With a growing cyber workforce gap, Federal agencies need to get creative as they work to shore up their cyber defenses. What skillsets are most valuable for incoming cyber workers? And how can Federal agencies find talent in surprising places and nurture the talent they already have?
MeriTalk sat down with Pamela McComas, Program Manager and Solutions Architect at General Dynamics Information Technology (GDIT), to get her take.
MeriTalk: The Office of Personnel Management (OPM) and the Office of Management and Budget (OMB) first released the Federal Cybersecurity Workforce Strategy in 2015. Yet, there are more than a half million cyber job openings in the U.S. today, and some projections predict the shortage will reach 1.8 million unfilled positions by 2022. Obviously, this is a very tough multi-faceted challenge. What are some of the largest roadblocks specifically in the Federal government?
McComas: This is a challenge that continues to grow, specifically within the Federal government and other big organizations. Cyber moves really fast – and the number of vulnerabilities and attacks grows every day. While the need to hire more resources is pressing, you can’t just throw people at the problem. You need the right people with the right skillsets, and that challenge is compounded by government competing with private industry, where companies can typically pay much more for high-end cyber talent.
MeriTalk: When evaluating candidates, what are the requirements and key skillsets that set someone apart?
McComas: In both government and industry, there are basic experience qualifications, degree requirements, years of experience, and oftentimes, certification requirements. And with work supporting the Federal government, you can also encounter clearance requirements.
However, there are some skills that are not considered “checkbox items” that organizations should consider when evaluating candidates. You have to ask yourself questions such as, “What else is this person doing to continue to grow their skill set? How are they going to maintain their certifications? What are they doing to look into new technologies and tools that are coming out in the foreseeable future?” And, you also have to consider if they are intellectually curious or a problem solver. It’s some of those non-tangible things that really start to set people apart. Being able to collaborate, communicate, lead teams, and brief the government client or your customers is also pretty critical.
MeriTalk: As we try to fill this growing gap – while competing with the private sector for talent – agencies need to look for candidates who might be a little outside the norm. What are some non-cyber focused skills that can easily translate to the cyber field?
McComas: This is something I’m really passionate about, because I’m in cyber, and I have a creative writing degree – so I am that nontraditional candidate. There are so many foundational and advanced skillsets that people can build upon when they are entering cyber from a different career path. We often see that people who have data or trend analysis skills easily translate to cyber. We also look for other skills that aren’t purely cyber focused such as problem solving. Additionally, if you can translate complex information into a story, whether you’re briefing leadership on an incident or making correlations across complex data sets, those skills can be very beneficial.
MeriTalk: A recent survey from CYBER.org found that less than half of elementary through high school students are receiving any cybersecurity education at school, and this rate is even lower at schools with lower-income students. How do we tackle this issue early on with STEM education?
McComas: I have a lot of friends who are public school teachers, so I see the challenges they face – one being strict budgets. Industry, government, and academia need to collaborate more to support our students and provide opportunities for that introduction to cyber, in an accessible and fun way. For example, looking at nonprofit organizations, like Girls Who Code, that have been successful in injecting cyber and IT security into the younger generation. It’s giving them that exposure early on and showing them not only a possible career path, but something that is a part of your every day. It really has to be a partnership across industry, government, and the school system, because schools often can’t do it on their own.
MeriTalk: At the same time, fewer than 25 percent of the current cyber workforce is comprised of women. How do we close that gender gap and bring more women into the field?
McComas: We’re making some progress but still have a long way to go. I got into cyber eight or nine years ago, and in my first job, I was just one of a few women on a 100-person contract – and only one of those women was in a technical cyber role. That was eye opening.
Driving change starts with basic marketing – making the face of cyber more diverse, relevant, and accessible to women. There are a lot of job postings that include more male terminology than gender-neutral language. That needs to evolve. We have to start younger, show that there is a place for women in cyber, and change the perception. We also need to better promote the wide range of career paths within cyber, spanning the hardcore technical to roles such as governance and policy.
Another story from earlier in my career – several years ago, I attended my first real cyber conference. There was a panel specifically around how to get more women in cyber – and all of the speakers were men. People may see cyber as more accessible when they see common backgrounds or stories, and having more women out there as ambassadors speaking in conferences, or as a face in the cyber community is really important.
MeriTalk: What recommendations would you give Federal agencies aiming to find talent within their organization, rather than outsourcing?
McComas: Career progression is so important, especially as the Federal government continues to compete for talent. You have to work with your managers to make sure they’re having conversations with their teams about what the next step looks like. And as cyber continues to change, you have to consider what additional skillsets employees need to keep things moving onward and upward, or even laterally into a different role. As new tools come out and with the growth in automation, there are huge opportunities for upskilling. But making sure that managers are helping to nurture team members’ career progression to funnel that talent from within is key.
MeriTalk: Streamlining the cyber workforce to optimize efficiency and effectiveness is critical to any agency’s mission. What are some ways agencies can do this? Does it start with leadership, training, or something else?
McComas: Organizations should take a holistic approach as cyber continues to change. Public and private organizations must look closely at their technical strategy and roadmap. If they are creating efficiencies, optimizing networks, or implementing tools that drive automation, they should consider the people who were previously doing that manual job and provide training to help them to upskill.
The perception of people being replaced by technology is another hurdle we face as we try to continually evolve our technology and make systems more secure. However, people will be at the core managing and interacting with those systems. Instead of people performing a task, they may now be managing the tool that is performing the task. People will still be supporting the technology to make sure it’s functioning properly and producing expected results.
MeriTalk: NIST’s NICE Cybersecurity Workforce Framework aims to cultivate a competitive cyber workforce from “hire to retire” to help protect our nation from current and future cybersecurity threats and attacks. How can Federal agencies use this framework to help their employees grow and mature as needs change?
McComas: The Cyber Workforce Framework should be a cornerstone of anyone’s workforce development plan. The framework helps define a role by the knowledge, skills, and abilities that the employee should have and tasks they should be able to perform within a work role. From there, you can look at your personnel and figure out where they fit and where they want to go with their career. While the framework doesn’t designate the roles such as an entry-level, mid-level or senior cyber analyst, there are natural work role progressions within the framework, which provides industry and government with a great description of what skills people should hold in each work role. The consistency really helps us work more effectively while helping our employees perform job requirements. And, it is a framework that can continue to evolve as the industry and cyber change.
MeriTalk: Additionally, the framework outlines the critical need for training as tools change, policies adapt, and technologies advance. How can a hands-on and work role-based approach to training aid employees to ensure consistency as cybersecurity evolves?
McComas: I’m such a proponent of providing hands-on, real-world experiences at all skill levels using the tools and techniques people would encounter in the field. This prepares them for the tasks and challenges they’ll tackle on a day-to-day basis, and they’ll be up to date on the current competencies and tools. Using current tools and relevant scenarios enables the workforce to be better prepared to hit the ground running when they arrive.
MeriTalk: In the July 2020 President’s Management Agenda update, OPM identified cybersecurity as one of the high-risk critical occupations that the Federal government lacks, and required agencies to provide an updated progress report in FY20 Q3. In your opinion, how will this aid the Federal cyber workforce in closing gaps? What steps can they take to show progress – is it more than just vigorous hiring?
McComas: There is a large gap in hiring qualified personnel, but it also depends on having a larger defined security and technology strategy – again, looking at the organization and its goals. When you’re looking at where you’re heading over the course of one, three, or five years, we can then start to break it down into the areas where an organization needs more support – whether it’s people, tools, or new capabilities – and then prioritize and address accordingly.
MeriTalk: Do you think having these policies that require organizations to show their progress will help, or do you think it will hurt them?
McComas: I think it helps from a perspective of establishing an organization’s current baseline and helping them determine where they want to be in the future, even if that future changes over time. It also allows agencies to measure their progress along the way and determine if they’re staying on the right track. As we’ve seen in the past few months, an unexpected external factor such as COVID-19 has radically changed the way many organizations operate, prioritize their projects, and also prioritize their cybersecurity. Acknowledging and tracking progress and the shifts an organization may need to take to respond to changing environments can help them continue to mature, grow, and provide a strong cyber workforce. Tracking progression also helps when you’re requesting additional funding to show where you want to head as technology changes and priorities change.
MeriTalk: What role does GDIT play in helping to advance the cyber workforce in government?
McComas: GDIT is a large government contractor, and we take providing a qualified cyber workforce to support our customers very seriously. We have a lot of internal training and career progression programs to make sure we’re providing and cultivating top-notch talent. In addition to formal training, we have fun internal events such as hackathons and lunch and learns. And we have STEM education partners directly linked to cyber, such as the Loudoun Education Foundation, Black Girls Code, and Girls Who Code.
Outside of growing GDIT’s cyber workforce to support Federal missions, we also have programs where we provide cyber training to the government. Overall, our teams are dedicated to making sure our customers are aware of the latest tools and solutions that will help them conquer their toughest cyber problems.