DHS's Huge Cybersecurity Skills ShortageGAO: 1 in 5 IT Security-Related Jobs Vacant at Key Directorate
More than one in five mission-critical cybersecurity-related jobs at a key Department of Homeland Security unit are vacant, the Government Accountability Office says.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
That's a finding buried in a GAO report on how DHS could improve how it tracks recruiting costs.
DHS's National Protection and Programs Directorate's Office of Cybersecurity and Communications, which houses much of the department's cybersecurity personnel, had a vacancy rate of 22 percent as of June, according to a new GAO report, DHS Recruiting and Hiring.
Why so many vacancies? DHS officials tell the GAO that they face some challenges because of the length of time to conduct security checks needed to grant clearances, low pay compared with private-sector positions and lack of clearly-defined skill sets for these positions. Each job in the federal government falls into an occupational series classification. Cybersecurity personnel are spread throughout a number of occupational series, with most categorized within the information technology series.
"There is not a specific occupational series that houses all cybersecurity personnel, and NPPD could not provide us with hire and loss data for cybersecurity personnel alone," says David Maurer, GAO homeland security and justice issues director.
The directorate has yet to develop initiatives to recruit and retain cybersecurity experts, but plans to do so if funding is available in the next fiscal year, which begins Oct. 1. But Congress hasn't approved appropriations for government operations for fiscal 2014.
Emphasize the Mission
Karen Evans, national director of the U.S. Cyber Challenge, a group focused on growing the United States cybersecurity workforce, discounts the directorate's contention that pay discrepancy between government and the private sector plays a significant role in its ability to recruit and retain qualified IT security personnel.
"People who want to work in public service are attracted to the mission, not to the pay," says Evans, who served as the federal government's de facto chief information officer during the George W. Bush administration. "Different motivators bring people into public service."
Considering the national shortage of qualified cybersecurity specialists, Evans says DHS must explain why it's an attractive workplace for prospective recruits.
"DHS is a cool place to work," Evans says. "People know about the agency. They need to be able to clearly articulate [to recruits] what they're going to do there."
Indeed, describing what a cybersecurity worker does is a major challenge, one faced by all federal agencies.
The idea that DHS and other federal government agencies have difficulty filling and retaining cybersecurity workers because of a lack of occupation classification isn't new. Through the National Initiative on Cybersecurity Education, known as NICE, the federal government has been working since the last decade to develop an occupation series for various cybersecurity jobs (see 7 Key Infosec Occupation Categories). But defining each occupation has been a challenge, and there's no deadline for finalizing an IT security occupation classification.
Directorate officials told the GAO that departmentwide efforts are under way to better define the required skill set for DHS cybersecurity personnel, including pursuit of a specific cybersecurity personnel job series, which should help in recruiting and hiring.
Providing a Career Path
Diane Burley, associate professor at the Graduate School of Education and Human Development at George Washington University, says DHS must do more than just define the technical skills. "Part of the challenge is being able to define the jobs in a way that is attractive to the individuals [with specific] skills and explain to them ... some vision on how that jobs would evolve over time."
A problem with nearly all government agencies, with the National Security Agency and FBI being among the exceptions, is that there's no clearly defined career path for skilled technical experts who don't want to become managers, Burley says. The NSA provides a track where technically skilled cybersecurity practitioners can "move up the ladder" and maintain their technical skills, she says.
"If you entered into a technical position within the federal government, after a period of time, you would be forced into a managerial role," Burley says. "That would certainly be a source of frustration for individuals who have been working in technical areas and want to continue to work in the technical areas as they advance in their careers."