The government’s technology problems are largely staffing problems. For years, workforce concerns were ignored. But high-profile data breaches have shifted the focus. Government’s technology problems are as complex and difficult to address as any in the world. Agencies need to be able to hire the best.
That’s true in other fields as well—medicine, science, engineering, etc. Fortunately, many of the best minds already work for government. However, it’s clear that government has not assembled the IT expertise it needs, as evidenced by the continuing problems at the Office of Personnel Management.
The important step last year was the creation of the National Cybersecurity Workforce Framework and the posting of the Cybersecurity Workforce Development Toolkit. This is a unique investment to increase government’s cybersecurity workforce that highlights the importance of the staffing problem. It’s the foundation for a talent management strategy.
The business community has similar problems. A February article in Harvard Business Review, “Why Boards Aren’t Dealing with Cyberthreats” discussed the reasons.
But the potential damage and the cost of data breaches and hacking has to be far larger for government than in corporations.
Recent testimony of Internal Revenue Commissioner John Koskinen before the Senate Appropriations Committee highlights the issue. IRS has had problems hiring technology experts as far back as 1990. I learned then in pay reform meetings that IRS wanted to hire artificial intelligence experts but federal salaries were far below what those specialists commanded. They claimed experts in AI could command salaries above $200,000. That was the reason the Critical Position Pay Authority (CPPA) was included in the Federal Employee Pay Comparability Act. CPPA salaries can be as high as $207,800.
IRS had its own special hiring authority but that expired in 2013. Koskinen’s testimony included a request to have the authority renewed. That request was first made in 2015 and repeated in 2016, but it hasn’t happened. If it’s not renewed soon, the six specialists covered by the old statute will be out of jobs at the end of September.
The most striking statement is in a report from the IRS Inspector General in a recent Government Executive story, “IRS Asks Congress to Renew Expired Authority to Exceed Salary Cap.” It confirmed that IRS has never used the CPPA authority and that in 2015 “only four individuals were hired as CPPA employees per the latest annual report from the OPM.” That’s across all of government.
But even if agencies were taking advantage of the hiring authorities they already have—and clearly they’re not—there’s no strategic vision or even a system for managing IT personnel across government, or even within agencies in some cases.
The job market for top IT security talent is a sellers’ market. Reports on cybersecurity salaries all show the average specialist earns over $100,000. The prominent 2017 Global Information Security Workforce Study reports an average $125,000 salary. That includes specialists at all career stages.
That salary is not out of reach for government but it’s important to keep in mind that it’s an average, which in salary planning is assumed to be the pay of an average worker. It’s the same in sports where superstars are paid significantly more than average players. The question for government is: Can government afford not to employ superstars?
All the documents related to the Cybersecurity Workforce initiative are strangely silent on compensation. A word search produced virtually nothing on pay, salary or compensation management, except references to “existing flexibilities.”
Currently government’s IT specialists (most are in series 2200) are on special rate schedules. However, the effective special rate ceiling is $100,000. A few agencies have separate authority that permits higher salaries.
Those salaries may not be adequate to attract and retain the country’s best cybersecurity talent. A report on an IT job board last year showed lead software engineers were paid as much as $233,333. That’s above the $207,800 cap on CPPA salaries. Another website reports the average Chief Information Security Office in a large organization is paid $273,000 (including bonuses). A few are paid more than $300,000 in major cities. The highest reported for Washington DC is $380,000.
Recommendation—A STEM HR System
As long ago as 2001, the CIO Council asked the National Academy of Public Administration to develop a new HR system to enable agencies to compete for IT talent. Unfortunately, 9/11 ended that project shortly after it was started. (Had the project resulted in recommendations, it’s highly likely Congress and President Bush would have approved the new system. Imagine the impact that could have had.)
Cybersecurity jobs are the tip of the proverbial iceberg. It should be apparent that the General Schedule system is not suited for managing knowledge workers. The value of specialists who think for a living depends on how much they know. It’s their ability to use their knowledge that determines their market value, not their years of experience or even their education.
While the focus currently is on cybersecurity jobs, the talent management problems are the same for other technology specialties as well as the other STEM occupations—scientists, engineers and mathematicians. Government should emulate the practices of leading companies. Government’s workforce includes roughly 270,000 specialists in those fields. Many are among the world’s true experts.
At some point, a separate talent management or HR system is inevitable. There are a number of precedents. The Federal Wage System was created half a century ago. Federal law enforcement officers have a separate salary system. The congressional staff agencies have separate HR systems. The financial regulatory agencies also have separate HR systems. Healthcare specialists have separate systems. The Senior Executive Service is another system.
A separate STEM HR system should be planned to manage those specialists as they progress up their career ladders. Each agency should be able to add the expertise needed to achieve its mission. The added costs would be nominal. (For the IRS, the higher salaries cost $1.7 million over four years, 2010 to 2013.) The cybersecurity framework is an effective answer for each of these job families.
A uniquely government issue is that agency heads are responsible for budgets in the billions but are not trusted to add highly paid experts to their staff. Commissioner Koskinen is illustrative. He is responsible for a $12 billion budget, roughly 85,000 employees and agency operations that affect every taxpayer. He has managed in both the private and public service. He could be trusted to oversee an HR function that works with line executives to recruit and retain needed expertise. That argument applies to all agency heads. They should not need prior approval to hire needed talent.
Pay is the element missing from the Cybersecurity Workforce Strategy but the solution is not as simple as raising salaries. To become an employer of choice, government needs to be able to offer career opportunities commensurate with employees’ abilities.