The federal government must craft a comprehensive cyber workforce strategy and offer greater pay and incentives if it wants to recruit and retain the cyber workforce of the future, according to a new report.

But while agencies have known for years about the obstacles in recruitment and retention they have struggled to make real progress implementing a better method, according to Cyber In-Security II: Closing the Federal Talent Gap, by the Partnership for Public Service.

The Partnership for Public Service interviewed 40 past and present federal cybersecurity executives and held a number of focus groups with cyber managers and younger cyber works, according to the report.

The report outlines a number of strategies for agencies, including:

  • Developing a comprehensive cyber strategy that will include all agencies to help recruit, train and retain talented cyber workers.
  • Create a new occupational job series for cybersecurity employees in order to offer better pay.
  • Expand agency direct-hire authority in order to reduce the overall hiring time and bring qualified workers on board quickly.

Ron Sanders, vice president at Booz Allen Hamilton, which sponsored the report, said even as the threats to critical infrastructure and agencies have gotten worse, the tools to hire talented cyber workers have not improved.

"We have handcuffed ourselves because we do not have the same tools that our private-sector competitors have," Sanders said.

Sanders said the administration should also build a federal training center for cyber professionals, much like the Federal Law Enforcement Training Center for law enforcement personnel. He said by setting high standards and offering federal certification in cyber skills, agencies could build a network of skilled employees.

Congress should place the entire cybersecurity workforce into the excepted service, so that agencies have greater flexibility to recruit talented cyber workers, Sanders said.

The government could also offer two-year education programs like the Reserve officer Training Corps to pay for educational expenses in exchange for a time period of dedicated service, Sanders said.

The report also found that the security clearance process took too long, discouraging potential cyber workers. These self-inflicted process delays hurt agency efforts to recruit a top-notch cyber workforce.

John Yelnosky, the technical director at the Associate Directorate for Human resources at the National Security Agency said while they have a reputation that helps attract cyber workers, they still lose employees to the private sector.

He said the agency tracks employees to see their promotion rates and performance evaluations and has discovered that the agency loses top technical people at higher rates because they were offered better pay elsewhere.

To combat that the NSA has offered as much money as it can, especially at lower levels, as well as better training and improved workspaces, but the losses continue, he said.

"We are throwing the kitchen sink at them from our standpoint and they are leaving to double their salary," Yelnosky said. "The competition out there is really fierce."

He said agencies need to engage in a "unity of effort" to help recruit talented workers, share information and coordinate recruitment activities.

Sara Ratcliff, the director of the Human Capital Management Office at the Office of the undersecretary of Defense (Intelligence) at the Defense Department, said good retention requires sustained leadership from within the agency.

She said the intelligence agencies within DoD rotate cyber job assignments to avoid stagnation and keep employees learning new skills and perspectives. While agencies should try and recruit good cyber workers they should also develop the ones they already have.

"We need to deal with our current workforce. What are we doing to help work on their skills, and divest obsolete skills," Ratcliff said.

She said ultimately every employee at an agency should have some level of cyber training, in order to avoid security breaches stemming from employees accidentally downloading malware or clicking on infected links.

"It's the productivity loss that we suffer when those things happen. And that's just as damaging as that advanced persistent threat in our networks that we are trying to thwart," Ratcliff said.