On Monday, November 15th, the United States Department of Homeland Security announced a new personnel system titled “Cybersecurity Talent Management System (CTMS)”. This program comes along right as an industry-wide labor shortage is being exacerbated by an economy-wide shortage. DHS claims that this program will streamline their hiring, training, and efforts to retain cyber security professionals.
Typically, the Federal hiring process is cumbersome and lengthy. DHS proclaims that their new system “fundamentally re-imagines” these old, out-of-date practices, making for a system that is more flexible and able to adapt to the ever-changing threatscape. According to the news release, the CTMS program builds on previous efforts to fill the demands of their “critical cybersecurity mission”. Earlier in the year, DHS reported their “most successful cybersecurity hiring initiative” in the organization’s history. DHS claims they added 300 jobs and 500 tentative offers, overshooting their goal by 50 percent.
Program Overview
Looking through DHS’s Cybersecurity Service Page, we glean all kinds of details about the new program. If you like infographics, DHS has an overview of the program in a downloadable PDF file here. Screenshots have been provided below in case you don’t want/need another download. In the screenshots we can see that page 1 deals with providing additional information and program application. Page 2 seems to be an overview of the hiring process.
According to the provided PDF, it appears that DHS has compressed their application process into 4 steps. Step 1 is essentially what we are doing in this article: visiting the application portal and learning about the program. The rest of the application process is covered, giving you information on selecting the proper Career Track and Specialization. This appears to be a way to more accurately hire individuals of varying professional experience and expertise areas. As for the hiring process that is covered, it appears to be very standard, at least compared to how you would be hired at a private company.


Specialization and Career Tracks
When we click on the hyperlink to the program’s application portal, we can see that we are taken to a subdomain of USA Jobs. This page has standard background information and also notes that they are specifically hiring for talent at the Cybersecurity and Infrastructure Security Agency (CISA) and the DHS Office of the Chief Information Officer (OCIO).
Home Page for USA Jobs CTMS Program
One thing we see mentioned on the program overview is that there are various cyber specializations being offered. We can see all the available specializations at the Jobs page in the Application Portal. We can see that DHS is pulling in all types of different cyber roles and, in my opinion, making very helpful/clear distinctions. Some of the different roles that are available include:
- Cybersecurity Architecture
- Cybersecurity Defensive Operations
- Cybersecurity Policy
- Cybersecurity Research and Development
- Digital Forensics
- Mitigation and Response
- Physical and Embedded, and Control Systems Security
- And MANY more
Please see my carousel below for screenshots I captured. These are but a few of the choices offered. They provide a description of the specialization and the technical competencies required. As a note, if this is your eventual career goal, you can use this information for career planning. Say you want to be a Threat Analyst: you can begin to focus your school work or career moves towards the required competencies. These shifts could take the form of extracurricular activities, like, say, starting a blog focusing on cyber threat news or partaking in either school-funded or individual Capture the Flag tournaments. They can also take the form of taking on additional responsibilities at your current job. By the way, this method also works with standard job postings. You can find job postings that sound interesting to you and capture the requirements they list for the position. You can use that to align your career and education goals!






Cyber Security Career Tracks
It is important to note that there are specific requirements for anyone who wishes to apply. Some of these items may deter talent from applying, either because of directly not meeting the requirements or because of the stigma associated with Federal Service. These requirements include:
- A U.S. Citizen or national
- 18 years of age
- Registered for the Selective Service (if you are a male)
- Able to undergo and successfully complete a background investigation
- Able to submit to a drug test and receive a negative result
- Able to comply with ethics and standards of conduct requirements, including completing any applicable financial disclosure
- Able to comply with COVID-19 vaccination requirements
If you can meet these requirements, you can then apply to different program tracks. These tracks range from experience-specific to career-goal-specific categories. There is an Entry Track that only requires 0 to 2 years of work experience and will take college students and recent graduates. Another experience-specific track, titled the Developmental Track, is for professionals with 3+ years. Some of the goal-specific categories are items like a Technical Track versus a Leadership Track. These specifications and broad experience levels allow for a diverse and well-balanced work force to quickly be stood up and constantly replenished.





An Industry Wide Issue
It is important to note that it is not just the Federal Government that is having hiring and retention issues in the cyber security industry. According to Cyberseek.org, the ratio between jobs available and professionals to fill them is sitting at 68%. This means that even if all the cyber security jobs were filled today, there would still be a job surplus of 32%! This job-to-labor surplus presents a problem for employers in both the private and government sectors. It demonstrates the need not only to create MORE prospective employees but also the requirement for companies to create separate, aggressive recruiting campaigns. In order to properly tackle this supply problem, both items will need to be addressed.
When it comes to developing specific recruiting programs, we can look to DHS’s CTMS program as a model for others. Their program is definitely a step in the right direction to address the serious lack of cyber security professionals in our nation. Yet what are some steps the industry could take to increase the pool of potential employees? Looking through hundreds of cyber security job postings (on Indeed) over the last month or so, I have noticed a few similarities that could potentially limit the pool of prospective employees:
- Degree Requirements – Many postings that were reviewed stated that a Bachelor’s Degree was not only wanted but REQUIRED. Some postings stated that experience could be substituted for education, especially when an associate’s degree was possessed. Yet it still appeared that an overwhelming number had a degree as a requirement. The IT industry stands apart from others with professional organizations hosting certifications. Many professionals recognize these as much more useful and specific to the real world. One must ask the question: should we really focus on a Bachelor’s when a certification is so much more useful?
- Excessive Certification Demands – On the topic of certifications, another item that was noticed was the excessive demand for certifications for the level of job that was being hired for. By this I mean a job that requires 3 to 4 years of experience (almost entry level) with a CISSP certification being required. Most of these positions also required a Bachelor’s Degree as well. This highlights the need for cyber security professionals to work with their local HR teams to ensure they are writing up realistic requirements for positions in their departments.
- Excessive Experience Listings – At the time of this writing, if you search “Cyber Security” in “United States” in Indeed you will get back nearly 42k open job hits. If you attempt to narrow this down and type “Cyber Security Entry Level” in “United States”, only 334 job hits are returned. Looking through these supposed Entry Level positions, not only are degrees required but so is experience. In some cases certifications are required on top of all of this. If we are attempting to fill the gap, we need to get more realistic on required experience levels. Most jobs that are out there are for mid to senior level professionals. As we covered earlier in this post, we don’t even have the proper amount of these professionals to fill all these available roles. Since we need to expand the prospective employee base, perhaps a focus on On-the-Job Training programs could assist with recruiting and eventual retention into these roles.
- Vaccine Requirements (Contractor/Government Jobs Only) – This blog is not a political blog, so apologies if this will offend anyone here. Yet the fact remains there is still vaccine hesitancy among the population. Not to mention the moral implications of having your employer REQUIRE a medical procedure. I have only seen this on Contractor and Government job postings, but that doesn’t mean we won’t see this on postings for private companies in the future. Even with the suspension of OSHA’s mandate, this fight will probably not end here. Regardless of how you feel on the matter, the fact remains: a vax mandate excludes a certain base of prospective employees in an already constricted labor market that was already experiencing manning issues.
Regardless of whether you agree with the observations made in this blog, we can all agree that something needs to change. The lack of cyber security professionals not only hurts a company’s bottom line but affects our nation’s general security posture. For an example, you just need to look back a few months ago to the Colonial Pipeline Attack. Not only was the company affected, but all of our gas prices! As a nation, this cyber security professional shortage is an issue for everyone!