Creative recruiting methods help the Department of Homeland Security find and hire new cyberspecialists, says Angela Bailey, Chief Human Capital Officer.

Nov 09 2018

Agencies Should Think Creatively to Find Cybersecurity Pros

DHS and HHS are among those departments turning to nontraditional recruiting methods to fill empty IT security jobs.

There was a time when the Department of Homeland Security tried to fill vacant cybersecurity positions with the “post and pray” approach, says Angela Bailey, the agency’s chief human capital officer.

“We posted everything to USAJobs.gov and prayed that the best possible candidate just happened to read it,” she explains.

No longer.

“Now we go straight to where the talent is,” Bailey says. The agency has developed proactive, highly targeted recruiting to chase passive applicants, “the ones that didn’t even know they wanted to work for us.”

Of the 300,000 cybersecurity positions open in the U.S., about 13,000 are in the public sector, according to CyberSeek, a National Initiative for Cybersecurity Education (NICE) online tool that collects employment data.

Competition is high for qualified candidates, so agencies are testing unusual ways to stand above the crowd of public and private sector employers competing for a limited supply of professionals, using webinars, mentoring programs and YouTube to find them.

Agencies Must Understand the Changing Cybersecurity Job Market

The challenge has grown more difficult over the past several years, according to Karen Evans, former national director of the U.S. Cyber Challenge, a DHS-supported program designed to enhance the size and quality of the cybersecurity workforce.

“There is a whole different set of skills that you need to have today,” Evans says, including knowledge of cloud security architecture and familiarity with the Internet of Things. “The question is, how do you know what skills you actually need to have? I think that’s where everybody really is struggling right now.”

This new reality means that agencies must be pragmatic and innovative in their efforts to identify, attract, hire and keep talented personnel.


Earlier this year, the Education Department issued a request for help identifying and defining skills its future cyber workers will need, for advice on how to retain those people and for metrics to measure their success.

DHS receives thousands of applications each year, but still struggles to find enough workers to fill its 11,000-plus cybersecurity positions. The agency has developed innovative recruiting tactics:

  • Capture and code: The agency’s HR team defined which jobs were related to cybersecurity in non-IT areas such as law enforcement. “We have a gap in highly specialized areas, like forensics analysis, network operations and vulnerability assessments,” Bailey explains. “Now we work hard to make sure that we are filling our most critical needs first.”
  • Measure and target: Agency hiring managers advertise cyber jobs in magazines that are go-to sources for the cyber community, attend specialized cyber conferences and events, scan LinkedIn resumes to identify top candidates and fill the pipeline with college and high school students through internships.
  • Attract and appeal: DHS hosts webinars featuring front-line employees to help job candidates get a sense of a typical day in the life of a cybersecurity worker. At joint hiring events, “we bring out every cool toy that DHS has,” Bailey says, including the president’s limo, FEMA response vehicles, canine teams and cyber setups.

The strategy is making a difference. DHS webinars have attracted more than 10,000 viewers each, and at a recent joint hiring event, DHS components made job offers on the spot to 300 candidates and hired another 350 shortly after — an expedited hiring process that’s novel for the federal government.

“By really studying and paying attention and knowing exactly what we need and how to go about finding it, we are being far more successful in getting the talent that we’re looking for to enhance our mission,” says Bailey. “And we think we’re getting smarter and better at that.” 

HHS Turns to YouTube to Attract Cybersecurity Workers 

The Health and Human Services Department, grappling with an 18 percent vacancy rate in cybersecurity positions, is also turning to unusual means (for a government agency) to attract potential employees.

One example: When job candidates visit to search for open cybersecurity positions, they may find that IT postings from HHS include more than the usual job description and contact information — some have a link to a YouTube video.

“We’ve put together basically a 90-second commercial to sell folks on the HHS mission,” explains Lisa Dorr, the agency’s former director of IT and cybersecurity workforce planning.

HHS protects the personal health information of one out of every three Americans, so filling cyber positions is critical. The first job posting that included the video garnered enough response that the surprised HR department alerted Dorr.

“We and the rest of the federal government are trying to attract folks who are used to literally hitting the ‘Apply Now’ button for a job from their phone and almost immediately getting a response,” says former CIO Beth Killoran. “That’s a real problem, because we have to work within a much slower, much more onerous hiring process.”


Take Creative Approaches to Cybersecurity Recruiting and Training 

HHS took other initiatives to speed up the months-long process. The agency co-piloted a hiring event in which HHS cybersecurity teams worked with the Office of Management and Budget’s HR teams to review resumes, classify candidates and interview them on the spot.

With the Federal CIO Council, HHS tested non-IT professionals and recent college graduates for competency and aptitude, and then trained them for specific cyber jobs after they were hired. The agency also retrained current, non-IT workers interested in a cyber career.

“If we can take a more 21st-century approach and push for changes within the process, we might be able to tap into employee markets that are more technically savvy,” Killoran says.

Cybersecurity is often seen as a solo job that can be performed only by “cyber ninjas” with an impossible-to-teach, innate technical instinct. Not even close, says Rodney Petersen, director of NICE. 


The percentage of cybersecurity workers who receive daily recruiting calls

Source: (ISC)², "Hiring and Retaining Top Cybersecurity Talent," February 2018

“Cybersecurity is a team effort and requires a lot of different skills and experiences,” he says. “We need people who can communicate in writing and orally, and who can work as part of a team. We need problem-solvers and creative thinkers. We do need domain and technical expertise, but it still needs to be interdisciplinary.”

To help agencies better identify specific needs, NICE developed the Cybersecurity Workforce Framework, which provides a taxonomy and a common lexicon to define and describe cybersecurity work.

The framework contains seven categories broken down into specialty areas and specific work roles, along with the knowledge, skills and abilities (KSAs) required for each of those roles.

The “operate and maintain” category, for instance, contains the specialty areas of customer service, data administration and network services. Under customer service, the work role of technical support specialist needs someone who can define problems, develop operating procedures and find solutions.

Feds Must Explain Cybersecurity Job Descriptions Better

Relying on the NICE framework can also help agencies overcome another hurdle to success: writing effective job descriptions. Agencies haven’t been doing a very good job of it, says John McCumber, director of cybersecurity advocacy, North America, for (ISC)², which issues certifications for information security workers.

Cybersecurity professionals responding to the 2018 (ISC)² job seeker survey say they are turned off by poorly written job descriptions, especially those that are vague, excessive or don’t accurately reflect the details or responsibilities of the position.

Agencies should also take time to better understand what cybersecurity prospects want in a job. Salary, while important, isn’t the priority. 

The (ISC)² survey found that 68 percent of workers want their opinions to be taken seriously; 62 percent prefer jobs “where I can protect people and their data”; and 88 percent want employers willing to invest in training and certification.

“This is really where the government could win over industry in competing for talent and the differences in salary,” says McCumber. 

“You can get a longer-term view in a federal position, and have the opportunity to train and learn and move to areas where you’re going to be most needed and most effective.”

Photography by Zaid Hamid
