A rare White House RFI solicited frank discussion from industry on the pain points on cyber workforce recruitment for both the government and federal contractors.
Although there is broad agreement between industry and government that the growing cyber talent gap demands attention, how exactly the White House will wield its ability to assess federal agency work and annual budget proposals to address the issue remains to be seen.
Cybersecurity workforce stakeholders offered their insights to help inform the White House Office of the National Cyber Director’s forthcoming cybersecurity workforce, training and education strategy as part of a rare White House request for information issued on the topic last month.
The strategy is meant to address the shortage of workers (currently sitting around 769,000 job openings, according to Cyberseek) and push a deeper cyber awareness in the broader public.
Camille Stewart Gloster, the ONCD’s deputy national cyber director for technology and ecosystem security, has previously said the strategy will clarify roles among government actors and drive ONCD efforts to grow successful programs and shrink others.
FCW reviewed RFI responses from a variety of stakeholders on how to shape the strategy, finding that many focused on recruitment and hiring, diversity and inclusion and data.
Agencies need more money to bolster effective cyber programs
Some of the comments centered on the traditional appropriations challenges of scaling successful programs to make a more prominent impact.
“The first thing you want to do, is you want to start with the good things that already occur and try to leverage those more effectively,” David Powner, director of MITRE’s Center for Data Driven Policy, told FCW, suggesting the White House scale the use of direct hiring and pay flexibilities in government and the Cybercorps Program.
Cyberspace Solarium Commission offshoot CSC 2.0 also has a wishlist: more funding for Cybercorps; more funding for the Cybersecurity Education and Training Assistance Program, and more funding for National Initiative for Cybersecurity Education, among other ideas.
Redefining cyber certs could help target more talent
Hiring was a big topic in several submissions and it may prove the most difficult to solve.
Currently, many employers use education and certifications to evaluate cyber candidates, not skills or aptitudes. Several RFI respondents say that many employers ask for advanced certifications and years of experience, even for entry-level jobs.
“There's a gap between the requisitions that are being put out by companies and the skills that the workforce has,” Tennisha Martin, founder and executive director of nonprofit Black Girls Hack, told FCW.
Even (ISC)², a nonprofit that maintains a portfolio of cybersecurity certifications, wrote in its submission that its own research shows employers look for “certifications that require several years of experience” for entry- and junior-level hires.
CSC 2.0 recommended that the White House work with academic institutions, training programs and tech companies to bridge the gap between what employers want and what job seekers have.
Aspen Institute’s Tech Policy Hub, a component of Aspen Digital, went even further, suggesting that the cyber director’s office organize a coalition to assess different certification programs.
“You want to open up those pathways to encourage diversity, but you also don't want to create a situation in which money-making organizations create certifications that allow folks to tick a box without giving them the skill sets that they need to achieve in the job,” Tech Policy Hub founding director Betsy Cooper told FCW.
Scaling skills-based hiring could broaden the talent pool
The Biden administration has maintained a Trump-era executive order meant to push the government towards skills-based hiring, but global enterprise security provider IBM wrote in its submission that ONCD needs to take a look at requirements for contractors as well.
“Currently federal contractors, like IBM, are rarely able to place an individual without a four-year degree on a technology services contract, regardless of their qualifications. Federal agencies tend to require educational degrees despite the reality that many roles can be well staffed by individuals without degrees,” the IBM RFI response reads.
These practices also affect the diversity of the cyber workforce, which has long seen representation of women, Black and Hispanic people lag in the industry. Stewart Gloster has also previously said that rather than offering an alternative into the field, certifications can be an expensive barrier.
What Skills are the Right Skills?
Several RFI respondents also push ONCD to encourage more on-the-job training through apprenticeships, something the Labor Department is currently working on.
CSC 2.0 also wants the White House to consider its idea of a Federal Cyber Workforce Development Institute to hone early career cyber feds – something Mark Montgomery, CSC 2.0 director, told FCW that the nonprofit wants to put into legislation.
Other RFI respondents say that the problem stems from a lack of agreement about the skills needed for different cyber roles.
The National Institute for Standards and Technology has maintained a cyber framework — meant to be a dictionary of the specific skills and knowledge needed for cyber jobs — since 2017. But in practice, “cyber-related roles are not well-defined,” said Simone Petrella, CEO and co-founder of CyberVista, a cyber training and workforce development program.
The National Academy of Public Administration, a nonpartisan association of policy and management experts, suggests that ONCD work with employers and certification providers to define work roles and drive the adoption of common standards in the federal government with minimum qualifications for specific roles and with federal acquisition regulations for government contractors.
Lynn Dohm, executive director of nonprofit organization Women in Cybersecurity, told FCW that the WiCys submission focused on practices for retention and inclusion, something that “people aren’t talking about.”
“We have a retention problem,” she said. “Once you have that culture of inclusion, diversity will expand and we will be retaining our top talent.”