How the federal government can overcome cyber staffing shortages

From apprenticeship programs to work-from-home flexibility, agencies across the government increasingly have to apply creative approaches to counteract the cybersecurity labor shortage.

While the workforce shortage affects both the private and public sector—federal data indicates there were 69 workers for every 100 job postings between May 2022 and April 2023—there’s evidence agencies are hit particularly hard.

A recent study from Swimlane found that more than one-third of surveyed US government security employees believe their agencies’ security teams will never be fully staffed. That’s partly because agencies are hampered with specific requirements—like the need for security clearances—and fixed budgets while they compete for talent with high-paying companies in the private sector.

“You’ve got a couple of factors pushing against the government from the civilian sector,” Ron Culler, VP of cyber development programs at IT trade association CompTIA, told IT Brew. He highlighted the regimented government pay and promotion schedules as well as a reliance on contractors with security clearances from previous jobs as key barriers.

Agency officials and government labor experts told us they’re eyeing a few out-of-the-box strategies to shift the employment incentives in their favor.

Considering nontraditional candidates. Agencies and their private-sector counterparts are now open to dropping the requirement of a four-year degree from their job postings, according to Culler.

“Some large organizations have finally realized that, you know, that unicorn of a college graduate with three years of experience that’s willing to work for that entry-level support desk position or entry-level cyber position for $50,000 a year just does not exist,” Culler said. “So, by dropping those requirements, they’re increasing the pool dramatically.”

Job pipeline efforts also aim to get new, sometimes overlooked, talent in circulation. For example, the Biden administration is investing in its cybersecurity apprenticeship initiative, which supports the creation and expansion of “earn-while-you-learn” programs in agencies like the Departments of Defense and Veterans Affairs. Similarly, the DOD in July released details on how it plans to implement its cyber workforce strategy for attracting and retaining talent over the next four years.

For recent grads, the US Digital Corps, launched under the umbrella of the General Services Administration, offers a two‑year fellowship “in critical impact areas including cybersecurity, with a competitive salary and benefits,” David Shive, GSA’s chief information officer, told us in an email via press secretary Rachel Davis.

“Through this program, we have been able to attract talented cybersecurity professionals to support mission-critical projects here at GSA and with federal partners across government,” he said.

Shifting the internal culture. Compared to Silicon Valley’s in-house chefs, puppy parties, and onsite swimming pools, government agencies can seem a little musty.

“Agencies, much more than industry, are very traditionally, culturally very risk averse,” John Slye, a government contracting analyst at Deltek, told IT Brew.

But that might be changing in some ways. Paul Blahusch, CISO at the Department of Labor, commented that work-from-home arrangements help make jobs at his agency more appealing.

“We offer a hybrid work environment, which means we can attract skilled security professionals from outside the Washington metropolitan area to the US government,” he wrote in an email to IT Brew via PR rep Ryan Honick. “Additionally, it provides optimal work-life balance, which allows us to retain staff.”

Acting National Cyber Director Kemba Walden told DEF CON 31 attendees in August that past or current cannabis users should still apply for federal cyber jobs, reflecting a shift in how the government views cannabis usage.

Slye noted that the message is broader than just cannabis use: “Don’t self-exclude, whatever it might be.”