Federal Cybersecurity Hiring: What More Needs to Be Done?

In July 2023, the Biden administration unveiled an ambitious plan, the National Cyber Workforce and Education Strategy (NCWES), which sought to revamp how federal agencies recruit and hire tech and security professionals to fill the thousands of open cybersecurity positions throughout the government.

There are currently 470,000 open cybersecurity positions in the U.S. across the private and public sectors, including federal, state and local government agencies, according to CyberSeek.

The strategy aims to diversify the federal workforce while inviting more workers and tech professionals to apply for open cyber positions within government agencies. The plan calls for additional money for scholarships and grants to encourage non-traditional students to explore security careers, giving what the White House called “access to good-paying, middle-class cyber jobs within their communities.”

Additionally, National Cyber Director Harry Coker Jr. announced in January that his office is working with the Office of Personnel Management to transition jobs that fall under IT management to a skills-based hiring process, a shift from the previous hiring process that required a degree, according to Axios. By diversifying the cyber workforce, the federal government can better compete with the private sector for talent.

Despite these and other White House cyber initiatives, closing the security skills gap remains elusive—both inside and outside the federal government. Closing it will require additional work, experts and industry insiders noted.

“Programs like the ‘Scholarship for Service’ are excellent, but we need to ensure our students are aware there is support available to help them pursue a career in cybersecurity,” said Kate Terrell, chief human resources officer at Menlo Security, referring to one of the key components of the strategy that invests $24 million in scholarships over the next four years.

“Drawing more awareness about the opportunities and types of careers one can have in security and understanding how the government will invest in this type of skill building can help new and prospective students embrace the education to build a successful career,” Terrell added.

While reviews are mixed, experts and insiders noted that, by raising awareness of cybersecurity careers and opportunities, the federal government can drive additional interest in the overall security field, which can also benefit tech pros in the private sector.

Making Headway in Cyber Hiring

As the White House’s Workforce and Education Strategy enters its second year, several experts noted that the program has helped raise awareness of opportunities for tech professionals to work in cybersecurity for the federal government.

In a recent report on the nation’s cybersecurity posture, the White House noted that about 90 organizations have committed to the Workforce and Education Strategy, which includes promising to hire 13,000 workers for cyber jobs and spending $280 million toward teaching security skills.

“Positive trends related to increased hiring and educational programs exist as organizations become more aware of the critical need for robust cybersecurity programs and begin to invest in talent accordingly. This is creating demand for qualified professionals as the number of job postings steadily increases,” George Jones, CISO at security firm Critical Start, told Dice.

While one initiative cannot erase the cybersecurity skills gap and drive more talent into the field, there are some signs that the strategy is raising awareness, Jones added.

“As a response to the increased demand, many educational institutions have expanded their cybersecurity programs, but the impact is lagging,” Jones said. “There is a rise in cybersecurity bootcamps and certification programs, but the quality of these programs can vary widely. Despite the increase in hiring, the skill gap remains a significant challenge with employers often struggling to find candidates with the specific skills and experience required to fill advanced cybersecurity roles.”

By emphasizing non-traditional routes and opening up opportunities for those without four-year degrees, the strategy can start bringing in talented workers who normally wouldn’t apply for these positions, said Darren Guccione, CEO and co-founder at Keeper Security.

“These developments are encouraging, reflecting a collective effort to address the persistent cybersecurity talent shortage,” Guccione told Dice. “Non-traditional routes into cybersecurity, such as bootcamps, certifications, apprenticeships and community college courses, are gaining momentum and proving to be effective. These programs provide viable pathways for individuals looking to switch careers or those who may not have access to traditional four-year degree programs.”

Additionally, by opening the hiring process to workers who have skills but not necessarily degrees, more U.S. military veterans have opportunities, especially those who have honed their cybersecurity skills for years, said Robert Hughes, CISO of RSA.

“Today, the cybersecurity training that military personnel receive can be just as meaningful to the armed services as it is for civil society,” Hughes told Dice. “I’d have just as much faith in someone who has done the work to repel threat actors as I’d have in a college graduate who knows the theory of cybersecurity. There are other ways into a cybersecurity career that the government should consider—whether that’s openings in IT, networking, or even support desks, which is where I got my start.”

Creating Career Paths

When it comes to attracting talent, especially next-generation workers finishing their studies or only entering the workforce now, Terrell said federal agencies or even private-sector HR departments have to focus on three issues:

  • Creating a strong connection to the purpose and impact: employees must understand how their work contributes to making a difference.
  • Developing an environment where employees have interesting and challenging work, as well as an atmosphere that allows them to be their best selves and continue to grow and learn.
  • Understanding competitive earnings: the best talent knows their market value and will seek compensation that matches or exceeds it. Competitive earnings demonstrate how an organization values its employees' skills and contributions.

Keeper Security’s Guccione agrees that these types of government-led initiatives need to consider career development—giving tech workers the skills and abilities to expand their careers and move up the leadership ladder: “Equally important is career development. Candidates are looking for clear career paths, professional development opportunities and flexible work arrangements that allow for remote work when possible.”

There’s More Work to Do

Not everyone is seeing the results of the workforce and education strategy. One of the biggest issues not addressed is the compensation differences between public sector jobs and their counterparts in the private sector, which pay substantially more.

“There continues to be a major shortage of an experienced cyber-qualified workforce,” said Gary Bradt, vice president for the public sector at Zimperium. “The government and industry cannot hire or retain highly qualified people. We can hire people who are newly skilled in cyber, but we continue to see a huge shortage of qualified experienced cyber workers. There are plenty of ‘cyber talkers’ but there are not enough qualified technical people. There is a huge deficiency at the top level.”

Other observers, such as Omri Weinberg, co-founder and chief revenue officer at DoControl, believe that these types of government initiatives need to focus on specific technologies such as cloud computing and SaaS. “The government's cyber initiatives need to reflect this reality. Training programs should include robust modules on cloud security, API integrations and the unique risks associated with SaaS environments,” Weinberg told Dice. “It's not just about firewalls anymore—it’s about understanding how data flows between dozens or even hundreds of interconnected cloud apps.”

For RSA’s Hughes, the federal government should set its sights even higher, creating a “Manhattan Project” for cybersecurity that recruits talent and educates all workers about threats and how best to respond.

“Every person should be a security person: If you have access to data, work with enterprise systems or if you receive a phishing email, you need to have some security background,” Hughes said. “We all need to uplevel our security. If businesses put more emphasis on that across the organization—and if they have security baked into all their business processes and departments—then they can re-evaluate how to manage their security workload.”