"We still have the fundamentals wrong," says Office of Management and Budget's Trevor Rudolph.
Federal agencies face a rapidly approaching deadline to identify cybersecurity workforce shortages.
Boosting the government’s information security workforce is a key part of the Obama administration’s long-term strategy for securing federal networks. It follows a 30-day rapid action plan initiated this summer to tighten online defenses in the wake of the massive Office of Personnel Management hack.
By Dec. 31, agencies are required to report to the White House the top five areas -- network services, cyberthreat analysis, systems development, and others -- where they lack sufficient personnel.
OMB and OPM plan to publish a first-ever governmentwide cybersecurity HR strategy in April.
"We still have the fundamentals wrong, and what I mean by that is there's a major, major talent shortage inside the federal government today,” said Trevor Rudolph, the head of the cybersecurity unit with OMB, speaking Tuesday at a Carahsoft event produced by the custom events unit at Government Executive, parent company of Nextgov.
There are currently nearly 400 open information security positions posted on USAJobs.gov, Rudolph said. And those are just the open jobs specifically categorized as information security, he added.
“There are plenty of other jobs related to cybersecurity -- acquisition professionals, lawyers, you name it -- where we need these skill sets inside the government, and we can't get them in at scale right now,” he said.
Rudolph’s boss, U.S. Chief Information Officer Tony Scott, previously estimated the government will need to fill about 10,000 openings for cyber professionals next year.
“This has been a long-neglected area where . . . we've got to focus on some new, innovative ideas on how to recruit and retain in this space,” Rudolph said.
Last month, OPM issued guidance to agencies for identifying their cyber skills gaps and provided a list of hiring shortcuts agencies can already take to fast-track the hiring of information security professionals. OPM first announced plans in 2013 to build a new database of cybersecurity jobs to better track workforce shortages.
It’s too soon to talk specifics about the forthcoming strategy, Rudolph said, but early ideas being kicked around could include pay reforms and better cybersecurity training for all federal employees.
Some agencies -- those dealing with financial regulation, such as the Securities and Exchange Commission or the Consumer Financial Protection Bureau -- have been granted the authority to set higher levels of pay than comparable positions in the General Schedule.
“It's a very important consideration, one that we are thinking through,” Rudolph said in response to a question about similar pay flexibilities for cyber talent. “But I don't believe that that's the only issue or that's the only way you're going to get people.”
He added, “Folks know, obviously, how easy it is to run for the money in the private sector, but I think we actually have a brand that is quite appealing here in the federal government that we can sell interested candidates on.”
In addition, Rudolph said agencies need better security training that raises the cyber-savvy of rank-and-file federal employees.
"It is no secret that the training that all federal employees undergo for cybersecurity awareness is not helpful,” he said. “Just to click buttons through a video to get a certificate at the end is not helpful . . . We need more active training where we're actually learning through simulations where you've actually done something wrong and you're learning from it and you can actually act on those things in the future. Those are the types of things that we're looking at in this space."