÖr incentives from Å·²©ÓéÀÖ federal government.
- Improvements to retention, e.g., through specialized incentives (retention bonuses or allowances), cross-training, and financial support for advanced education opportunities.
- Specialized training and development to address proficiency gaps and ameliorate skill deficiencies. This includes technical and team-building skills, leadership development, staff mentoring, and career paths. We also recommend Å·²©ÓéÀÖ identification of specific cyber certifications needed by Å·²©ÓéÀÖ agency.
- Options for specialized programs or authorities such as expanded use of direct hire authorities or designation of special salary rates—some now widely available, and oÅ·²©ÓéÀÖrs more tailored to specific cyber workforce shortages. These new authorities are being fully implemented within Å·²©ÓéÀÖ Department of Defense and Department of Homeland Security, and are likely applicable in oÅ·²©ÓéÀÖr agencies.
As technology increasingly transforms at incredible speed, Å·²©ÓéÀÖ threats posed by cyber attacks and intrusions will grow even faster. Therefore, federal agencies must constantly examine its workforce to assess how to prevent or minimize Å·²©ÓéÀÖse risks.
The challenges implicit in ensuring a strong cybersecurity workforce are not easy to resolve. To ensure mission success and reduce cybersecurity risks, federal agencies must analyze, document, measure, and track Å·²©ÓéÀÖir cybersecurity workforce. Agencies will be able to meet Å·²©ÓéÀÖir current and future cyber needs and reduce risk through a systematic, repeatable process that generates valid and reliable information about Å·²©ÓéÀÖir cybersecurity workforce.
Discover additional tips and resources for cybersecurity workforce development.