The Department of Homeland Security hired only about 200 cybersecurity employees last year and plans to hire another 100 or so this year. (Department of Homeland Security)
The Homeland Security Department needs hundreds of information technology workers — especially in the cybersecurity arena — but it faces considerable obstacles in doing so.
Among them: Lengthy security clearance reviews, flat budgets under the extended continuing resolution, the need for a strong business case, noncompetitive pay scales for IT talent, and an archaic job classification system that hinders effective human resources strategic planning.
As a result, near-term IT hiring goals are modest at DHS.
Even though the department successfully sought approval from the Office of Personnel Management and the Office of Management and Budget to hire up to 1,000 cyber employees over three years, it hired only about 200 cybersecurity employees last year and plans to hire another 100 or so this year.
The new hires will be spread across the department: the Secret Service, Customs and Border Protection, Immigration and Customs Enforcement, the Science and Technology Directorate and the Office of the Chief Information Officer, among other bureaus. They will fill critical cybersecurity roles in areas such as risk and strategic analysis, incident response, and network and systems engineering.
DHS chief human capital officer Jeff Neal said projecting future hiring numbers can be difficult because of budget uncertainties.
"Budgets are in flux right now," Neal said, noting federal agencies are operating at 2010 spending levels under a continuing resolution.
There will be trade-offs of existing dollars, said Hord Tipton, executive director for (ISC)2, an information security certification organization.
Chief information officers and security people will have to make good business cases for how they are going to protect the enterprise, how the hiring will affect the bottom line and if they will save money.
Those concerns haven't stopped efforts at Customs and Border Protection to reshape its information technology work force. Since March, the agency has selected 780 IT workers and 500 have begun working, said Ken Ritchhart, deputy assistant commissioner in CBP's Office of Information Technology.
In total, about 90 workers will be dedicated to the agency's Security Operations Center once CBP hires about 1,000 federal workers. Many of the positions require some knowledge of information security.
At least 80 percent of the 780 hires came through insourcing, said Ritchhart, who also serves as deputy chief information officer.
Those workers are starting at grades 13, 14 and 15 on the General Schedule. The goal now is to hire more entry and midlevel workers to balance a mostly senior staff.
Cyber professionals make up a small community, and it's expected that competition for these workers will involve converting contractors into federal employees, said John Lainhart, who leads the cybersecurity and privacy service area for the firm IMB.
"We're robbing Peter to pay Paul," Lainhart said. "They're just going to put a new badge on people."
Ritchhart said hiring a federal worker instead of a contractor on average saves about $40,000 per year. He said this includes benefits, leave, subsidies and other costs.
His concern is getting positions filled quickly because "when the economy improves, folks won't spend six months waiting for a government job."
The clearance process for hiring cyber workers is the hardest part, he said. Some people have been cleared in three months, but that's not the norm.
"We've got to recognize the fact that cybersecurity really has to go beyond the norm," Lainhart said.
For years, the argument has been that government needs to increase the pay for cyber workers to compete with industry. That's not the only challenge.
Top government officials agree that far more cybersecurity professionals are needed to defend the nation's networks. But defining exactly what those roles are and what skills are needed is the challenging part.
"That's really the issue," said Nancy Kichak, associate director of strategic human resource policy at the Office of Personnel Management at the Executive Leadership Conference last fall. "Despite the fact that we all use the terminology cybersecurity, just what does it mean? And how do you definite it, and how do you identify these special skills that the cyber work force has?" Kichak said the government is still determining whether it can hire cyber professionals under the current pay structure and what job positions comprise the cybersecurity work force.
OPM hopes a cybersecurity survey, which wrapped up in October, will help answer those questions. The survey, which has not been released, looked at critical tasks and competencies for cybersecurity workers.
The agency also led focus groups for human resource managers.
Lainhart said it's likely that OPM will create a new series or a more defined role for cybersecurity workers because enough people have been talking about it.
And the need is there.
"It has gotten to the point where you can't really do our job without information security," Ritchhart said.