Soon, a cybersecurity professional at the Department of Homeland Security could make as much money as the vice president of the United States, $255,800 — or more, up to $332,100, if they’re in a geographic market where that salary makes the offer competitive.
It’s just one feature of a dramatic overhaul of how DHS hires cyber personnel rolling out on Nov. 15 after seven years in the making.
The Cyber Talent Management System dispenses with traditional federal job classifications in place since 1949, changes how applicants prove themselves, ties pay increases to something other than longevity of service and much more. At a time when private sector organizations and government agencies struggle to recruit and retain cyber personnel, DHS officials and outside observers alike are hopeful the system will deliver results.
It’s a priority not just for DHS Secretary Alejandro Mayorkas but for the chief of the Cybersecurity and Infrastructure Agency since July, Jen Easterly.
“I think I’m going to spend a huge amount of my time on people,” Easterly said at the Billington CyberSecurity Summit this month. “Because at the end of the day, you can have awesome tech and you can have really good process but if you don’t have great talent, you’re going to fail … It’s hard to find talent out there because we’re all competing for it.”
The success of the personnel system is far from assured, and experts say it could hit hurdles during implementation like most any government program. Nor will it solve all of the issues surrounding one of the most difficult problems in cybersecurity today: the gap between cybersecurity job openings and qualified candidates, standing at an estimated nearly 900,000 in the U.S. alone, by one estimate.
If the DHS plan is successful, though, it could serve as a model for other agencies looking to bring cyber pros into the federal government. There’s a lot riding on it: The SolarWinds hack that provided suspected Russian spies with a foothold into nine federal agencies showed once more how vulnerable the government is, and feds have had to respond to a rise in both the frequency and damaging effects of ransomware attacks.
“This could really be a game changer,” said Michelle Amante, vice president of federal workforce programs at the Partnership for Public Service. “Clearly, the federal government is losing the war on talent.”
What The Plan Does
Under the system, those hired for so-called “qualified positions” in the newly-labeled Cybersecurity Service will have their salaries tied to others in the market, rather than experience.
While the average federal civilian agency cyber employee’s salary in 2020 and 2021 was higher than the private sector’s average — $125,225 versus $121,161 —some industries far surpassed the pay of federal agencies, (ISC)2, a member organization for IT security professionals, told CyberScoop. Private sector consulting jobs, for instance, had an average salary of $147,817, and jobs at some IT services companies had an average of $145,544.
DHS will assess candidates’ qualifications using tools like simulations, or considering things like rewards from cybersecurity competitions that demonstrate their skills. DHS can bring someone in for a continuing or renewable appointment, which should make it easier for people to move between jobs. Pay increases are tied not to length of service but “mission impact.”
DHS will be able to forgo the usual required hiring processes and instead recruit as it sees fit, meant to accelerate hiring and allow the department to selectively target talent, with a stated emphasis on collaborating with professional organizations and universities to improve diversity.
Congress passed the bill authorizing DHS to create the Cyber Talent Management System in 2014. Its creation has spanned three presidencies. Sen. Tom Carper, D-Del., who sponsored that legislation, said he was “proud” to see it finally come to fruition.
In May, then-acting CISA Secretary Brandon Wales, now CISA’s executive director, explained the delay during a Senate hearing.
“We have to roll out a fairly significant new human capital system, completely doing away with the existing general schedule,” he said, referring to the traditional federal job classification and pay system. “It’s required a large scale rulemaking effort that’s finishing up now. It’s taken longer than anyone wanted but it appears we are on the cusp of getting the program live.”
The Defense Department has a similar “Cyber Excepted Service” that it has used to hire thousands of employees.
Views on the System
Despite the similarities to the Pentagon system, DHS’s stands apart in some ways.
“What makes the big difference here is using this very flexible and dynamic assessment to really gauge someone’s skillset,” said Amante, whose organization runs a cybersecurity talent initiative that places personnel in federal agencies for guaranteed terms before making them eligible for private sector jobs with the initiative’s industry partners.
The most impressive part of the DHS system is the information it will collect as part of its strategic talent management process, said Simone Petrella, CEO and co-founder of CyberVista, an organization that runs training programs for federal agencies. DHS will aggregate and use information on an ongoing basis to identify necessary qualifications, analyze cyber employment trends and for other tasks.
“You essentially create a massive database of what you have and what you need, and then you can match what you have to what you need, as well as see where you need to find more,” she said.
For Tara Wisniewski of (ISC)2, the best aspect of the system is the flexibility with which DHS will be able to “cycle people in and out from industry.” That kind of cross-pollination has long been viewed as key to fostering skills in both the private sector and government that in turn benefit one another.
But “the devil is in the details” of “how it’s going to be rolled out,” said Wisniewski, executive vice president of advocacy, global markets and member engagement. There’s skepticism it will go smoothly, she said: “That it’s taking this long to get rolled out speaks to some of the ongoing challenges.”
The regulation does nothing to deal with another factor that complicates the swift hiring of cybersecurity personnel, background checks and security clearances — matters largely handled outside DHS that can take weeks or months to process.
Nor does it get to the root of other woes bedeviling the cybersecurity hiring cycle. “It does not actually create all the supply to meet the demand that is available, and so there is a ceiling, by design,” said Petrella — meaning, that the system can’t materialize cyber pros who don’t exist, as everyone everywhere has difficulty finding talent. Nonetheless, the personnel inventory the system can create will at least help direct policy and resources for developing such pros, she said.
Feds haven’t contented themselves with the DHS personnel system as the sole answer. Earlier this year, DHS conducted a workforce sprint to bring on hundreds of new hires. A presidential council recently issued a report with recommendations for bolstering the critical infrastructure security workforce, including cybersecurity personnel.
But in the near future, the Cyber Talent Management System is “one of the things I’m most excited about,” Easterly said Tuesday at an event hosted by Auburn University’s McCrary Institute for Cyber and Infrastructure Security.