I read a story today about how HR at US Cyber Command is having trouble attracting and retaining candidates. The story notes that HR can use some incentives to offer additional pay to recruit members. But I think the story falls short of addressing the real problem.
I know what I'm talking about here. I used to work for a group within US Cyber Command and I can testify that pay wasn't the only issue there (by far). Sure, it's a component of what keeps people happy but it's not the only thing. Since the article focuses on pay, let's examine that for a moment.
A GS-12 step 1 in the DC area makes $77,490. A GS-12 is something I've had to fight to get qualified candidates hired in at. Which is ridiculous. Freaking ridiculous. What do I mean by qualified? At least a 4-year degree, preferably a master's degree in a technical topic. HR was usually more accommodating for getting people in at GS-12 if they had at least one certification. Note, these are people I was hiring that had 3-5 years or more in information technology and/or information security. New college graduates were almost always given GS-9 or in very rare cases GS-11 assignments.
So what about pay incentives? Under the current law, the maximum incentive pay for an individual is 25% of base pay. For a particular group of highly specialized people you can offer 10% bonuses under the current law. I understand that since I left, certain elements in the government are offering 10% bonuses for certain highly specialized cyber operators, but it's not an entry level thing so it won't work for recruiting. And sadly, when your salary is only 65-70% of industry, a 10% bump on that doesn't really help much for retention.
I was a GS-14 when I left government service. And I was a pretty rare animal when it came to network exploitation operators. There are many smart people competing for a very few promotions to GS-13. GS-14 was virtually unheard of within the technical ranks. Even with a 25% bonus (the maximum allowed under current law) my salary would have been a pittance compared to private sector salaries in senior infosec (the job I was performing there).
It's not just the $$
But it's not all about money. The US Cyber Command structure doesn't reward innovation. At its heart, Cyber Command is a military organization. And military loves structure. A privileged few set the operating procedures that all others will follow. Thinking and acting outside the box are not only not rewarded, they are actively discouraged. This is VERY unfortunate, because the true infosec professionals want the challenges associated with solving complex problems, not just following a flow chart.
Of course I'm not saying all cyber operations can be reduced to a flow chart, but believe me US Cyber Command is trying to get there. And that's not really a bad thing. It's the only way to scale out their CNE operations. It's just that the methodology is bad for retaining top tier talent who wants a challenge.
Many employees, and most of those in leadership positions, at Cyber Command are either current or former military. That's not a bad thing. It's a military organization after all. But it does cause some problems when it comes to attracting personnel who often sport blue mohawks, tongue rings, ear discs. Of course drugs (including marijuana where it is legal) are also off the table. And we've recently seen how much trouble the FBI is having recruiting due to its position on the wacky weed. Bottom line: in order to be really accepted at Cyber Command you have to play the military game, something that many in infosec simply aren't willing to do.
The bottom line is that while pay is an issue for attracting top talent for Cyber Command, it's not the only issue by far. Pay will help get some people in the door (though even with incentives, Cyber Command pay doesn't come close to industry norms). Unfortunately, pay is very unlikely to keep those people there. The culture will have to change and adapt to those workers who dominate the information security field.
Does everyone in infosec have strangely colored hair, body piercings, and smoke pot? Of course not. But enough people fall into one of those categories that Cyber Command really needs to take notice if it wants to retain them. Somehow, those leading Cyber Command will have to figure out how to do this without simultaneously losing its own military roots. The bottom line is Cyber Command only has its battle cry of "awesome missions" to fall back on. Presently they don't pay people commensurate with the rest of the very understaffed industry. And when it comes to autonomy and problem solving, well they simply don't offer much else there.
Your comments are on point and I think they are applicable across a much greater segment of society - in fact, I think that every organization right now, from financial services to the military to complex manufacturing are all coming to the realization that they need to be technology companies at heart. Software is eating the world - it's just eating some parts of the world faster than others.
Gen Lord addressed this very issue years ago in AFNetOps, but the message didn't filter down very well when I was there. I about had an aneurysm when a midgrade officer called blogs and bloggers "not real news, not real journalism" in a newspaper interview regarding web site blocking. Yes, let's try to recruit the people with the skillset and mindsets we need, then kick them in the nethers in interviews!
Jake, please send me your address. I will send you an MRE with a Snickers Bar. You know how you get when you're hungry. I think we've all stated the obvious. CYBERCOM will put butts in seats before building the most trained and proficient Cyber force. The need for contracts for SME will always persist and those "holier than you" mission statements will keep the budgets rolling. When in Rome Jake, when in Rome.
I'm not hangry, I don't need your charity. The bottom line is adapt or die. As Liam points out above, this isn't just USCC. It just happens that they have less willingness/flexibility to fix the problems than private organizations.