Expect Pentagon's Cyber-Worker Strategy 'Any Day Now'

The imminent release of a cyber workforce strategy and implementation plan will buttress new Pentagon initiatives to recruit and retain skilled cyber workers, a Defense official said Thursday. 

Mark Gorak, the principal director for resources and analysis in the DOD chief information officer’s office, said the Pentagon expects the cyber workforce strategy—which DOD has been working on for almost a year—to be finalized “literally any day now.” Speaking at a webinar hosted by Billington Cybersecurity, Gorak said it will include four main pillars to guide DOD’s cyber-related staffing efforts, which include identification, recruitment, development and retention. 

Gorak said the accompanying implementation plan is “even more important,” since it will help put into place the strategy’s broader pillars by outlining specific initiatives to meet current training, retention and recruitment challenges. 

Both the public and private sectors are experiencing cyber workforce shortages, with the number of trained professionals across the country failing to meet the high demand for cyber expertise, amid an increase in ransomware attacks and other digital threats. 

A report on the state of the federal cyber workforce, released last October by a federal working group, found that there were “more than 700,000 cyber jobs to fill nationwide and nearly 40,000 in the public sector as of April 2022.” And the cyber talent shortage is impacting the Pentagon’s operations as well, with DOD noting in a November memo that “attracting cybersecurity professionals continues to fall short of demand.”

Gorak said the Pentagon is working to enact a strategy and implementation plan that addresses its total cyber workforce—which he said includes civilian, military and contractors—noting that each component “has certain challenges” when it comes to carrying out their work. This overall approach will also rely on leveraging data, through the use of predictive analytics, to more effectively identify which type of cyber professionals or cyber workforce roles are lacking within DOD, and then work to incentivize hiring for those positions to meet high-risk needs. 

To meet both its recruitment and retention challenges, Gorak said the Pentagon is also working to change its requirements for cyber professionals—both for bringing new talent into the agency, as well as for ensuring that current DOD employees remain knowledgeable about evolving digital threats and vulnerabilities. This will include a greater reliance on performance assessments and hiring assessments, and less of an emphasis on degree requirements and certifications, to guide hiring decisions moving forward.

“Now we'll get after some of the population that aren't so great in school, but spend their time on apps or development or software engineering on their own time,” Gorak said. “I want that population to join the department as well, as it's good for the federal workforce, and I also want that population in my contractor pool.” 

As for current DOD cyber professionals, Gorak said the implementation plan will require “an annual type of assessment performance, where we then measure each individual, based on their level of skill that’s based on the current requirements.” He said this approach, coupled with the adoption of mentorship and apprenticeship programs to bolster digital skills and offering additional incentives, will help the Pentagon’s cyber workforce better adapt to changing threats and vulnerabilities—particularly DOD’s non-military employees.

“Right now, part of the problem we have is our workforce, on the military side, is really good with training,” Gorak said. “The civilian side, once you're hired, you're hired. There’s not much incentive to continue your training besides personal incentive. So I want to incentivize that, and then change it over time.”

And while Gorak said that DOD may ultimately lose some of its more trained military cyber professionals to the private sector after investing significant time and money in their education, he said he viewed it as “a win and a loss,” since this high-skilled talent can ultimately help foster stronger partnerships between the private sector and the Pentagon moving forward. 

“From a DOD perspective, that could be a bad thing, but I think for national cybersecurity, that's a good thing,” he added. “We're producing a lot of talent for not only the federal government, but also for the nation as a whole.”