Federal agencies have until April 2019 to identify critical work roles and skill shortages in IT and cybersecurity as part of the Federal Cybersecurity Workforce Assessment Act. While this is a first step in determining a holistic approach to address this issue, most CIOs can already tell you that they are struggling to fill open IT and cybersecurity positions, and the situation has become critical. They need solutions now.
While this problem isn’t isolated to the federal government, public concern over federal cybersecurity has reached a fever pitch. Finding qualified candidates has become difficult based on a confluence of factors: Older professionals are retiring and taking their knowledge with them, and younger professionals either lean toward higher-paying, private-sector jobs or they just don’t have the right set of skills. There are no easy fixes to this complicated issue, but there are some solutions federal agencies can use now to help close the gap.
Cybersecurity is hectic: Specialists in the field often bounce between responding to threats and working to prevent them in the first place. For many, it can be difficult to find time to integrate new technology, train on new skills and troubleshoot the detection/response process. When it becomes necessary to integrate new or complex technologies, or tackle one-off projects or limited-run initiatives, there probably aren’t enough employees in-house to handle it. There also may be a shortage of budget to hire the necessary resources.
CIOs in these situations can leverage contracted solution providers, who can take a holistic approach to assessing the agency’s specific needs, and then recommend solutions to get the job done.
This could include providing training for in-house staff on short-term projects, placing a resident expert in the agency to help with day-to-day operations or long-term projects, or creating an action plan that agency resources can follow. Not every need in every agency is the same, and through consultative evaluation, solution providers can build a customized program to meet immediate needs.
Another great benefit of using resident experts from a solutions provider is that their resources are fully vetted — which could include security clearances.
Federal agencies can use a variety of incentives to recruit or retain subject matter experts with critical skills in cybersecurity, engineering, and other in-demand fields. These incentives, or special payments, can come in the form of recruitment, relocation, and retention incentives, student loan repayment offers, and critical position pay.
The program is greatly underutilized though. A report by the GAO published in December 2017 noted that less than 6 percent of federal employees receive any of these special incentives.
CIOs looking to fill critical positions in information technology and cybersecurity could tap into these incentives to lure qualified candidates away from the private sector. A great incentive to attract younger talent is the student loan repayment incentive. With student loan debt in this country ballooning to the trillions, 4 percent of private-sector corporations include some sort of student loan repayment in their benefits package.
Federal agencies already have this tool at their disposal. Using it could greatly improve recruitment of younger talent.
While this might seem like a no-brainer, keeping existing employees up-to-date on the latest technology through training is critical to having a team that can take on the ever-changing demands of cybersecurity. However, what is happening in both the federal and private sectors is that organizations are investing in technology, but not in training people to use that technology. This just leads to frustration and poor performance, and ultimately could lead to serious data breaches.
This is another area where solution providers can help: customizing training programs based on specific needs. Also, if your agency is already using a solutions provider to integrate new technology, it is the perfect opportunity to train your staff on that technology — hands-on exposure that no traditional training class can offer.
It’s also important to think about the type of training you offer your employees. A recent study from the Information Systems Security Association and the Enterprise Strategy Group notes that private-sector organizations use specific training courses and professional development to build skills and knowledge, but they don’t invest in their employees obtaining highly sought-after security certifications. Investing in existing staff can be cheaper and more effective in the long run than recruiting for those skills.
Jason Parry is vice president of client solutions at Force3.