


Christopher Burgess
Contributing Writer

Latest Cyberspace Solarium Commission 2.0 Report focuses on cyber workforce

Jun 06, 2022 | 5 mins
CSO and CISO, Hiring

The June 2022 report offers recommendations to the private sector, U.S. Congress, and the federal government to build up the nation's cybersecurity talent pool.


The Cyberspace Solarium Commission 2.0 released its most recent report on June 02, 2022. This iteration re-affirmed the continued need for public-private partnership in cybersecurity, including the development of shared resources and increased investment in a cyber workforce. Additionally, the report included a plethora of recommendations for the U.S. national cyber director’s action concerning educating and developing the national cyber workforce, as well as expanding the hiring authorities for cyber positions, and establishing “special pay rates for the most in-demand roles.” The 43-page report included seven fulsome recommendations for the national cyber director, U.S. Congress, and the private sector, which if adopted would serve to enhance the recruitment, retention, and performance of the nation’s cyber workforce in both public and private sectors.

The report’s review of the current state of affairs highlights what every CISO in both government and private entities knows: There is a talent shortage. The lack of talent, however, doesn’t always equate to less being accomplished. One may envision Lucille Ball and the chocolate confection conveyor belt as an accurate analogy, as over time more and more is expected.

The lack of personnel has created and will continue to create a national security concern, “particularly when they occur in critical-infrastructure systems or supply chains upon which that infrastructure exists,” said the report.

For over a decade the forecast of shortages and the impending impact has been the topic of many a story. In its report, the Commission notes that over 600,000 cybersecurity positions across all sectors, including government, remain empty. Not mincing words, the Commission notes, “the cybersecurity community is out of time.”

National cyber director cybersecurity recommendations

  • Establish a process for ongoing cyber workforce data collection and evaluation.
  • Establish leadership and coordination structures.
  • Review and align cyber workforce budgets.
  • Create a cyber workforce development strategy for the federal government.
  • Revamp cyber hiring authorities and pay flexibilities government-wide.

Congressional cybersecurity recommendations

  • Amend the Federal Cybersecurity Workforce Assessment Act of 2015.
  • Increase support for the CyberCorps: Scholarship for Service Program.
  • Provide incentives to develop entry-level employees into mid-career talent.
  • Strive for clarity in roles and responsibilities for cyber workforce development.
  • Exercise oversight of federal cyber workforce development in each department and agency.
  • Establish cyber excepted service authorities government-wide.
  • Expand appropriations for existing efforts in cyber workforce development.

Private sector cybersecurity recommendations

  • Increase investment in the cyber workforce.
  • Develop shared resources.

CISO takeaways from the Solarium Commission report

On manpower shortages, the Commission's observation that counting open billets as the primary means of determining understaffing is a shortcoming is spot-on. CISOs will be well served to take on board the recommendation to include actual need in their measurements. In doing so they will need to identify the optimal number of employees to conduct the tasks at hand. This may create a delta between the actual number of positions and the desired number of positions, thus making underfunding a measurable shortcoming. Whether within the government or private sector, such a discussion might be contentious, as every organization has internal battles for resources.

While my time within government was many moons ago, the feeling was always that within government, largely due to the long administrative tail and complicated procurement paths, the private sector was always a generation or two ahead. There may not be opportunities for CISOs to directly participate in the intra-governmental working groups and committees, yet several national cyber workforce evolution opportunities are available, and CISOs are encouraged to participate.

The report highlights the general lack of diversity within the federal government’s cyber workforce, particularly at the leadership level, characterizing “the average federal worker is more likely to be older, male, and possess a college degree relative to the rest of the U.S. labor force.” This characterization should not be taken as a signal that diversity within the private sector is where it should be, but rather as an observation that the U.S. government is trailing. There is much which can and should be done to keep diversifying the national workforce.

CISOs have enjoyed the existence of the “pay gap” in the race for talent, as only limited parts of the government have the means to create pay flexibility to bring in needed talent. With the recommendation to change the status quo and bring the pay for cyber employees closer to that of the private sector, CISOs may wish to ensure their total compensation packages for their current and future employees are complete. Working for the federal government will be more attractive, as “service to the nation” does fill the narrower pay gap for many individuals. 

The report also calls for congressional action to support the national cyber workforce. While many companies engage lobbyists to bring their corporate messages, wants, and desires to the legislative branch of the U.S. government, direct outreach from practitioners, the CISO and their staff, provides legislators with a ground-truth view as the lawmakers take on various actions designed to enhance, grow, and sustain the national cyber talent pool.


Christopher Burgess is a writer, speaker and commentator on security issues. He is a former senior security advisor to Cisco, and has also been a CEO/COO with various startups in the data and security spaces. He served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Cisco gave him a stetson and a bottle of single-barrel Jack upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit, Senior Online Safety.
