Cyber Reskilling Academy Attracts New Federal Security Pros

OMB Launches a Popular Pilot

In an effort to beef up the cybersecurity workforce, the government last year launched two Cybersecurity Reskilling Academy pilots, organized by the Office of Management and Budget, the Education Department and the federal CIO Council. One, a more traditional program, was aimed at upskilling current IT staff; another aimed to train workers who had a high aptitude and a passion for learning but little or no IT experience. 

Among the latter group, who were a less sure sell than those who already had the skills, the response was enthusiastic. About 1,500 applicants submitted personal essays and took aptitude tests. In interviews, candidates explained why they’d be a good fit for the program, described their career goals, and talked about why they’re passionate about cybersecurity, for example.

From there, the list was whittled down to 50 candidates and, based on practical considerations such as getting their manager’s buy-in, 30 were selected to participate in the intensive four-month program run by SANS, an online cyber and information security training and certification company. Over 30 years, SANS has gathered a lot of data on what it takes to be a good cybersecurity practitioner, says James Yacone, SANS director of mission and partnerships. 

“What we think is the missing piece, not just in the federal government, is there are a lot of people walking around that have the psychometric makeup to be very good IT security practitioners,” he says. “They have aptitude, but they don’t have any skills, and therefore they’re intimidated and probably sometimes reluctant to come forward. So we really want to focus on finding them.”

DISCOVER: Which IT skills are most sought after in the federal government? 

Cybersecurity Academy Graduates Return with Valuable Skills

Aptitude is measured by a number of traits, Yacone says, including passion, tenacity and inquisitiveness. Other useful talents include a knack for logical extrapolation, comprehension and technical problem-solving, and parsing information quickly. They’re the kind of people that, as children, might have taken apart their toys to figure out how they work, he adds. 

But they don’t have IT experience, not even as hobbyists. The point of the pilot was to grow the cybersecurity workforce, and that meant discovering hidden IT talent. 

Participants came from a variety of government roles and had different career goals, such as technology acquisition professionals who wanted to get more hands-on, Kent says. “Some folks would even tell you librarians and paralegals make some of the best cybersecurity analysts because of the way their minds work.”

The first 2019 program kicked off with a four-day workshop in April, with participants taking 120 hours of online learning modules and labs in a live environment, where they learned the building blocks of cybersecurity: VMware, CPUs and computer hardware, plus Linux and Windows operating systems, for example. 

Advanced courses focused on cyberdefense hacker tools, incident handling and exploit. Then they spent another 80 hours preparing for and taking certification tests. A second cohort graduated in September.

“It is a very full four months,” Yacone says. “OMB and the Department of Education did the right thing by working with managers to give participants time away from their normal duties so that they could really focus on their work.”

Although not all of the graduates transitioned into cybersecurity roles, Kent and others said the program was still a success, as graduates brought critical skills and awareness back to their jobs and to their department coworkers. 

“One of our biggest lessons learned was that we need to support the individuals after they finish the courses and find the right role for them, whether it’s inside their agency or outside,” Kent says. “When we do these programs in the future, we’ll have a tighter linkage between what you learned and the experience or the next opportunity to apply that.” 

That said, some participants are using the skills they gained in their current roles, says Max Shuftan, director of SANS’ CyberTalent program. “Some move into temporary details, some into long-term positions, but others are still in their budget analyst position or policy analyst position and can’t leverage their cyber skills.”

It’s a lesson that will be applied to future efforts. “We’ve run a number of these academies here and overseas, and we have deployed these people into the workforce very successfully in a short period of time,” Yacone says. 

READ MORE: Find out how to use analytics to find hidden IT skills. 

How Reskilling Efforts Improve Retention

But even graduates who don’t change roles can bring the skills they learn back to their current roles and departments. They’re more aware of the importance of cybersecurity and can pass their knowledge on to coworkers. “There’s almost no area where those skills can’t be applied,” Kent says. 

“It’s not just the education that the participants received and the upskilling or reskilling — it’s really about how that influences the other work that they’re doing,” says Jason Gray, Education Department CIO. “We all know that cybersecurity is absolutely critical for everyone. And often, one of the weakest links is the employee who inadvertently does or says something or clicks on something they shouldn’t.”

Cybersecurity is mission-critical in every department across the government, he adds. “We’re enhancing the foundation that employees will need to have anyway and giving them a better appreciation for what goes into it.”

Reskilling opportunities can also improve employee satisfaction and retention. Supporting personal growth and professional development shows that the government is willing to invest in employees who have themselves invested in the government, Gray says. 

Across industries, solid workforce development programs equate to better retention rates, Yacone says. “If an employee thinks that they’re going to be given structure over the lifetime of service to that department, agency or company, they’re much more likely to stick with them,” he says. “But if it is a scattershot approach and people are going after certifications and it’s haphazard, then you see a lot of job hopping.”

The two pilots allowed agencies and teams to test hypotheses and learn what works. Now, some agencies are considering running programs of their own, not only in cybersecurity but also to develop other high-demand skill sets in data science, Kent says. 

“I think it’s important to continue to do pilot programs and proofs of concept to explore where there’s opportunity. When we first started with the reskilling approach, it was to test to see if there was an interest,” Gray says.

“That was an opportunity to make sure that we’re constantly looking at ways to improve and enhance the workforce of government. And I would encourage all agencies to look at other ways to strengthen and enhance our workforce.”