DHS makes cyber hiring more flexible, less certification-based

Dive Brief:

The Department of Homeland Security is modernizing how it hires cybersecurity practitioners by using the new Cybersecurity Talent Management System (CTMS), effective Monday. Elements of the CTMS move away from traditional hiring practices of other federal agencies, the rule said.
DHS has the freedom to determine how it wants to categorize cybersecurity work and ways to define roles.In doing so, the agency has the ability to adjust positions through new compensation structures, part of a congressional mandate to allow DHS to better compete for cyber talent.
DHS has the authority to create new talent management exempt from existing government federal civilian talent management rules. The secretary can hire individuals without regard to other laws related to the appointment, number, classification or compensation of employees.

Dive Insight:

The federal government is competing with the private sector for security talent, an uphill battle when the private sector can offer higher compensation.

The government employs 10% of the total cybersecurity workforce, which is equal to financial services. IT services is the top cybersecurity employer, representing 24% of the cyber workforce, the (ISC)² Cybersecurity Workforce Study found. The survey is based on responses from 4,753 global cybersecurity employees, conducted between May and June 2021.

DHS is open to entry-level positions, and is primarily focusing on openings within the Cybersecurity and Infrastructure Security Agency (CISA) and the department's Office of the Chief Information Officer.

CISA is working to fill vacancies within the agency, and CISA Director Jen Easterly is working on analysis of where hiring can be accelerated. "Having just come from four and a half years in the private sector, I think it takes way too long to be able to bring people into the federal government," she said during a House Homeland Security Committee earlier this month.

"I want to make CISA the place where the nation's best cyber defenders and security professionals want to work," she said. "CTMS will help CISA cut time to hire, reduce bias and ensure that we're assessing the right skills while enhancing workforce diversity."

CTMS is meant to give CISA the ability to hire based on "aptitude and attitude," not degrees or certifications, Easterly said, while still compensating closer to market.

Before taxes, the average salary in cybersecurity in North America is $119,898, (ISC)² found.

If a candidate is certified, the average global salary is $91,727, whereas uncertified candidates are paid about $58,775, (ISC)² found. One certificate can earn a candidate about $33,000 more in annual pay in the U.S. compared to individuals with no certifications.

The CTMS personnel system was established from a $49 million investment between FY2016 and FY2020. DHS is requesting another $16 million for FY2022 to launch and administer CTMS.

DHS analyzed the more than 20 steps it takes candidates to go through the hiring process, "which is way too onerous," to develop CTMS, according to Easterly. In doing so, DHS reduced the number of days it takes to hire someone by 13% — though it still takes more than 200 days.

"In the private sector, I could bring somebody in in like 60 days, and so we need to fix all of that," Easterly said. In 2021, DHS hired 500 individuals, compared to 200 last year. Easterly might seek support from Congress if the hiring process remains slower than it should be.