US DHS Launches New System for Hiring, Retaining Cyber Talent
DHS Secretary Mayorkas Announces Program Focusing on Competencies, Pay Flexibility
The U.S. Department of Homeland Security on Monday launched a new personnel system that it says will enable the department to "more effectively recruit, develop, and retain cybersecurity professionals." Those recruited through the system will join the ranks of the DHS Cybersecurity Service, a federal team of cyber experts working to protect U.S. critical infrastructure, department officials said.
The Cybersecurity Talent Management System, or CTMS, will focus on filling mission-critical cybersecurity positions by screening applicants based on competencies, offering competitive compensation, and reducing a lengthy onboarding process, DHS officials said.
"The DHS Cybersecurity Talent Management System fundamentally reimagines how the department hires, develops, and retains top-tier and diverse cybersecurity talent," DHS Secretary Alejandro Mayorkas said Monday. "As our nation continues to face an evolving threat landscape, we cannot rely only on traditional hiring tools to fill mission-critical vacancies.
"This new system will enable our department to better compete for cybersecurity professionals and remain agile enough to meet the demands of our critical cybersecurity mission."
A senior DHS official told reporters on Monday that the department has around 1,500 cybersecurity-related vacancies, and nearly two-thirds of them are CTMS-eligible, according to The Hill.
"This new program from DHS is an encouraging indicator that the U.S. government understands the biggest hurdle in cybersecurity, which is identifying talent while building and maintaining a robust cyber workforce," says Frank Downs, a former offensive analyst for the National Security Agency.
DHS officials say the new program will first focus on "filling high-priority jobs" at its Cybersecurity and Infrastructure Security Agency, or CISA, and the DHS Office of the CIO. Then, in 2022, it will expand to addressing jobs "across several DHS agencies with a cybersecurity mission," the officials added.
The new program provides more flexibility to DHS in the hiring process - moving beyond its traditional General Schedule classification method, which is a government-regulated pay scale for federal employees.
Experts at the firm Duo Security say in a blog post that the hallmarks of CTMS include a new compensation system that ranges from $56,950 to $84,755 for entry-level security professionals and goes as high as $240,800 for executive-level positions.
Downs, who is currently the director of proactive services for the security firm BlueVoyant, says, "Yearly studies on the state of cybersecurity, from organizations such as ISACA, state that identifying, attracting, and maintaining cyber talent is the biggest security struggle for most organizations worldwide.
"Creating this program shows that DHS is aware of this need and is trying to address it. If it is enacted properly, it could become one of the most valuable tools in strengthening our national cybersecurity posture."
Another expert says the program highlights the U.S. government's long-standing commitment to growing the cyber workforce.
"It's important to keep in mind that the CTMS has been in development for over seven years before launching this week. So the real place it fits relative to the government's wider approach to security is that it demonstrates [its] commitment to security for the last decade," says Simone Petrella, a former targeting analyst for the U.S. Department of Defense who is currently CEO of the cyber workforce development company CyberVista. "It's just taking a long time to get there piece by piece."
Hiring Success in 2021
The new program builds off of Mayorkas' July announcement noting that the department had brought on nearly 300 cybersecurity professionals - with another 500 job offers pending. Officials said at the time that the efforts exceeded departmental goals by 50% - and came as part of a "60-day sprint" to diversify the department's workforce.
Mayorkas said at the time: "DHS is dedicating significant energy toward exceeding our cybersecurity hiring goal by recruiting talented experts, investing in diverse talent pipelines, and ensuring equitable access to professional development opportunities at every level."
Announcing the 60-day hiring initiative in May, DHS officials said the effort was "grounded in diversity, equity and inclusion best practices" - with targeted outreach to underserved communities and communities of color.
On the Heels of Major Attacks
The hiring efforts, of course, come during a year in which the U.S. has seen a meteoric surge in cyberattacks - particularly high-profile ransomware attacks that have crippled corporate networks, including Colonial Pipeline Co., JBS, and Kaseya. It also comes as federal agencies move to modernize their systems following the monthslong SolarWinds campaign first detected in late 2020.
In the SolarWinds attack, threat actors allegedly backed by the Russian government pushed out a malicious software update and breached some 100 organizations globally, along with nine U.S. federal agencies - including the Treasury, Commerce, State, Energy, and Homeland Security departments.
New CISA Advisory Committee
In another development related to cyber talent, CISA Director Jen Easterly last week indicated that the agency will lean on members of the hacking community to form a new, 35-member advisory committee at DHS.
Enabled by the National Defense Authorization Act of 2021, the committee was added to the Federal Register on Friday in a document that reads, in part, "The primary purpose of the CISA Cybersecurity Advisory Committee will be to develop, at the request of the CISA director, recommendations on matters related to the development, refinement, and implementation of policies, programs, planning, and training pertaining to the cybersecurity mission of the agency.
"The CISA Cybersecurity Advisory Committee will operate in an advisory capacity only and is in the public interest."
Speaking at a Wired event last week, Easterly said she is reshaping the agency's efforts on outreach to gray hats who may be willing to share new vulnerability information with the federal government.
Easterly said she hoped to "ignite the power of hackers and researchers and academics" and "tap into the brilliance and the goodness of that community to help us identify and to close vulnerabilities."