Feds look to get creative about cyber hiring


It's no secret that the federal government is desperate to add more cybersecurity talent to its workforce. The difficulty is in figuring out how.

According to a May 2017 report from the Center for Cyber Safety and Education, "traditional recruitment channels are not meeting the demand for cybersecurity workers" across the economy fast enough to close an expected global shortage of 1.8 million qualified personnel by 2021.

At a Dec. 5 cybersecurity conference in Washington, D.C., acting Federal CIO Grant Schneider said White House IT modernization initiatives like shared services and cloud computing are considered a way to automate some functions and reduce the number of highly skilled information security personnel the federal government relies on.

"We're never -- certainly in government and also in industry -- going to be able to get the workforce we need … to defend all of these different systems," Schneider said. "Quite frankly, we just end up stealing each other's employees."

Schneider told FCW that congressional authority to offer higher pay rates to cyber workers and looser rules allowing lower-level personnel to move more easily between public- and private-sector jobs are also needed.

"I'm not saying throw the ethics rules away…. I think there are ways we need to be more flexible and make sure that we've got the firewall in place," Schneider said.

Michael Daniel, former White House cybersecurity coordinator during the Obama administration, told FCW that increased automation within the federal government could also reduce the surface area for human error across the workforce.

"We have to get humans out of the business because having humans sitting there going through large reams of data is not the most effective use of their time and skill," he said.

However, there is also evidence that even a marginal bottom-up improvement in cyber hygiene within the existing federal workforce may have a greater cumulative effect in protecting systems than hiring more specialists. In a September 2017 survey, federal CIOs ranked vulnerabilities associated with human error, as well as malware and phishing attacks directed at their employees, as higher cybersecurity concerns than cyber criminals, ransomware, internet-facing cyberattacks and technology supply chain vulnerabilities.

During his panel, Daniel said that when looking at the large number of data breaches that have occurred in the private and public sector over the past few years, a common theme emerges.

"If you pull up any one of the [after-action] reports, you'll see that the overwhelming majority of intrusions rely on known, fixable vulnerabilities. So, the bad guys are getting into a hole that we know about, that we also already know how to fix and probably could have fixed years ago," said Daniel, now president of the Cyber Threat Alliance.

As former federal chief information security officer under the Obama administration, retired Air Force Brig. Gen. Greg Touhill frequently emphasized improving the government's posture around basic cyber hygiene. He told FCW that building a system of accountability and ownership among non-technical feds where both carrots and sticks are clearly communicated can help address some of the low-level human-error cyber problems that plague the federal government.

While successful federal managers will focus more on rewarding good behavior than punishing transgressions, devising a system with clear expectations is key.

"I think it's really important that if you do have rewards and consequences … you need to follow through," Touhill said. "It's like being a parent: if I tell you don't touch that [over and over], the consequence is you get burned. There has to be consequences for folks that fail to perform at acceptable levels."

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.
