Wanted: Accountability for Addressing the Federal Cybersecurity Workforce Challenge

Congress should increase its oversight of federal agencies’ efforts to recruit and retain cybersecurity workers by identifying specific benchmarks for success, according to testimony before a House Homeland Security Committee panel Thursday. 

“If you let agencies know that this is not about giving them an authority and then walking away, but rather that you have actually a plan, you intend to be able to have oversight on an annual basis with a planned set of performance metrics that you build into your thinking,” said Max Stier, president and CEO of the Partnership for Public Service, “I think that will change the incentives for agencies and the likelihood that you actually see more progress from the investments that you're making.”

Stier testified before the committee’s panel on cybersecurity, infrastructure protection and innovation along with representatives from organizations funded to provide cybersecurity education at the K-12 and college levels and specialized training on industrial control systems.  

Tony Coulson, professor, executive director and cybersecurity center lead at the National Centers of Academic Excellence in Cybersecurity Community—a program led by the National Security Agency—put the current shortfall in cybersecurity workers across the country at 500,000. 

With the government competing against the private sector on salaries for rare cyber talent, it’s important that they get everything else right, Stier stressed, but that is not what’s happening. His written testimony outlines several ideas for improving the government’s chances of recruiting and retaining an adept cybersecurity workforce and is rich with data curated from the Office of Personnel Management’s FedScope program.

The first thing Stier notes is that the federal government’s hiring for cybersecurity has been much more successful than its overall efforts to rejuvenate an aging workforce.

“The number of full-time federal cyber employees increased by 7.85% between September 2016 and September 2020. Over the same period, the federal workforce overall increased by 3.66%,” according to Stier’s testimony. 

But that progress was not shared across all agencies. 

“The Department of Agriculture’s cyber workforce decreased from 3,300 employees in September 2016 to 2,700 in September 2020, while at the Department of Labor it decreased from 750 to 660 employees in the same timeframe,” Stier said, suggesting that Congress highlight the work of agencies that have seen success from their recruiting efforts.

Stier also noted a difference in culture between the military and civilian branches of government. 

“The civilian side of government should take a lesson from the military side, where people are viewed as an asset, not a cost, and where investments in leadership development are critical to the strategy for success,” he said.

Training for human resources personnel and senior management was another recommendation that Stier stressed.

Almost half of people who quit working for the federal government leave within two years, according to Stier’s testimony. He said while exit interviews similar to those conducted for members of the senior executive service would be helpful for gaining insights to improve retention, data exists showing what is important to young cybersecurity workers. 

“If you look at our best places to work rankings, the number one issue for why people are actually leaving is their perceptions of their leadership from the first line supervisor to the more senior people in the organization, and it's not good,” Stier said. “It’s 10 plus points below what you would see in the private sector. [Young cybersecurity workers] are purpose driven, they want to be there, but if we give them bad management, they are not going to stay. And so that to me would be the most important thing to do is improve the management, hold them accountable, provide real investment in their growth and their responsibility.”