When the Trump administration launched a new program in November 2018 to quickly retrain non-IT employees to become cyber defenders, much of the focus was on preparing those individuals to fill critical job openings in government — at least that’s what dominated headlines.
Although the Federal Cybersecurity Reskilling Academy website explicitly says that jobs are not guaranteed for participants, it does say that “participants receive career mentorship and soft skills guidance to help them prepare for re-deploying into the cybersecurity workforce.”
During a roundtable with reporters on Wednesday, Federal Chief Information Officer Suzette Kent gave an update on the program and explained what the administration hoped to prove by launching the Academy. “It wasn’t like we were out shopping to match this open role, this open role, this open role,” Kent said about participants converting to new cybersecurity positions. She noted that “we [government] struggle in many cases to say these are the cybersecurity things about which you need to be knowledgeable.” One month of promoting cybersecurity awareness training in October won’t cut it, she said, and the Academy appears to be the proof of concept for how government can elevate cyber skills across its workforce.
The big takeaway for the administration in the wake of wrapping up its first cohort of program participants in July 2019 wasn’t how quickly the inaugural class could fill open cybersecurity roles but rather if there is an appetite among the federal workforce for a cyber reskilling program, if a screening mechanism could be used to find those people and if this type of training delivery approach would be successful. The short answer to these questions is “yes.” Program participants that GovLoop heard from said their newfound skills are helping them in their current roles and also bringing valuable knowledge to their agencies.
“Our overall intent … under the PMA [President’s Management Agenda] with both IT modernization, cybersecurity and workforce was to find ways that we can reskill the current federal workforce in the direction of the things that are priorities,” Kent said. The program focused on certifications that align with cyber defense analysts because that’s where a lot of gaps exist in government today. Through the Academy, the administration was able to prove that this type of front-end screening for participants and intense coursework can work in the federal government.
When asked how many people have landed federal jobs, Office of Management and Budget Spokesperson Jacob Wood said it’s too premature to quantify those numbers. “The first Federal Cyber Reskilling Academy cohort graduated only three weeks ago with very encouraging results,” Wood said in an emailed statement. “It is entirely premature to quantify how many have secured cybersecurity-focused positions. What’s clear is that the inaugural class has achieved so much in a very short window. The Administration will continue its efforts to reskill our dedicated federal workforce to improve our national security.”
The SANS Institute, a cybersecurity training and certification firm that conducted the reskilling efforts on the government’s behalf, said the Academy’s first cohort achieved one of the highest passing rates ever anywhere and did so in a shorter than average timeframe, Kent explained.
Participants were tested for two certifications to measure their mastery: GIAC Security Essentials (GSEC) and GIAC Certified Incident Handler (GCIH). For the security essentials certification, 97% of participants passed on the first attempt, with an average score of 88% — well above the industry standard. One virtual student has not yet taken the test. For the incident handler certification, 91% passed on the first attempt, with an average score of 82% — both above the industry standard, according to SANS.
In a recent interview with GovLoop, SANS’ Director of Research Alan Paller said, “This program is informed by previous paralleled efforts in the U.K. and U.S., using the same resources. This program was not created anew. This is in fact the first U.S. government implementation.” (View the complete interview here, along with details about how the Academy works.)
Government Participants Share Successes and Suggestions
More than 1,500 federal employees applied to the program’s first cohort — with about 66% of applicants coming from the upper levels of the federal pay scale at GS-12 to GS-15. The Academy accepted 30 applicants (24 in-person and six virtual), who were tasked with completing an intense three-month schedule of self-study, classroom and hands-on training around topics such as handling cyber incidents and thinking like hackers to become better defenders.
During the roundtable with Kent, two participants of the program shared how the reskilling opportunity has benefited them, as well as suggestions for improving future iterations of the Academy. An early recommendation that the Academy quickly accommodated for its first cohort was adding a virtual component, as the majority of participants were from outside the D.C. area.
Mary Gabriel, who works in acquisitions for the Coast Guard and recently completed the program, said she has seen an increase in cyber-related requirements for cutter acquisitions. “I had really little understanding about where they came from, why they’re important, what’s the root cause [and] what’s driving them,” Gabriel told reporters during the roundtable. She credits the Academy with equipping her to ask better questions and to prioritize acquisition resources for the Coast Guard’s commissioned ships. She noted that her cyber certifications are a distinguishing factor that sets her apart from other acquisition professionals, but what that means for her future career is uncertain.
For now, Gabriel’s role in acquisition means she doesn’t get to apply the hands-on technical skills she learned, but she’s interested in finding a role with a greater focus on cyber. Part of the challenge, though, is she doesn’t qualify for cybersecurity roles that are equivalent to her current grade level — at least on paper. The best way forward seems to be finding a role that is cyber-adjacent, meaning related to what she does now but more closely tied to cyber.
Kent said the administration is evaluating things that can be done through the Office of Personnel Management to create opportunities for people who have the skills but perhaps not the years of experience, especially Academy participants who also bring a depth of knowledge from non-IT fields. That could mean using a combination of factors to evaluate someone’s readiness for a job, not just years of experience. Kent added that they’re also exploring mechanisms such as details, or a temporary assignment to another office or agency, to give participants exposure to cybersecurity roles.
There’s currently a second cohort underway as part of the Academy, but these participants are IT professionals. This will seemingly bode well for those in the group looking to transfer to cybersecurity roles. But as is often the case in government, the application process can be arduous, and navigating USAjobs.gov to apply for those opening has proven challenging for job seekers in general.
During the roundtable, reporters also heard from Shannon Riley, who’s in a privacy position at the Education Department. She currently works very closely with the department’s security operations center, or SOC, which monitors and responds to cyber incidents. She doesn’t have immediate plans to leave her role since graduating from the Academy, adding that she saw reskilling as a way to broaden her horizons and strengthen her agency’s privacy program. Bridging the gap between cyber and the public is challenging, and that’s the role privacy plays, she said.
Professionally, she is using her new skills on a regular basis and has a broader knowledge of what the department’s security operations center can view in the event of a privacy breach and what they’re capable of investigating, for example. In terms of feedback, Riley expressed that one of the challenges is most federal cybersecurity jobs are in D.C. For those who live outside the region, they have to consider relocation in addition to any other barriers.
Aside from the professional opportunities that may arise, there are also personal benefits from the program and greater awareness that came from understanding cybersecurity risks, Riley said. Seemingly small things such as creating a stronger password for her home router, she learned, can greatly reduce the risk of outside attackers gaining access. Gabriel added that in her personal life, having a foundational knowledge of what cybersecurity entails and what hackers are capable of has made her more conscious of turning off Bluetooth and Wi-Fi capabilities when they aren’t needed on her personal device.
What’s Next for Cyber, Larger Reskilling Efforts?
As the administration prepares for the Sept. 20 graduation of its second Academy cohort, Kent and the government team spearheading the initiative are considering ways to “industrialize” the process for attracting and reskilling interested federal employees so that more people can participate. That could mean launching an expanded number of similar reskilling programs at the agency level. That has yet to be determined.
But in addition to cyber, there is currently a pilot underway aimed at data science reskilling. The administration is also eyeing other areas that are ripe for reskilling in the future.
Kent explained that one of the most common areas of exposure to cyberthreats that agencies face is through improper use of email and information. By giving Academy participants exposure to cyber training, they are better equipped to serve in their current roles and new roles if they pursue that route. Participants also had networking opportunities with government security officers and officials at the Homeland Security Department’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) to understand the broad range of cyber roles out there and what might be a good fit for them.
The Academy has proven there is an appetite for cyber knowledge and exposure to the field across government, as well as the government’s ability to offer training opportunities to interested federal workers. A big part of the success was getting federal managers on board to approve employee participation, rather than seeing the Academy as a stepping stone for their best and brightest to leave their current roles.
Kent said she wants agencies to see the program as an enabler that provides new skillsets and exposure for employees while also developing a pool of talented professionals that agencies can tap into to improve their operations. For employees, a new role in cyber isn’t a guarantee, but the program has proven valuable for employees looking to broaden their skills and position themselves for expanded opportunities.
Photo Credit: Women of Color in Tech stock images