Recruit, Train & Retain our Cyber Warriors to Maintain Dominance and Overmatch

By Colonel Brad Rhodes & Captain (Dr.) Matt Morris

April 27, 2023

Introduction

The cybersecurity industry is continuing to advance at a rapid pace with innovations and a marketplace of new technologies. The industry is experiencing a shift from on-premises to cloud centric organizational workloads, incorporation of machine learning and artificial intelligence, and introduction of new frameworks to support risk management and security control implementation and evaluation. All of these changes require new skillsets and expertise and matching opportunities in the job marketplace. This prompts the question of how do we recruit, train and retain our cyber warriors to maintain dominance and overmatch?

Current Landscape

The attraction, evaluation, and retainment of a cyber workforce in today’s organizational landscape is a requirement to the defense of our critical infrastructure. Although the task is no small order, we have the ability to leverage current processes and resources to ease the task and create efficiency. The current landscape includes the standard of the Department of Defense Manual (DoDM) 8140.03 with resources such as a certification index, role definition with associated qualifications, and a sample work qualification matrix. The updated DoDM takes cues from DoD 8570.01-M which included resources such as a certification table which was the de facto standard for government organizations and DoD contractors when creating labor categories and requirements for positions.

In addition to the DoDM 8140.03 we have regulatory frameworks which have been updated and introduced, namely the tried and true National Institute of Standards and Technology (NIST) Risk Management Framework, and the DoD Cybersecurity Maturity Model Certification (CMMC) 2.0 program which looks to improve the cybersecurity defenses of the Defense Industrial Base. NIST also has introduced the new Artificial Intelligence Risk Management Framework 1.0 which aims to assist organizations to govern, map, measure and manage the use of Artificial Intelligence within their organizations.

From a broader perspective, decisions by the DoD and the rest of the Federal Civilian Executive Branch (FCEB) are shaping the cybersecurity workforce of the future both in government service and in contractor organizations.  The competition for talent is growing and employees are now more willing than ever to leave work situations for the next great “gig”.  With the Federal Government having to directly compete with the commercial sector for a shrinking pool of capable candidates, it fuels the problem that threat actors are looking to exploit.  In short, without defenders, organizations are vulnerable.  Factor in the pandemic and continued workforce desire for hybrid or full-remote opportunities to support work-life balance, employers seeking cybersecurity talent in every industry vertical need to re-orient their perspectives.

Problem

In order to keep up with the pace, organizations have faced multiple problems including properly scoping budget for headcount, defining requirements of the workforce, and identifying an appropriate talent pool. Budgets are approved by the Board and CFO within an organization; however, the cybersecurity leadership must have the proper perspective on the technology roadmap and how to propose a new cybersecurity budget to keep up with the pace. The relationship with human resources within the organization is critical to identify new requirements, define what the ideal candidate would be, and which talent pool to engage to identify new talent. The cybersecurity leadership must lead these efforts with human resources and provide a healthy feedback loop once recruitment operations are underway.  Recruiting efforts should span apprentice to journeyman to master levels (see figure 1), with consideration for specific positions to be coded for training and growth since the “unicorns” everyone wants to hire are not magically endowed with specialized skills.

Figure 1 – Cybersecurity Skills and Levels.

Potential Solutions & Call to Action

Setting up the organization for success in the recruitment, training and retainment of cyber talent can involve multiple solutions, however, one must not only look outward for new talent, but you must also create opportunity within the organization to allow for training and transfer of current employees. A talent pipeline which incorporates external hires as well as internal transfers all require position postings which must incorporate the following components to ensure maximum effectiveness: 

1. A common lexicon includes how you are posting the position and what you are communicating – NIST 800-181, the National Initiative for Cybersecurity Education (NICE) framework combined with DoDM 8140.03 proved a great basis and starting point (see figure 2).  

2. Standardization of requirements for positions and evaluation of candidates is critical to provide a common baseline for selection and hiring processes. Critical Infrastructure Security Agency (CISA) National Initiative for Cybersecurity Careers and Studies (NICCS) has developed a tool which provides KSATs (Knowledge, Skills, Abilities and Tasks) which are mapped to specific job roles/positions, combine this with the DoDM 8140.03 Job Role Matrix to determine how you should scope the job postings (Figure 3). 

3. Additionally, employers looking for personnel across multiple industries to fill cybersecurity roles need to build realistic job requisitions. For example, writing a role for a Certified Information Systems Security Professional (CISSP) with 3-5 years of experience and 20+ years of hands-on with a technology that has only been around for maybe two years is both discouraging and confusing for the applicants who might be perfect for such a role.

Figure 3: Sample DoDM 8140.03 Job Role – Cyber Defense Analyst

4. Collaborating with organizations such as CISA, NIST and the DoD Chief Information Officer (CIO) Cyberspace Workforce Management group to provide feedback on the tools and resources, what has worked and how they can be improved, is critical to the improvement and update to accommodate new technologies.  The recent published DoD Cyber Workforce Strategy includes four goals to help deliver the talent needed (figure 4). 

While goals like these are a good starting place, establishing and ensuring consistency across the military services – including service members, civilians, and contractors – is the challenge that will shape the DoD’s ability to defend against cyber threats across the spectrum for years to come.  The 2020 Cyberspace Solarium Commission’s (https://www.solarium.gov/) report included Strategic Objective #4 “Recruit, Develop, and Retain a Stronger Federal Cyber Workforce”.  Every document discussed previously – NICE, DoDM 8140.03, and the DoD Cyber Workforce Strategy are a part of meeting the Commission’s charge to the government.  Ultimately, recruiting, training, and retaining our cyber warriors must be tied to employers across all sectors starting from a reasonable understanding of education, skills, and on-the-job qualifications needed for each role while allowing apprentices to grow into masters of their craft!

About the Author

Colonel Brad Rhodes is the G6/Chief Information Officer for the 76th Operational Response Command (US Army Reserve) delivering communications for the Nation’s CBRN response mission. In his day-to-day, Brad is a Senior Manager at Accenture Federal Services in Denver, CO.  He holds numerous professional certifications with 25+ years of experience in the military, government, and private sectors. Brad's major research includes utilizing Open-Source capabilities to help organizations close security gaps, characterize their cyber operating environments, and gain visibility to stacks of data. He's been known to drown Lego people illustrating the reality of cyber effects.

About the Author