Cybersecurity hiringGAO reports problems in cybersecurity hiring strategy

An audit by the Government Accountability Office (GAO) has found that some government agencies have failed to effectively develop or implement cybersecurity workforce planning strategies. Agencies also reported problems in filling some cybersecurity positions, particularly those requiring specialized skills.

In 2010 the Senate Judiciary Committee asked GAO to study whether or not the federal government was adequately meeting its cybersecurity staffing goals and report on the status of government-wide cybersecurity initiatives.

The study encompassed the eight federal agencies with the highest information technology (IT) budgets, including the Departments of Defense, Homeland Security, and Justice.

One of the key problems according to GAO is that agencies had trouble even identifying which employees could be considered cybersecurity professionals.

“All agencies had defined roles and responsibilities for their cybersecurity workforce,” GAO said. “But these roles did not always align with guidelines issued by the federal Chief Information Officers (CIO) Council and National Institute of Standards and Technology (NIST).”

The Office of Personnel Management (OPM) uses a series system to identify specific occupations; however there is no single series used for cybersecurity specialists.

According to the report, “In many cases, employees with cybersecurity responsibilities also have other responsibilities, and some employees classified under a particular series may not have any cybersecurity responsibilities.”
GAO found seventeen different occupational series with at least some cybersecurity responsibilities.

It recommended that OPM coordinate with the CIO Council, the principal interagency forum on federal IT, to develop a government-wide strategy to track agencies’ cybersecurity workforce.

Some agencies are also having trouble filling available cybersecurity jobs.

DoD for example reported that for 2010, it failed to fill about 9,000 of the more than 97,000 open information assurance positions, while Treasury said that it was struggling to fill some highly technical positions such as those dealing with penetration testing and forensic analysis.

A number of factors were cited for the difficulty and responses varied by agency.

The Department of Commerce reported that it had difficulty finding candidates with the combination of federal experience, detailed IT security knowledge, and professional certifications.

DoD claimed that in addition to problems finding qualified candidates, the complexity of the federal hiring process and the length of time needed to obtain security clearances represented a barrier to filling all of its positions.          

GAO also found that agencies struggled to measure the effectiveness of incentives offered to attract the best candidates for cybersecurity jobs.

“Although most agencies used some form of incentives to support their cybersecurity workforce, none of the eight agencies had metrics to measure the effectiveness of these incentives,” the report said.

Several federal initiatives are currently under way to define cybersecurity roles and improve workforce planning, but the different plans lack coordination.

“The Chief Information Officers Council, NIST, Office of Personnel Management, and the Department of Homeland Security (DHS) have also taken steps to define skills, competencies, roles, and responsibilities for the federal cybersecurity workforce,” the report stated. “However, these efforts overlap and are potentially duplicative.”

The GAO did say that positive steps have been taken; as officials from these agencies have begun efforts coordinate their activities.