We know about how difficult it has been to fill the top job at DHS. It seems that the same is true of some of the career posts—especially the ones that deal with cybersecurity. According to a recent GAO report, the Office of Cybersecurity and Communications—the subcomponent within the National Protection and Programs Directorate that houses cybersecurity personnel—has a vacancy rate of 22 percent.
Of course there are plenty of good reasons for this. It’s hard to match private sector salaries in the government (heck, it’s impossible); there are often delays in getting top secret clearances for new hires (delays which will only get longer as clearance processes are tightened up in the wake of the Navy Yard shootings); and there’s a lack of a structured overall career path and occupational series for cybersecurity specialists. Indeed, the field of cybersecurity is so underdeveloped that a recently-issued National Academy of Sciences report, “Professionalizing the Nation’s Cybersecurity Workforce? Criteria for Decision-Making,” concluded that while the field of cybersecurity requires specialized knowledge and intensive advanced training, it is still too young and diverse a discipline to introduce professionalization standards. Cybersecurity is still just a job. You can hardly blame OCC/NPPD for having a hard time filling the slots.
Nonetheless, despite these perfectly sensible explanations, it has to be somewhat concerning that one-fifth of the positions charged with protecting the .gov domain from cyber intrusions lie vacant.