Data on the cybersecurity workforce is fragmented and inconsistent. A top White House official is looking to change that.
The White House’s Office of the National Cyber Director has a plan meant to address urgent problems in cybersecurity education and workforce development, according to officials.
The national cyber workforce and education strategy includes initiatives meant to close a gap between demand for cybersecurity talent and available workers, a push to connect underrepresented communities to cybersecurity jobs and more, but one top priority for the deputy national cyber director for technology and ecosystem security, Camille Stewart Gloster, is data about the cyber workforce itself.
“The hard challenge that I'm excited to start to tackle is the data piece,” she told Nextgov/FCW in a recent interview. “I don't think there are any easy answers, but we're not going to shy away from trying to answer that question…what's the right apparatus to intake the data and then how do we use it?”
The problem, as the strategy describes, is the difficulty in obtaining cohesive data to provide a full view of the cyber labor market.
“Currently, state or federal longitudinal data do not completely describe the national cyber workforce in ways that enable workforce development, economic development and education agencies to track the demand for cyber skills and labor market trends,” the strategy says.
The evolving definition of what constitutes a cyber worker is part of the challenge, as is a lack of alignment on how it's defined by different people, said Stewart Gloster.
“And so as the digital ecosystem evolves, and we recognize just how multidisciplinary the space is, … how do you create a system for getting the numbers where the environment is that dynamic? That's the challenge we have ahead of us. And what makes this so hard,” she said.
The strategy itself designates that the Office of the National Cyber Director and National Cyber Workforce Coordination Group — an interagency group that’s implementing the strategy — “will assess systems and processes that collect, analyze and share data to improve our ability to describe the state of the national cyber workforce by industry and occupational classification.”
The strategy also taps the Bureau of Labor Statistics and the Census Bureau with the task “to refine and map cyber-related economic and employment statistics to provide ecosystem stakeholders with insights into current and anticipated cyber workforce needs.”
One idea the White House office is set to “explore” is setting up “an independent National Center for Cyber Data to serve as an authoritative resource,” the strategy says.
The Cyberspace Solarium Commission has previously recommended that such a center or bureau collect information on cyber breaches, and lawmakers have also previously introduced proposals to create such a bureau.
The federal government also has its own unique challenges in terms of cyber workforce data.
“The federal government has inconsistent, bordering on irrelevant data,” Mark Montgomery, director of the Cyberspace Solarium Commission successor CSC 2.0, told Nextgov/FCW.
Different agencies and departments report cyber workforce data differently, and often inconsistently, to the Office of Personnel Management, he said.
At the core of the problem is outdated occupational series and position classifications used by the government to categorize jobs, said Karen Evans, former national director of U.S. Cyber Challenge and former chief information officer at the Department of Homeland Security, who now is the managing director of the Cyber Readiness Institute.
The strategy “includes a strong commitment to the holistic integration of” work roles as laid out by the National Initiative for Cybersecurity Education, or NICE, workforce framework “into existing federal workforce management practices, and the deployment of strategic initiatives based on cyber work roles instead of the outdated occupational series.”
The strategy taps the Office Personnel Management, Federal Cyber Workforce Working Group and NICE program office itself to “evaluate ways to strengthen the use of work roles derived from established workforce frameworks.”
A 2015 law — the Federal Cyber Workforce Assessment Act — required departments and agencies to tag on a NICE framework code to IT and cybersecurity jobs and report areas of “critical need” to OPM. But “inconsistent application of the NICE Framework across agencies reduces the utility of the resulting data,” the strategy says. The law expired in 2022, although a July bill introduced by Sens. Maggie Hassan, D-N.H., and John Cornyn, R-Texas, would extend the law through 2027.
Montgomery said that even with the law, the data was “inconsistent” at best. He emphasized the need for more training for government HR professionals on cybersecurity hiring and talent management in particular.
OPM unveiled a cyber workforce data dashboard earlier this year, but both Montgomery and Evans both said that it has the same data quality problems as the underlying data in it.
The strategy says that using work roles could give a more granular look at the talent pool, showing the “size, disposition, composition and developmental needs of the federal cyber workforce.” Quality data could also help agencies look into the future about what types of employees they’ll need and plan for those needs.
“You have to have a target staffing plan and your current staffing plan, and when you have [both], then you would see the gap,” said Evans. “Then, how are you going to recruit for that gap? If you don’t have good data, then you’re shooting in the dark about what your target is.”
As for exactly what to expect from the White House on data moving forward, Gloster said that they are still collecting information and input on how to move forward.
“Part of the work we have ahead of us is figuring out what is the best way to get the data and then, based on that, we'll know what action we need Congress to take, what things we do ourselves, and then we'll go from there,” she said.