Suzette Kent is only five months on the job as federal CIO, but she’s quickly learned what’s at the heart of the government’s cybersecurity challenges.
Testifying Wednesday before the House Oversight and Government Reform Committee on the federal government’s struggles safeguarding its information, Kent repeatedly pointed to the lack of tech talent as the root of agencies’ perennial cybersecurity woes.
Asked how lawmakers could be of assistance in helping agencies better secure their IT infrastructures, Kent pointed immediately to a “continued focus on workforce activities.”
“In many cases, we still have almost a 25 percent gap in the number of cybersecurity resources we need across federal agencies and what we actually have in place,” she said. “And particularly we have some gaps in leadership and places where we have open positions that are key leaders. In many cases the individuals, when we get them in, their tenure is less than 12 to 18 months. There are multiple workforce actions, both at entry level and at leadership, and there are things that we continue dialogue with the private sector to see if we can fill those gaps.”
Kent — who had not worked in the federal government before joining the Trump administration — said there are still about 15,000 unfilled IT and cybersecurity positions around government. It has been a grueling battle for agencies, with the leadership of the Office of Personnel Management, to catalog those positions to get a better idea of exactly what they have and what they need. OPM just recently renewed its efforts on that front, saying it will survey agency hiring leaders and possibly offer new direct-hire authorities for IT and cyber roles.
Gene Dodaro, head of the Government Accountability Office, said it’s OPM’s current classification system that’s the problem.
“That system was created many years ago, it didn’t contemplate cybersecurity, they haven’t adapted over time and so right now the phase one of what the current administration is currently doing is to take stock of what cybersecurity skills exist across the government,” Dodaro said. A recent report from Dodaro’s GAO team found that OPM is struggling to meet its goals in the initiative. “We should’ve known this for years earlier and developed new systems in place,” he said Wednesday.
And he doesn’t think, necessarily, that throwing more direct-hire authorities at agencies will alone fix the issue.
“Congress has been very good here — they’ve given a lot of special authorities to the agencies,” he said. “But we found that they have over a hundred special hiring authorities, but they only use about a dozen or so. And so it’s OPM hasn’t really looked at whether these special hiring authorities are being effective or not. This needs more attention. I’m very glad the president’s reorganization proposal is focused on cybersecurity workforce.”
However, Kent said progress is being made, “clarifying the specific positions, as well as common nomenclature.” She referenced her office’s recent release of the CISO Handbook, which is meant to “ensure that we are holding our cybersecurity teams accountable for the same standards of behavior across all of the agencies.”
“But we still have work to do to fill those positions, and particularly in the entry levels to ensure that potentially we are identifying other skill sets in the federal government that we can move into some of those positions,” she said.
Still, finding and assessing the gaps is only step one in improving the situation, and perhaps a much easier task than figuring out how to compete with the private sector for in-demand cybersecurity talent.
“The primary drivers of the vacancies are that cybersecurity skills are one of the hottest skills in the industry right now and we are competing with the private sector,” Kent said. “As well, these cybersecurity professionals have an expectation of quick mobility, large challenges and some ability to move very quickly in their profession. And some of those things don’t align well” with government bureaucracy. And while the federal government can attract some with its variety of “exciting missions,” she said, “so many times it’s a question of compensation.”