White House releases Federal Cybersecurity Workforce Strategy

zxbane Member Posts: 740
Interesting read for those currently in Federal service or considering it in the future.

Comments

  • widget101 Member Posts: 29
  • coffeeluvr Member Posts: 734
    Thanks!
    "Something feels funny, I must be thinking too hard. - Pooh"
  • Pmorgan2 Member Posts: 116
    Didn't see much in the way of specifics. It'll be interesting to see what comes out of this.
    2021 Goals: WGU BSCSIA, CEH, CHFI | 2022 Goals: WGU MSCSIA, AWS SAA, AWS Security Specialist
  • kiki162 Member Posts: 635
    OMG...My eyes just glazed over looking at this. I would love to have an in-depth conversation about this whole subject. When I went to a SANS conference early this year, they were talking about this subject and what gov't agencies need to do to hire/retain top talent.

    If you look at #11 and #12 on the Scholarship page, most of the jobs are in DC AND IF you get hired, you'll start at a GS-7 (BS) or GS-9 (MS). So starting salary in the DC area for 2016:

    GS-7 = $43K
    GS-9 = $53K

    Now all of us know that isn't much for the DC area. For those of you that have or are currently working for the gov't in the Competitive Service (GS positions), you know about the military preference rules, PPP lists, and so on. If they are so into hiring top talent, let's start changing some of the current hiring laws in place and add a preference for cyber security folks. I've come across MANY people that have worked for the gov't and left for better paying jobs and included training benefits as well. Also they got tired of the lack of mgmt support and not taking IT security seriously, and the lack of motivation from co-workers wanting to do their job.

    The other thing that really bothers me is the lack of mandatory security policies in place. Each gov't agency seems to have a separate framework or set of policies in place. Military installations for the most part certainly have a good framework going, however each branch seems to have slight variations. However, it's the lack of set policies across the board that should come from the top down that bothers me. Several years ago, I left one job where it had strict policies in place that I was comfortable with, and was shocked when I moved into a new position. Pretty much everything you could think of that shouldn't be enabled or allowed was, and had no support from mgmt. Personally, I'd love to go back to a gov't gig as I have several years of time in, however things need to seriously change.

    I feel like the infosec arena is a competitive field by nature. In order to survive in this field, you have to keep your skill set updated. If you truly love what you do and are working in an environment where things aren't taken seriously, what's the point in sticking around? Working alongside ppl that care about what they are doing and feel like they are learning something valuable makes all the difference in the world.
  • the_Grinch Member Posts: 4,165
    I have to laugh because the whole idea of these reports is to roll out larger contracts. The federal government is not going to make the necessary changes in order to actually hire people in a full government spot. Much easier to post a contract (I mean they spent all that money on lobbying) and then hire a somewhat technical government employee to babysit (at a low salary). I once interviewed for and got an offer for a federal job, but was surprised by the lack of technical questions in the interview. The manager very bluntly (thankfully) told me that the contractors would do the work and I would only be there to be sure what they did/said made sense in the context of the technology.

    Cybersecurity is a lot like the war on drugs, we want to pour billions into it and hype up how important it is, but when push comes to shove it's about money and contractors. I see it in my position with the State as we are one of the few "labs" left out there. Everywhere else everything we do would be contracted out and that means let's just "check the box" and get an approval. There isn't a sense of pride or an invested interest in making sure things are done properly/working properly.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • Cyberscum Member Posts: 795
    Retain and hire top talent at what, the GS7 level? Even top level GS13/14 jobs are not competitive with what the civil side offers. Calculate the crappy retirement when they switched to FERS and you have a HUGE business that does not care about technology, does not care about upward mobility, does not care about its employees and is saturated with GS14/15/SES that are collecting their second retirements and could give a crap less about the new technology or security feature you have an idea for.
  • FillAwful Member Posts: 119
    Cyberscum wrote:
    Retain and hire top talent at what, the GS7 level? Even top level GS13/14 jobs are not competitive with what the civil side offers. Calculate the crappy retirement when they switched to FERS and you have a HUGE business that does not care about technology, does not care about upward mobility, does not care about its employees and is saturated with GS14/15/SES that are collecting their second retirements and could give a crap less about the new technology or security feature you have an idea for.

    I was hired in at GS-11 with a Bachelor's. I consider myself fortunate. I also agree with this sentiment. However, the reason I am here and will be here for at least the next 5-8 years is twofold. One, the amount of money they have and are going to spend on training for me is outstanding. This includes SANS training in August and pretty much any other Cert I want. Second, the experience here, of being the only SOC/CNDSP for a huge enterprise that spans the globe will prove very valuable to me in the future when I go to the private sector. Currently I am in Tier 2 Network Forensics and being exposed to SPLUNK and other valuable tools. I can also move laterally to malware analysis and other fun stuff so the opportunities to learn are really great for being this early in my career.
  • Cyberscum Member Posts: 795
    @Fill,
    Wait until you hit the GS13 level, I am sure your perspective will change drastically.
  • kiki162 Member Posts: 635
    Grinch - Yeah they love throwing $ at contracts so they don't have to pay for retirements down the road. I had a job offer at the top end of the GS-12 pay scale, and was going to scan the network for vulnerabilities and monitor their in-house web proxy for sites to block. Glad I didn't take that, because there was no room for lateral movement as the position was capped.

    Cyber - Don't you love those little bumps in your salary every year? Woohoo!

    Fill - I like the "when I go to the private sector" comment. It's good you have the $ to do the training, question is do other employees around you actually do the training and get the certs? Your type of job is RARE, and eventually you will come to a point where your skills and salary just don't match up anymore. My advice, don't spend too long in your current job.
  • FillAwful Member Posts: 119
    Scum - Yeah, that's the disgruntled sentiment around here from the 13s.

    Kiki - And that is exactly my plan. Benefit from the large CNDSP Enterprise environment and training and take my skills to the private sector in 5-8.

    It seems to be about half and half around here. Some people just **** the exams and check a requirement 8570 box. Others really take advantage of it but then, like the topic of this thread, they don't stay long. The real shame is when you see the exceptionally brilliant people around here being squashed by bureaucracy.

    I think one of the few things that keeps people here is the choice to defend people's lives (i.e. soldiers) or defend people's livelihoods (money.)
  • the_Grinch Member Posts: 4,165
    I think the military illustrates the problem very well. My buddy is in the Navy Reserve and has worked in government agencies which utilized military personnel. Most were button pushers, they could execute a program that was designed for them, but the how or why was beyond them. I've spoken with a lot of government people or contractors who either had the clearance or the certs (probably both), but when push came to shove they weren't going to be a ton of help to you.

    I was at a training about a year ago and was talking to some people who were taking a CISSP course. The one gentleman was very young (probably 20 if he was lucky) and was there for the Army. As we talked I realized he was working in one of the new Cyber MOS's and I asked how he chose it. He went on to say that he scored high on the ASVAB and wanted to be special forces so was going to enlist as an 18x (allows an entry level person to start in the Army Special Forces pipeline, but if you fail you become an infantryman). His parents freaked out and would not allow him to do it so the recruiter says, "well I have this new cyber job that they need bodies for and it's like the special forces of cyber" so he took it. Now he hates every minute of it and doesn't even like computers, yet he has to attend all this training and is ultimately doing a job he has little to no interest in.

    Those of us in security know that it is a commitment. You have what you do day in and day out, but on the flip side you have a ton of outside work things you need to do. If you aren't spending two to three hours a night just looking at the latest trends or at news stories related to new attacks you won't be effective. I quite literally get in trouble for taking time off; also, my boss and I can't be out at the same time.
  • zxbane Member Posts: 740
    Very interesting perspectives in this thread. I am prior service military and then worked briefly as a contractor and now a civil service employee. I am currently in a GS13 equivalent position but I work for a command where a 13 is not necessarily a supervisory role so I am regularly still involved with technical aspects of the projects in addition to working as a PM on some projects as well.

    I am still relatively young, 30 years old and I know I have quite a few years of service ahead of me. Currently I'm in a position where I get to go to 1-2 SANS courses a year and I also get 10K TA a year. My current plan is to complete DSU's MSIA program in 18 months and then begin a DSc Cyber program. At that point I will be 35 +/- and I'll make my decisions from there.

    If I'm able to still enjoy the work I do and feel like it makes a difference and I am able to make it to the 14 and/or 15 level while also eventually potentially teaching part time I will be earning a salary I would be more than comfortable living on.

    I can't say I share the resentment I see in the posts above but I certainly can agree that there is a lot of dead-weight and people who aren't energetic about the work as well. With that said, in the organization I'm in, those individuals don't seem to make it very far either though.
  • the_Grinch Member Posts: 4,165
    Don't take my comments as resentment towards government employees. Every company has dead weight and in my experience the private sector is no better than the public sector. My annoyance comes from articles such as this where the government claims it can't find people to do the job. What they can't find is people with the advanced skill set that they want. I know many hungry professionals and new grads who, if given the ability, could most definitely fill these "unfillable" roles. They have two options: raise the pay and hope the professionals come or take the new grads/professionals without the security experience and build them up. You'll definitely have some melt, no question about that, but right now their only option is to hope that someone with the skills they want is feeling really patriotic.
  • TranceSoulBrother Member Posts: 215
    The new SECDEF and other high profile government types seem to be concerned about the pay vs experience level in their discussion and reported decisions about enhanced hiring for cyber and other.
    The thing is that I see a lot of reliance on contractors (with a fluctuating pay scale depending on the bidding company) which clashes with a rigid pay scale for military and government personnel. You have a lieutenant or captain that would work in the same office or supervises a contractor who might be paid double at times. Yes, the contractor might be hired for his expertise and certifications but we could always offload some of that money in better salaries and training classes for the gobermint types.
    I personally know officers at Fort Gordon who are part of these cyber protection brigades, and rack up experience and/or training with much of the ISC2/GIAC/ISACA that they can stomach. When you couple that with the current downsizing efforts in the military, you have guys rolling out of the door into the arms of waiting companies. One acquaintance has the usual certs (CISSP, 3 GIAC and the COMPTIA), ABD on his PhD but non-select for promotion. He is not concerned about that as he can manage his career on the contractor side.
  • mindcrank Member Posts: 33
    I wonder if they are going to start getting competitive with their GS rates to compete with Security Contracting companies? That's the only way you are going to pull in decent talent.
    Certifications: A+, Sec+, CCENT, CCNA, CCNA Security, VCP6-DCV, CISSP, C|EH, CPT, Project+, Linux+, GPEN, OSCP, GXPN, GCIH, CISSP-ISSEP, OSCE
    WGU, BS-IT, Security: Complete! November 2016