September 6, 2022 | Federal Times

Washington must act to build capable federal cybersecurity workforce

With the U.S. facing a reported cybersecurity personnel shortage of at least 700,000 workers, the White House’s July workforce summit set the appropriately ambitious goal of filling those vacancies.

The summit, hosted by National Cyber Director Chris Inglis, emphasized plans to build the national workforce and improve its skills while addressing issues of diversity, equity, and inclusion. The programs announced at the summit, however, only minimally address one of the central problems: the mismatch between the skills of applicants and the needs of employers, including the federal government.

Most of the initiatives announced at the summit focused on enhancing school programs and increasing the number of individuals entering the workforce. For example, Cisco, IBM, Girls Who Code, Fortinet, Dakota State University, and Ambassador Susan E. Rice have unveiled plans focused on bolstering K-12 cyber education as well as recruitment from historically black universities and colleges. This will increase the number of cybersecurity professionals entering the market but may not significantly close the gap between qualified cybersecurity professionals and open vacancies in government and industry.

The summit also highlighted a number of skill enhancement initiatives, but these programs lack nationwide scalability and accessibility. The cybersecurity professional association announced its One Million Certified in Cybersecurity℠ initiative to provide individuals with free certification training and exams to help fill 2.72 million vacancies globally.

The association has chapters in over fifty countries, and it is currently unclear how many of the certification opportunities will go to Americans. The nonprofit NPower said it will offer free IT training for “military-connected individuals” and young adults from underserved communities, but the applicants must live near a handful of cities and the program has age restrictions.

The summit could have achieved more by focusing on several key challenges that are responsible for the persistent mismatch between the skills of applicants and the needs of both public sector and private sector employers.

Building technical skills

First, cybersecurity is a dynamic field that relies on perishable skills and niche capabilities. No matter how much school or training individuals have, or how many certificates they hold, there is always more to learn.

As technology and adversary techniques advance, so do the technical skills required by the workforce at all levels, not just the entry-level. The qualifications employers seek in a given year may be overshadowed by new requirements the next. In addition to gaps in the technical abilities of recent university graduates, 66 percent of those graduates were found to lack desired soft skills like communication, flexibility, and leadership.

On-the-job training

Second, while obtaining a degree in cybersecurity provides students with a broad understanding of the field and its fundamental principles, most organizations, including the Department of Defense, require baseline certifications to demonstrate specific knowledge in security infrastructure, risk mitigation, threat recognition, and other topics. On top of the baseline certifications, employers may require knowledge and sector-specific certifications on the products or technologies they use.

The makers of some vendor-specific technologies, like Splunk, offer select free training on their products, a practice that should be explored and encouraged amongst all vendors. With each employer creating a niche list of qualifications, an individual can go to college for cybersecurity, graduate, and still not be qualified for an entry-level job in the field.

Gaining needed experience

Third, even with the right certifications, individuals might still find themselves unqualified. The biggest obstacle for applicants is the requirement of prior work experience, even for entry-level positions. According to global information technology professional association ISACA’s annual workforce survey, an overwhelming 73 percent of respondents stated that the most important factor for determining whether an applicant is qualified is whether they have previous hands-on experience with the specific systems the company is using.

During the summit, Accenture announced an apprenticeship program to provide such experience; however, there needed to be more discussion of scalable community partnerships that would provide experience on the technologies being used locally.

Obtaining security clearance

Fourth, even with the right certifications and prior experience, applicants will face another obstacle if they want to be a part of the 16 percent of cybersecurity professionals working for the U.S. government or a federal contractor: Nearly all of these positions require a security clearance. For a government contractor, employees with clearances can engage in billable federal support work immediately. However, if an employee does not have a clearance, the company may need to wait months, if not years, before the employee can do billable work. What’s more, there is always a chance they may not obtain the clearance at all. So even if qualified cybersecurity personnel are available, government contractors may not be willing to keep the employee on payroll while waiting for clearance.

Collectively, these four challenges create another problem for the industry. Qualified applicants are so scarce that the minute a company invests in an entry-level employee, advancing them to a mid-career qualification level, that person may well get poached by a competitor. 60 percent of ISACA survey respondents reported difficulties retaining qualified cybersecurity professionals.

Early cybersecurity applicants are having trouble getting jobs in the private sector or federal government. Companies and the government, meanwhile, complain that there are not enough qualified applicants. However, there are plenty of applicants – they just need a clear pathway to becoming qualified.

Goodwill’s IT Training program

The efforts announced at the White House summit are a good start, and there are other community initiatives — not addressed at the White House summit — that also promote certification training. Great examples that could be replicated nationally include the Information Technology Training program available in Denver and Colorado Springs through the Goodwill of Colorado.

This nonprofit organization provides free career development resources, including cybersecurity training and certification exams. And the Microsoft Technology Education and Literacy in Schools program partners schools with industry volunteers to help teachers understand various technology topics to address in teaching.

Washington must do more.

To build on these initiatives, the government must convince companies to invest in hiring entry-level applicants without prior experience. That can be a hard sell when employees are apt to leave after a short time. Similar to a hiring bonus, companies could incentivize new employees to stay for a certain period of time by offering retention bonuses or well-established advancement pathways.

Right now, factors contributing to employee turnover include better offers, poor financial incentives, and lack of development opportunities. Providing employees with professional development as part of a broader retention strategy will reduce employee turnover and ultimately advance the cybersecurity industry’s mission.

The federal government can set an example for industry by creating its own Federal Cyber Workforce Development Institute. An idea promulgated by CSC 2.0, the successor to the congressionally mandated Cyberspace Solarium Commission, this program would offer entry-level federal employees the training and experience needed to become mid-career professionals.

The institute would provide hands-on learning opportunities, skills assessments, and other training for entry-level federal employees as well as develop upskilling and reskilling curriculum for existing employees looking to transition to cybersecurity positions. This program would “make it easier for federal employers to prepare newly hired early-career personnel for federal cyber work roles,” the CSC 2.0 report explained.

Benefit for private sector

While the federal government should seek to retain those who participate in this program, the nation also benefits if they leave for private sector jobs. With critical infrastructure largely owned by private companies and small and medium-sized businesses as the backbone of the U.S. economy, the national interest is served when the government bears more of the burden when industry – particularly small companies – cannot, and trains more entry-level cyber personnel knowing that some will move on after a time.

Cybersecurity jobs reflect the specific needs and technologies in use by an organization, causing numerous variations in what “qualified” means, regardless of time in the field. Ultimately, strengthening the national cybersecurity workforce – from which the federal government draws its own workforce – comes down to providing training, a career development path, and retention incentives for new and existing cybersecurity employees.

Dr. Georgianna Shea is the chief technologist of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies. Matthew Brockie is a research assistant and student in cybersecurity at Colorado State University. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.
