Government Hiring Practices Hamper Cybersecurity Efforts
Federal agencies find it difficult to hire unconventional but well-qualified talent to battle cyberattacks, experts say.
Domestic Drones: 5 Non-Military Uses
(Click image for larger view and slideshow.)
Government cybersecurity practices remain hobbled by rigid human resources policies that must be changed if agencies are to more effectively recruit, train, and keep talented IT professionals, a group of experts said at a forum on cybersecurity.
"We spend a lot of time in the CIO Council talking about the lack of flexibility in hiring," said Karen Britton, special assistant to the president and CIO, Executive Office of the President.
"We're trying to get out in front" in describing the IT security skills agencies are looking for, but "we do rely on HR for position descriptions," and often, the processes for defining and recruiting IT talent don't yield the results agencies need.
Britton made the remarks May 15 at a forum hosted by the Association for Federal Information Resources Management (AFFIRM) and the US Cyber Challenge, a group attempting to develop future cybersecurity talent.
Gregory Wilshusen, director of information security issues at the General Accountability Office, agreed. "[We have] the government hiring practices of the 1940s and '50s in the 21st century," he said.
Within the broad term "hiring practices," there are a whole range of issues. Wilshusen said part of the problem has been that agencies such as the Department of Homeland Security, the National Institute of Standards and Technology, and the US Office of Personnel Management, among others, have not had a common terminology for positions or a common expectation of the skill sets that a given position should include. The National Initiative for Cybersecurity Education, or NICE, program being led by the NIST is "beginning to coalesce" these differences into a shared definition, Wilshusen said.
US Naval Cyber Defense Operations Command (Image: US Navy)
The length of time it takes to fill a position, which can stretch out for months, and the challenges even government-savvy candidates face in completing the necessary paperwork, are part of the problem. The lack of autonomy in government jobs -- real or perceived -- is seen as another challenge.
Another is that many of the most skilled cybersecurity people don't always fit the profile of individuals agencies typically look for: They may be college dropouts, or they may have gotten in trouble in the past for hacking exploits, which often disqualifies them from consideration, even though they might have the ideal experience for certain jobs.
Steve Bucci, former deputy assistant secretary for homeland defense and defense support of civil authorities at the Defense Department, said one of the biggest unnoticed consequences of classified data leaks
Security Job #1 For FedsThe 2014 InformationWeek Government IT Priorities Survey shows federal IT pros care about security - itís rated as very important by 69% of respondents, 30 percentage points ahead of the No. 2 priority, disaster recovery. Will the upcoming NIST cyber-security framework help manage risk?
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?