How do you keep your security workforce?

GAO evaluates federal cyber workforce incentives

Recruiting and retaining important IT staff -- particularly in the burgeoning security arena -- is a challenge for every organization and one that is only going to get tougher.

The federal Government Accountability Office this week took a look at the IT security recruiting and retention practices of eight federal agencies with the highest IT budgets, including the largest at the Department of Defense, to get a sense of what works in the face of mounting security attacks.  The GAO reported recently that in the past 5 years, the number of incidents reported by federal agencies to US-CERT (United States Computer Emergency Readiness Team) has increased from 5,503 incidents in fiscal year 2006 to 41,776 incidents in fiscal year 2010 -- including a more than tripling of the volume of malicious software since 2009.

From the GAO: "Agencies reported challenges in filling highly technical positions, challenges due to the length and complexity of the federal hiring process, and discrepancies in compensation across agencies. Although most agencies used some form of incentives to support their cybersecurity workforce, none of the eight agencies had metrics to measure the effectiveness of these incentives."

Some of the key findings from the GAO report were:

  • The DoD offered the broadest range of incentives to recruit and retain cybersecurity professionals. For example, it offered scholarship programs, student employment programs, and recruitment incentives that can be offered to cybersecurity professionals or individuals who are studying to become cybersecurity professionals. In addition, DOD is seeking new authorities and incentives in order to improve its ability to recruit cybersecurity talent. These authorities range from expanded scholarships to retention incentives that are dependent on cybersecurity certifications.
  • Other agencies made targeted use of existing incentives in order to attract individuals with the skills that they needed. For example, the Department of Homeland Security reported using incentives including recruitment and relocation incentives, superior qualifications and special needs pay setting authority, and annual leave enhancements, and plans to offer student loan repayments when negotiating with potential employees.
  • The Department of Justice reported using incentives including recruiting, relocation, and retention incentives; superior qualifications and special needs pay setting authority; student employment programs; student loan repayments; and annual leave enhancements.
  • The Treasury Department is permitted to use incentives, but has generally not found it necessary to employ them or does not have sufficient funds to use them. The Internal Revenue Service uses retention incentives and superior qualifications and special needs pay setting authority in lieu of other recruitment incentives.
  • Several other agencies reported not using incentives, or using them sparingly. For example, officials from the FBI and the National Security Agency (NSA) told the GAO that the unique missions of the organizations serve as a strong incentive for potential employees and compensate for lower salaries. Officials at the VA said they were developing an incentive program.

The GAO added that government-wide evaluation of incentive effectiveness is limited. During calendar years 2005 through 2009, Congress required the federal Office of Personnel Management to produce annual reports on the use of recruitment, relocation, and retention incentives. However, since cybersecurity responsibilities do not necessarily correspond to the way the government defines jobs, it's hard to track. In August 2011, OPM reported that in calendar year 2009, federal agencies paid approximately $14.2 million in recruitment, relocation, and retention incentives to 1,269 IT workers in what's known as the 2210 occupation series, or IT Management, under which many, but not all, cybersecurity employees are classified. Still, in this report, OPM stated these incentives are important tools to help agencies attract and retain employees, the GAO said.

The report went on to note that in the federal realm there are a number of programs designed to enhance the cybersecurity workforce.  They include:

  • The National Initiative for Cybersecurity Education (NICE) is an interagency effort coordinated by NIST to improve the nation's cybersecurity education, including efforts directed at the federal workforce.
  • The CIO Council, NIST, OPM, and DHS all have separate efforts to develop a framework and models outlining cybersecurity roles, responsibilities, skills, and competencies.
  • The Information Systems Security Line of Business is a government-wide initiative to create security training shared service centers. The effort is led by DHS and administered by DOD, the National Aeronautics and Space Administration (NASA), Department of State, and Veterans Administration.
  • The IT Workforce Capability Assessment, administered by the CIO Council, is an effort to gather data on government-wide IT training needs, including cybersecurity.
  • DHS and NSF's Scholarship for Service program provides funding for undergraduate and graduate cybersecurity education in exchange for a commitment by recipients to work for the federal government.

Follow Michael Cooney on Twitter: nwwlayer8  and on Facebook

Copyright © 2011 IDG Communications, Inc.