Would Pay Scales Close the Cybersecurity Workforce Gap?
A better understanding of what cybersecurity professionals do, along with implementing a graduated pay scale, could be two big steps in the right direction.
By Aliya Sternstein
Federal agencies have long struggled to fill positions in the ever-growing ranks of the cybersecurity workforce.
But a question going back to at least 2011 remains unanswered: Should the feds create a job category and salary scale for government cybersecurity workers -- or is the profession too mercurial to assign pay grades?
The Government Accountability Office thinks carving out a wage rate would help attract more talent, but the Office of Personnel Management -- the agency responsible for classifying occupations -- has yet to come up with a description.
A new GAO report notes cyber skills are a "gap" area in the federal workforce partly because the pay system, called the General Schedule, "does not have a specific classification standard for the work performed in this occupation."
Still, it's hard to box in this line of work.
In the first years of the 21st century, the cyber labor force largely consisted of system auditors and administrators who monitored compliance with security mandates. Now, fewer inspectors are needed, as machines like sensors and anti-malware scans have taken over the task. The six-figure salaries increasingly go to ethical hackers, who poke around for security holes in software and systems so they can be fixed before the bad guys get in.
Federal auditors, however, maintain a cyber job standard would help plug the cyber skills gap.
A 2011 GAO audit found "implementing improvements to the GS pay and position classification systems may improve the government’s ability to recruit and retain employees, including cybersecurity employees."
Robert Goldenkoff, GAO director for strategic issues, now tells Nextgov, specifically, "what we are looking for are standards that would describe the position’s duties, responsibilities and qualification requirements, among other things, for purposes of setting pay and other functions."
A Pentagon cyber workforce strategy seems to agree, explaining that more uniform criteria could help smooth out a way to rotate scarce talent among the military services, civilian agencies and the private sector.
To "create transition opportunities between and within military and civilian service," the Defense Department aims to "standardize the classification of work roles to facilitate the most appropriate, flexible, responsive and cost-effective allocation of functions among the total force of military (active or reserve), civilians, and contract support," the plan stated.
Last summer, OPM asked agencies to begin supplying information about their cybersecurity workforce to help build a new databank of cyber jobs across government.
But OPM's latest classification standards for occupational groups still largely sidestep cybersecurity.
The agency's July 18 guidelines on tallying roles within categories tell agencies to mix and match cyber-like positions from multiple categories.
"Cybersecurity is an evolving area and positions may be classified in a number of different occupational series based on the nature of the work," the guide stated.
OPM officials were not immediately able to comment for this story.