Prospective federal employees might be turned off by cybersecurity jobs being classified as IT.
Working in cybersecurity goes far beyond information technology, but classifications in place at the Office of Personnel Management might have limited incentives agencies can offer talent that might not appreciate being pigeonholed that way, according to a new white paper out from the congressionally mandated Cyberspace Solarium Commission.
“This impacts recruitment particularly because job titles align with OPM occupational series, and many job candidates well-suited to this interdisciplinary work may hesitate to apply to a job labeled ‘IT Specialist (Security),’” the document reads.
Recruitment is one of five elements the white paper says should guide development of a federal cyber workforce strategy. The strategy should be established by a national cybersecurity coordinator, which is the subject of another of the commission’s recommendations.
The other elements that should underpin a strategy to finally overcome one of the most intractable challenges in cybersecurity—one in three government cyber posts remain vacant, according to the commission—are organization, development, retention and the stimulation of growth.
“We need to focus on growing cyber talent among those in the earliest stages of their K-12 schooling, but we also need mentors—diverse mentors—who allow our young people to envision a fulfilling career for themselves in the cyber workforce,” Rep. Jim Langevin, D-R.I., a member of the commission, said in a press release Tuesday. “We can’t post an entry-level cyber job and expect individuals applying to have three years of experience.”
Allowing agencies flexibility on how they hire and pay cybersecurity workers cuts across multiple elements identified by the commission, including the government’s ability to retain staff who could ostensibly be making up to $50,000 more by doing similar work in the private sector.
The commission is embracing an approach of expanding the pool of people who are equipped to do cybersecurity work, instead of fighting with the private sector over the limited resource of eligible talent.
"The federal cyber workforce is not independent of the national workforce; they share a common problem—it is literally the same problem,” John C. Inglis, a former deputy director of the National Security Agency and another member of the commission, said in the release. “The federal workforce cannot just figure out how we get a bigger slice of a fixed-size pie of national cyber talent. We need to build a bigger pie.”
That would mean sustained investment in education. But there might be a quicker organizational fix that could help agencies overcome limitations they face in deciding who they hire for cybersecurity work, and what they can pay them.
OPM’s information technology categorization, referred to as series 2210, is one of few that grants exceptions to rules regarding where officials can post openings and the compensation they can offer.
“Cyber roles outside the 2210 series (and a very few other technical occupational series) may not have access to the same flexibilities, regardless of inclusion in the NICE Framework,” the white paper states, referring to the National Institute of Standards and Technology’s catalogue of cybersecurity roles.
Some agencies, such as the Department of Homeland Security, have implemented their own talent management systems to overcome miscatergorazations and limitations.
But the commission says there are tools to gain exceptions for cybersecurity and suggests it might be easier to reform the current system, rather than having agencies build entirely new ones.
“If external evaluation—for example by [the Government Accountability Office]—finds that this system is still not effectively ensuring that hiring authorities, pay flexibilities, and other personnel management tools are consistently available and utilized to strengthen the cyber workforce across all federal departments and agencies, the Commission recommends the implementation of multiple OPM occupational series designations specific to cyber.”
The commission also recommends establishing metrics to assess the success of cyber workforce efforts. That specific proposal is also part of national defense authorization legislation that will be hammered out this fall.