Tracking how education initiatives translate into cybersecurity jobs remains a challenge.
A key recommendation of the widely well-regarded Cyberspace Solarium Commission is to diversify and strengthen the federal cyberspace workforce. In service of this, commissioners make an “enabling recommendation” of improving cyber-oriented education, and a key stakeholder would like more work to be done to track the connection.
“This is where we have to lean on what we're asking of the [Centers for Academic Excellence] as a deliverable,” Kevin Nolten, executive director of the National Integrated Cyber Education Resource Center, told Nextgov.
CAEs are higher education institutions that may be eligible for funding from institutions such as the National Science Foundation if subject matter experts validate their degree programs include a certain number of “cybersecurity-related knowledge units.”
The Solarium Commission’s report calls for Congress to expand the cyber defense-focused CAE program “to encourage cyber coursework in fields such as business, law, and health care.”
To fill the 300,000-person gap in the cyber workforce, the commissioners also recommend Congress increase funding for the CyberCorps: Scholarship for Service program, standardize tools such as the National Initiative for Cybersecurity Education’s cybersecurity framework, and explore ways to expand programs such as the Cybersecurity and Infrastructure Security Agency’s Cybersecurity Education Training Assistance Program on a national scale.
NICERC has been the sole recipient of the CETAP grant, initiated in 2012. The $4.3 million per year award, which puts cyber curriculums in classrooms K-12, will continue going to the organization at least through 2023.
Nolten praised the program’s efficiency, noting the impact works out to about $8 per student and $1,000 per teacher. But he said while tracking onramps to working in cybersecurity is important, so is monitoring offramps.
Due to privacy protections, tracking students’ movement into cyber careers has been a challenge, Nolten said. NICERC has done some work to infer that high schools teaching NICERC content look to be sending four times as many students into a two- or four-year cyber degree program. The next question is how many of those degree holders actually make it into cybersecurity jobs.
“What I want to know is what programs do we have that are feeding the CAEs and then what's their output,” he said.
CISA as a Model
While education enables a long-term strategy, CISA is putting measures in place now to chip away at its own shortfall in cybersecurity workers—the agency has about 150 cybersecurity vacancies to fill—while thinking about its role in assisting the government at large with the issue.
Among other things, the Solarium Commission recommended potentially extending a new Cyber Talent Management System at DHS across the federal government.
“Workforce, workforce, workforce,” CISA Director Christopher Krebs said Wednesday during a hearing on the agency’s budget and how he will prioritize implementing the Solarium commission’s recommendations.
“To be successful in this space, to be truly a customer-centric organization, I have to have personnel out in the field,” Krebs said, “not just engineers here in D.C. but customer service professionals out where our partners are, and that’s going to require significant investment in personnel.”
But apart from the dollars that will be needed, Krebs is also thinking about how to overcome institutional barriers, such as security clearances, that have traditionally prolonged the hiring process.
“In the past, we’ve looked at cybersecurity jobs requiring top secret [sensitive compartmented information] clearances,” he said, “we’re challenging those assumptions.”
Krebs said for that person out in the field, “secret [clearance] might be fine.” He noted other parts of DHS are involved in the clearance review process, so there may be some policy issues, but said, “let’s take a stab at that.”
“The [top secret] is a significant additional time lag in the hiring process, so we’re going to change the way we write [position descriptions],” he said.
Krebs said a task force CISA established in the last two weeks is also examining ways the hiring process itself can be streamlined by having individuals dedicated to writing the position descriptions, a role currently treated as a “collateral job,” or “other duties as assigned.”
“I have someone who is a program manager and an engineer, but also has to do a hiring manager job,” Krebs said. “So we’re saying, OK, maybe we relieve them of the hiring manager responsibility and have full-time hiring managers whose jobs, maybe on a 6-month cyclical basis, would be to just work position descriptions, just work the interview process.”
“We think we’ve got processes in place that will dramatically cut the hiring process,” Krebs said.
Asked by House Homeland Security Ranking Member Mike Rogers, R-Ala., whether the current salary and benefits package is sufficient, Krebs noted CISA’s ability to offer tuition reimbursement and retention bonuses, in addition to suggesting the inherent virtue of “the mission.”
“I can actually, I think, generally compete in the market,” he said. “Certainly not on the top top top, but we can provide, between mission, and pay, and quality of life, we think we can do a pretty good job here, so it’s just about getting out there, and making sure we’re using smarter platforms, really hitting some of the online [sites] like LinkedIn and things like that aggressively while recruiting.”