The federal government is notoriously bad at hiring qualified cybersecurity professionals — and it’s not just because it doesn’t pay as much as Google.
Even before the Office of Personnel Management breach that compromised the personal information of 21 million federal employees, demand for sophisticated cybersecurity talent was outpacing supply.
The skills gap has created a fierce competition for talent that the private sector is unquestionably winning. Even when government agencies attract top cyber professionals, they struggle to retain them.
The federal cyber force has suffered a spate of high-profile departures, including at the FBI, where a high-ranking investigator decamped for the private sector just this week.
Federal officials most frequently cite budget constraints as their chief impediment to hiring talent, arguing they can’t compete with the huge paydays available at tech companies.
An April study by the Partnership for Public Service found that senior-level cybersecurity employees in government earn between $24,000 and $33,000 less than those in the private sector. Federal entry-level workers in the field earn $8,000 to $14,000 less than private entry-level workers.
But the challenges go beyond a disparity in pay, because people attracted to government work aren’t typically looking for a huge paycheck; some are drawn to public service and to finding a compelling “mission” for their careers.
But in order to find their “mission,” those recruits have to survive a hiring process that is bureaucratic, arduous and slow, experts say.
In 2011, the hiring process for cybersecurity positions took an average of 50 days at the Department of Health and Human Services, and almost 130 days at the Treasury Department, according to a Government Accountability Office report.
The Office of Personnel Management (OPM) can grant direct-hiring authority, which allows agencies to speed up the process by eliminating some of the usual requirements when “there is a critical hiring need for a position or group of positions.”
The OPM has granted agencies direct-hire authority for information security professionals, but there are other positions of critical importance for the government to fill, some say.
Montana Williams, a senior manager of Cybersecurity Practices at the ISACA and former Homeland Security official, said many civilian agencies haven’t taken full advantage of the exemption to federal hiring rules.
“We have everything in place to do this the right way,” Williams said. “But agencies are failing to use existing rules that are already in place by OPM.”
The onerous background check process is also an impediment, especially for intelligence and military agencies.
Heather Lawrence, a young cybersecurity professional from the competitive University of Florida hacking team, said she considered public-sector employment. Lawrence told The Hill that based on the requirements these agencies presented at recruitment events, “many people were like, I feel like this is a waste of my time.”
There’s also the weed question.
Congress authorized the FBI last year to hire 2,000 new people, many of whom were earmarked for cyber jobs, but director James Comey told a Manhattan conference that he was hamstrung by the agency’s three-year moratorium on marijuana use.
“I have to hire a great workforce to compete with those cyber criminals and some of those kids want to smoke weed on the way to the interview,” Comey said.
Hiring experts are also concerned that the roles that agencies are trying to fill aren’t clearly defined, meaning that the government has no way to accurately assess the strengths and weaknesses of its workforce.
Without an accurate assessment, the government is often putting the right people in the wrong jobs, Williams said.
A generic job description will attract a vast swath of unqualified applicants, Williams noted. If one of those applicants has preference — if he or she is a veteran, for example — they might get hired even if “they don’t necessarily have the skills to do the job.”
This is also part of the reason the federal hiring process is so protracted: agencies have to wade through a huge swath of unqualified candidates. One official in human resources for the FBI described it as a “funneling process.”
And even if a high-quality candidate survives the screening process to land a federal job, he or she faces an unsure path to advancement focused on tenure — making the jump to the private sector much more attractive.
Some agencies are moving to address the lack of merit-based promotions in the system.
The Department of Defense, for example, is reviewing a broad personnel reform document that an official confirmed would emphasize talent over seniority — including a revision to the pay table that would reward high-performing individuals in critical areas such as cybersecurity on a merit basis.
Williams also says that while there is a lot of federal funding earmarked for boosting the cybersecurity talent pipeline, not enough is spent on continuing education for the workforce that’s already in place.
“This is critically important in cybersecurity because cybersecurity skills are perishing,” he said.