The federal government wants to hire 3,500 cybersecurity professionals by January 2017. Given there aren’t enough qualified professionals to fill the current open positions, that’s a tall order.
The US federal government has spent 2016 investing a lot of money in cybersecurity, and expects to spend even more next year. This year has already seen the introduction of the President’s Cybersecurity National Action Plan and a 30-day cybersecurity project (that IT professionals like to refer to as a “sprint”), which highlighted cybersecurity gaps throughout the federal government.
And now the government wants to hire more people with last month’s release of the Federal Cybersecurity Workforce Strategy (pdf).
The strategy lays out an ambitious plan for expanding the federal cybersecurity ranks. It includes long-term efforts such as education and training at academic institutions, and ploys to retain and develop the current workforce.
Not Enough to Go Round
The plan also includes more immediate measures, such as the “Cybersecurity Surge Corps” to meet short-term demand. But the most aggressive element of the strategy is a plan to hire 3,500 more individuals into cybersecurity roles by the end of this year.
Hiring that number of employees into the government in less than six months would be a challenge in a favorable labor market, let alone the strong seller’s market that cybersecurity professionals are currently enjoying. For key cybersecurity roles — analyst, incident responder, architect, and others — the number of open positions nationwide currently outpaces the number of qualified applicants, according to CEB data. And that’s not even including the government’s hiring expansion.
How the Government Can Compete with the Private Sector
Given this market, cybersecurity professionals can currently command a salary that far exceeds the federal pay scale. Federal agencies should take three steps to compete with private sector companies for top talent.
Recruit from alternative sources: The federal cybersecurity workforce strategy includes some exploration of alternative recruiting practices, including a proposed cybersecurity track in the Presidential Management Fellowship program and an expansion of the CyberCorps scholarship.
However, to recruit qualified talent at government pay levels, hiring managers should look outside of traditional degree programs to identify qualified candidates without a four-year degree, looking to coding academies, community colleges, and the military. Government recruitment teams can use the tactics and tools in CEB’s Employer Playbook, developed as part of the White House’s TechHire Initiative, to expand their recruiting efforts.
Focus on what makes government unique: What government can’t offer in salary, it can make up for in the offer of a mission. No private sector company can appeal to a cybersecurity professional’s desire to make the country and citizens secure like the federal government can.
To emphasize this unique draw, government recruiters should clearly articulate the employment value proposition of working at their agency — mission, benefits, and development opportunities.
Assess for fit and competencies, not certifications: Most cybersecurity certifications aren’t a good predictor of high performance, according to CEB analysis. A Certified Information Systems Security Professional certification, for example, may be a good indicator of basic knowledge, but doesn’t guarantee success in the role.
Instead, government agencies should hire people with competencies that do indicate the potential to perform well: care for the agency’s mission, decision-making ability, the ability to influence others, and an understanding of the organization.