At TechNet Cyber 2023 in Baltimore, Mark Gorak, principal director for resources and analysis for the Department of Defense's deputy chief information officer, talked about the Pentagon's massive cyber workforce shortage and its goal to implement a cultural shift in hiring for cybersecurity and infosec roles.

WHY IT MATTERS

With more than 30,000 cybersecurity and infosec positions, DoD is changing how it has historically hired for these roles.

"We've been at this about a decade trying to fix this problem, and it's only growing worse," he said. 

The agency is developing an implementation plan for a cyber workforce strategy released last month. That plan has a five-year horizon and is due this summer, Gorak told GovCIO's CyberCast at the Armed Forces Communications & Electronics Association International’s cyber conference on Tuesday. 

While the strategy is based on identifying workforce needs – for both its military and civilian cyber workforces – and recruiting, developing and retaining talent, DoD is looking more practically at what makes a candidate qualified to provide cybersecurity.

"If you can walk in and demonstrate that capability to perform the job, than you’re qualified. That’s where we should be, and that’s going to take some time to get there, but that is where we’re leaning forward," Gorak explained.

DoD will use its existing cyber workforce framework to classify employees by their work roles rather than occupational codes, which Gorak previously called "adaptive, flexible and responsive to the workforce," in its larger effort to apply enterprise-wide talent management to its cyber workforce.

For the implementation, Gorak said the agency will shift away from its focus on the infosec skills acquired prior to hiring, and pivot to evaluating critical candidate capabilities and fostering ongoing technical training on the job, as it does in other specialist fields, such as law and medicine.

"It’s not a new thing, but we’ve never done that in our technical workforce," he said. 

THE LARGER TREND

TechNet Cyber is a flagship event for whole-of-government efforts to advance the capabilities needed to meet global security challenges and successfully operate in a digital environment, and includes all sectors.

Infosec workforce challenges cut across numerous industries. Healthcare systems across the U.S. that are plagued with cyberattacks are challenged to get a reign on the sector's significant attack surfaces, because of the dearth of a cyber workforce.

"The battle for talent in healthcare today is broader than the shortage of physicians and nurses. Health IT teams are facing many of the same workforce challenges as others across the healthcare industry, including a shortage of talent in cybersecurity, digital, cloud and data," Brad Reimer, CIO at Sanford Health, told Healthcare IT News in January.

To deliver on a $350 million virtual care initiative and modern data ecosystem challenges facing the large health system serving the Dakotas, Iowa, Minnesota and Nebraska, Reimer noted the demand for all health IT roles is increasing at a pace faster than the rate of new college graduates entering the workforce, and there's competition for talent "with every other company that has a technology need."

Add to that the national call to improve improved critical infrastructure cybersecurity, and both the government and critical infrastructure sectors are competing for a talent supply that does not yet have enough to go around and must adapt the way they hire and retain talent.

ON THE RECORD

"The training pipeline -- we need to expand that, so we have more," Gorak said at the conference.

With the new implementation plan, "If you have passed a cyber range assessment instrument, you should be qualified for the job."

To keep the cyber workforce up-to-date, "We are looking at annual assessments on that." 

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.