How to create the best federal cybersecurity workforce

Cybersecurity is perhaps one of the most important, and fastest growing, job fields in the country.

President Barack Obama has declared it to be “one of the most serious economic and national security challenges we face as a nation.”

But how can the federal government take a leadership role and attract the best and the brightest cyber workers into federal service?

Booz Allen Hamilton and the Partnership for Public Service recently completed a report, Cyber In-Security: Strengthening the Federal Cybersecurity Workforce.

The report found that there is a dire need to attract more highly skilled cyber experts if the federal government wants to successfully protect the country’s networks and infrastructure.


Jeff Akin is a principal at Booz Allen Hamilton and says the initial hurdle has to do with the fact that there are a number of different needs when it comes to cybersecurity. This means that a good, competent cybersecurity worker must often have a wide variety of skills.

“It can get pretty cumbersome. I’ve heard of agencies, as they start to get into their diagnostic and development of some of these skills — I’m hearing numbers of anywhere between 8 skills — and I know when Booz Allen did it, we came up with 23 . . . and within each of those skills, you [have] to talk about [defining] proficiency levels.”

23 skills for one individual is a lot. Akin says Booz Allen Hamilton defines its needs at the organizational level and then maps combinations into individual role expectations.

Still, that’s complicated, and the other problem is that a lot of people aren’t studying cybersecurity yet in college, mainly because ‘cybersecurity’ — as a major and a job description — hasn’t been clearly defined yet.

“I think we need to know what we’re asking for before we can identify what the level . . . is to meet those expectations. Once we can better define that, I think we can look at the pipeline in a different way. Many organizations, private and public sector both, are kind of looking at the up and coming talent. Who are the folks in college, and in high school even, who are demonstrating a proficiency in securing networks and programming. That’s all good, but the problem is, the threat is here and now.”

Booz Allen Hamilton has done a number of studies for different organizations within the federal government, examining their requisitions for cybersecurity workers.

Akin says between 30 and 50 percent of those are for manager-level talent or above, but some don’t know how to reach out and grab the available talent.

“Helping organizations figure out the right marketing vehicles to use, the right professional industry organizations to go to and develop relationships with, that’s an important step in trying to find the right candidates to bring into your organization and stand up that cyber capability.”

Components of almost any organization’s cyber mission aren’t all new at this point. Akin says the integration of these components into an entire organization can be the challenging part.

“The way that we did it at Booz Allen is, we went out and, through a series of focus groups, interviews and online surveys, we touched probably 1,000 people doing cyber-related work across the firm and gathered their input on — ‘What are the requirements that you’re seeing or need to complete your work? Don’t be focused, by the way, on the things that you have in terms of skills you bring to the table, but think about, in an ideal world, what would your team be comprised of?’ From there, we dissected [those answers] and started the iterative process to agree on language . . . that we could use to define not only requirements of work, but requirements of people, and then map those back to requirements of people by level.”

Another problem for federal agencies has to do with the hiring process itself. Though President Obama and the Office of Personnel Management have vowed to change the way the federal government hires, there are still barriers.

“Our message on that topic was — don’t let the process [over] which most agencies have very little control — don’t let that prohibit you from making progress in other areas. You [have to] kind of take the pipeline from candidate application until the generation of assert from which you make hiring decision — you [have] to take that in isolation and say, — how do we increase the effectiveness of the pipeline on the front end to get better quality people coming through . . . in the first place, and then, once they get there, that they’re onboarded and given a career path that’s meaningful to them?”

Agencies should also be looking ahead, he adds. As government organizations start to hire and retain more and more cybersecurity analysts, they will need to make sure that these cyber-managers are highly effective, not just highly skilled.

“One of the things that we look at is, you’ve got to distill cyber skills across, basically, three spectrums. One of them is, anybody who’s on the network; the second one is anyone who’s in the profession — their daily job is doing cyber work and there’s a combination of core skills that all cyber professionals need to have; and the third is, what do the leaders and managers need to have? That’s a combination of some of the core skills, but also some of the managerial skills that maybe get a little more emphasized in the cyber mission context.”

So how can the federal government revise its process to make this happen, or at least make it easier for agencies to be able to look for these traits?

“[OPM] is taking a lot of the right steps. I think some of the hiring authorities that have been granted recently to various agencies, and overall, are definitely [moving] in the right direction. When you can allow agencies to be able to evaluate candidates off of a resume, for example, that’s a good thing. . . . But, I think it’s not just on OPM. It’s also on agencies to make sure that they are doing all of the little things that will help them be successful in their candidates exploration efforts. Some agencies have active outreach programs. . . . They reach out and they tag into candidates regularly. I know OPM just recently released some standards that they’d like to see in terms of that . . . But it’s got to be even more than that. What we’re talking about here is, in some cases, a multi-month process when you factor in clearances and the like. So, you’ve really got to make sure that these folks who are in such high demand know that you’re an important asset to them and that that’s coming through in every touch point that you have with them.”


This story is part of Federal News Radio’s Cybersecurity Update – Tune in weekdays at 30 minutes past the hour for the latest cybersecurity news on The Federal Drive with Tom Temin and Amy Morris (6-10 a.m.) and DorobekInsider with Chris Dorobek (3-5 p.m.).