The $1.7 trillion omnibus spending bill recently signed into law by President Joe Biden shows that the federal government is poised to spend millions more on improving cybersecurity—but hiring and retaining enough talented tech and cyber pros to fulfill the administration’s goals remains a significant challenge.
A look at the bill, which Biden signed on Dec. 29, shows major increases in cybersecurity spending across the federal government over the next year. For instance, the U.S. Cybersecurity and Infrastructure Security Agency is slated to receive $2.9 billion as part of the bill, a more than $300 million increase from the agency’s previous annual budget.
Additional increases in cybersecurity spending contained in the bill include:
- $200 million for the Energy Department’s Cybersecurity, Energy Security, and Emergency Response department
- $100 million for the Treasury Department’s Cybersecurity Enhancement Account
- $422 million for the Office of Personnel Management for cybersecurity and hiring
- Nearly $22 million to help fund the Office of the National Cyber Director
- $50 million to address cyber threats from Russia and other overseas advisories
While earmarking these funds sets priorities and focus for cybersecurity across the federal government, the administration still needs skilled tech and cybersecurity pros to carry out these various initiatives. Here, the administration faces a significant shortfall.
In September, the Federal Cyber Workforce Management and Coordinating Working Group published a report stating that, of the 700,000 open cyber positions in the U.S., 40,000 of these jobs are in the public sector. As the paper also notes, the Bureau of Labor Statistics found that the cyber job market will “grow 13 percent from 2020 to 2030, faster than the average for all occupations.”
According to the U.S. Government Accountability Office’s December report, the Pentagon spends hundreds of millions of dollars on cybersecurity training, but the armed forces do not have uniform requirements to ensure that its personnel remain in service to guarantee the U.S. Defense Department receives its return on investment and retains its talent.
“This year we will continue to see the workforce gap increase both within the industry and the government,” Jim Hoppe, senior vice president for the Americas at security firm Delinea, told Dice. “The additional funds will lend tremendous support, but the government must do a better job at getting more new talent and diversity to join the cybersecurity workforce. How we attract new talent into the cyber industry and accelerate hiring must evolve, as hiring the right people is no longer just about core technical skills but rather a diverse set of skills that also include communication, collaboration, marketing, design and psychology.”
Driving More Cyber Talent to Government Work
While the pay difference between those working in private-sector cybersecurity and their equivalents in the public sector is well documented, industry experts note that the U.S. government still has unique opportunities to offer those interested in starting and advancing a cyber career.
One way is to appeal to a unique sense of mission and government service, especially as the U.S. continues to build its cyber capabilities, said Hoppe.
“Never underestimate the power of the mission and the desire to be part of something greater, but building a solid security-first culture takes time, insights and action. It requires a shift in mindset that creates a shared, value-driven approach,” Hoppe added. “Agencies should also consider allocating a ‘cybersecurity champion’ for each department who understands the unique security and compliance challenges a department faces, who can assist with enforcing security policies, and can authentically vouch for extra security resources and training when required.”
Another way to attract more cybersecurity talent to the government is to appeal to entry-level candidates who want to build a cyber career but need experience, said Sounil Yu, CISO at JupiterOne.
“The government can beat the private sector when it comes to hiring and training entry-level talent. As such, it should consider significantly increasing the budget for the CyberCorps program, which provides scholarships for students that commit to working for the government after graduation,” Yu told Dice. “The omnibus bill increases the CyberCorps budget by about 10 percent, but that amount needs to dramatically increase if the government wants to create a meaningful pipeline of talent that eventually remain in government.”
While salary is one area where the private sector has a clear advantage, industry watchers note that the government’s overall hiring practices—which many see as a morass of endless red tape and paperwork—also hinder hiring the best tech and cybersecurity talent.
Federal agencies also put less emphasis on hiring those with specialized skills, which can drive talent away, said Dr. Stephanie Carter, principal of the FedRAMP advisory services at consulting firm Coalfire.
“The top issues with recruiting and maintaining federal employees are all the hoops and red tape you must go through just to get the job,” Carter told Dice. “The requirements for these jobs are too extensive where if you don’t know someone on the inside, you will not be able to be successful at being selected as a candidate. And these requirements are not the industry requirements for certifications and trainings in cyber, which the civilian sector does recruit for these special skills and are successful at recruiting and retaining talent.”
Addressing the Skills and Talent Gap
To drive more tech and cybersecurity pros into public-sector careers, the government needs to ensure that agencies can offer training for those who want to take this career path as well as help build a better culture.
There are three specific areas where government agencies need to invest some of their newfound cyber dollars to help build up a skilled workforce, said Kyle Dewar, the director of technical account management for federal at security firm Tanium. These include:
- Hard programming skills, including the ability to solve complex problems, and critical thinking skills.
- Experience in data analytics, including how to discover, identify, exploit and leverage data in meaningful ways.
- Experience in using industry-standard tools to help accelerate IT operations, security, compliance and risk activities.
Dewar, who has also been responsible for talent management for the U.S. Marine Corps Forces Reserve, added that the federal government also needs to keep up with the pace of how the cybersecurity industry is changing.
By doing this, the government can better recruit and retain talent. “Both government and industry want high-quality talent. The belief is that—like baseball or basketball or other sports teams—the highest payroll will win,” Dewar told Dice. “Government organizations need to understand how their cyber missions are changing. Understanding the skills dynamic of a cyber workforce will inform investment decisions on what skills to buy within a strategic talent management plan. A football team needs one quarterback, but it needs five offensive linemen, etc.”
Even with the additional funds from Congress, Darren Guccione, CEO and co-founder at Keeper Security, still believes the government needs to work harder to recruit and train the cyber and tech talent it needs to improve its defenses. He added that his company’s survey shows even the private sector, which has the funds to pay top talent, struggles to keep up with hiring needs.
“Just as business leaders are challenged with sourcing the necessary cybersecurity talent to keep their organizations secure, so is the federal government,” Guccione told Dice. “While businesses have the financial upper hand, government agencies offer other incentives such as an entry into the field, top-notch training and federal benefit programs, as well as intangible draws such as patriotism and service to the country.”