Beefing Up the Cyber Workforce

Recruiting and maintaining a cybersecurity workforce is a complicated challenge for the government. According to the Information System Security Certification Consortium, 85 percent of cybersecurity professionals would consider leaving their current jobs. Information technologists do not need to search for positions that are exciting, respect their expertise, help them become more marketable and pay well because as many as 18 percent of non-active job seekers are contacted daily by employers seeking them out.

The realization that a cybersecurity workforce crisis was looming started during the Clinton administration. In 2000, the National Plan for Information Systems Protection noted the United States was failing to produce an urgently needed and most difficult-to-acquire workforce of trained computer science/information technology specialists.

Over the next several years, a number of initiatives sought to address the issue. The National Initiative for Cybersecurity Education (NICE) was established as a partnership between government, academia and the public sector. The National Cybersecurity Workforce Framework called on the government to define and describe cybersecurity work. The Federal Cybersecurity Workforce Assessment Act directed agencies to conduct a baseline assessment of the existing cybersecurity workforce, identifying preparedness of staff based on certifications and a strategy to fill the gaps. The Federal Cybersecurity Workforce Strategy identified the need to increase workforce education and training, recruit cyber talent and use the NICE Framework.

From 2015 to 2017, the U.S. Scholarship for Service (SFS) program invested $165 million in education; $40 million pays for approximately 1,500 students to complete their studies.

Executive Order 13800 in 2017 directed a national and foreign peer review of workforce development efforts and an assessment of the sufficiency of U.S. efforts to ensure an advantage in cyber capabilities. The departments of Homeland Security and Commerce recommended using direct hire authorities, funding centers of excellence, establishing apprenticeships, initiating more cyber challenges, increasing internships, supporting teaching programs, enhancing the high school career and technical education (CTE) program, increasing SFS monies, helping with loans and utilizing the NICE framework.

Last year, both the National Cyber Strategy and the U.S. Defense Department Cyber Strategy highlighted the need to invest in programs that enhance cybersecurity talent. Key actions under the national strategy included funding and improving primary through postsecondary education talent-building and promoting excellence through cybersecurity educators and professionals.

The Defense Department has been investing in various programs to retain technical talent. According to the U.S. Government Accountability Office (GAO), the department spent $3.4 billion in fiscal year 2015 on incentive pay for active-duty service. In the area of bonuses and hiring incentives, enlistment and re-enlistment bonuses are used to recruit and retain personnel in fields with shortages, including cyber.

The department is the nation’s largest employer; military and civilian pay and benefits represented nearly 50 percent of its budget in fiscal year 2016. However, according to the National Incentive for Cybersecurity Careers and Studies, the annual average salary for a cybersecurity professional in the private sector is $116,000. Incentivized pay can’t compete with this wage level; furthermore, increasing pay and benefits limits the monies available to fund other priorities such as modernizing equipment.

Other techniques to attract cyber personnel also exist but not often deployed. For example, hiring and pay flexibilities can be used for cybersecurity positions designated as excepted service, but this program’s usage is scarce. In December 2017, the GAO reported that less than 6 percent of employees received special payments.

Direct hiring also can be employed in conjunction with excepted service for promotion and based solely on qualification rather than only time in service. However, in May 2018, when the U.S. Cyber Command held its first major hiring event, more than 900 people attended online or in person and 70 on-the-spot interviews were conducted, but only 18 new personnel were hired.

So what does it take to recruit cyberspace professionals? According to an (ISC)2 report on cybersecurity talent, salary is not cyber professionals’ only top priority. Instead, 68 percent want their opinions taken seriously, 62 percent want to protect people and data, and 59 percent want a strong code of ethics from their employer.

Although there have been hiring success stories, the solution to the workforce problem requires large-scale action. The government needs to follow through on an objective of the 2018 National Cyber Strategy by investing in and enhancing programs that build talent from primary through postsecondary education. To avoid spending resources without gain, measures of effectiveness also should be developed.

While CTE research indicates that students benefit financially and motivationally from higher education, each additional year of advanced coursework can yield a 2 percent increase in wages, and CTE students are more likely to graduate. However, today, most states employ less than 1,000 CTE teachers in secondary education.

Investing in students throughout their learning career is a proven method to push a country forward in the technological world market. School systems built around a core curriculum adopted in 1893 need change, and experienced information technology professionals should be welcomed into the classroom.

Consequently, the Department of Education should promote a cybersecurity CTE track across educational institutions and put the information technology curriculum on equal footing with math, science and language arts. Time should be spent daily—or at least weekly—learning foundational information technology concepts. Exposure would increase cybersecurity postsecondary majors and the cybersecurity workforce pool.

But many school systems make it cumbersome for cybersecurity professionals to become CTE instructors. A cybersecurity professional would likely be required to obtain a CTE or alternate teaching certification within their states. These certifications are typically only valid for a specified period of time.

In addition, a cross-state analysis of CTE state directors revealed only 59 percent were aware of the option to tap industry for technical education. This is a poor construct for attracting information technology professionals who are in high demand, even professionals who want to educate future generations in the STEM subjects.

While taking these steps at the elementary and secondary schools levels sets the groundwork, the number of information technology scholarships also should be increased and the search for information about their availability made more straightforward. The hodgepodge of government incentive programs needs an intuitive and inviting application process.

For example, students currently seeking government scholarships for cybersecurity will likely find the CyberCorps SFS site. Useful information such as application deadlines is buried in the FAQ section, and participating institution links often give inconsistent information or broken links to universities. Government agency scholarship sites also either require persistent searching or only provide email contact information to obtain answers for basic questions. A well-advertised and funded one-stop, intuitive government application process should replace the scattering of information.

While the United States is struggling to acquire cyber personnel, other countries are excelling at finding qualified people to fill their technical jobs by introducing technology-related subject matter in early education. In preparation for a fourth industrial revolution centered around growing industries such as robotics and artificial intelligence, Japan is engaging students at a young age and is on track to make programming compulsory at all public elementary schools beginning in 2020.

Japan isn’t the only country that recognizes the importance of education to the future of a technologically skilled workforce. Like Japan, Israel’s approach to education is the likely reason for its success. Since 1998, Israel has worked toward universal computer literacy through a program called Tomorrow 1998, which emphasizes computer literacy on equal ground with reading and writing.

Cybersecurity education starts in middle school. Israel recruits engineers and programmers to teach. The government employs hackers to breach its systems and partners with industry. Technical high schools funnel students into military cyber units. Per the 2015 State of the Nation report, 40 percent of students are sent through technological and vocational tracks, 30 percent of which are distributed about equally between the engineering and technological tracks.

In addition to Japan and Israel, China is the number one producer of undergraduates with degrees in science and engineering, according to the National Science Foundation (NSF). This accounts for 49 percent of all bachelor’s degrees awarded in China, compared to 33 percent of all bachelor’s degrees the United States confers.

The U.S. government can turn around the cyber workforce shortage, but only with a concentrated and monumental revamp of the education system and an investment in postsecondary cybersecurity offerings. Without these measures, the government will continue to contend with industry for qualified science, technology, engineering, mathematics, computer science and cyber personnel. When the resource pool grows, both government and industry will win.

Janel Nelson is an engineer at the Naval Information Warfare Center and the senior Air Force reservist to the J-6 director at U.S. Special Operations Command.