High-profile departures widen federal government’s security talent shortage

Respected and influential government cybersecurity veteran Jeanette Manfra announced this month that she is leaving her position at DHS to join Google as its global director of security and compliance as part of a new security team at Google Cloud. At Google, Manfra, who currently holds the title of Assistant Director for Cybersecurity for the Office of Cybersecurity and Communications at DHS’ Cybersecurity and Infrastructure Security Agency, will spearhead an “Office of the CISO” initiative at Google Cloud to help customers improve their security postures.

Manfra’s departure is just the latest in a string of high-profile departures from the ranks of well-regarded cybersecurity experts from the federal government. Google recruited at least two other prominent government cybersecurity officials to join its ranks. Kate Charlet, who served as acting Deputy Assistant Secretary of Defense for Cyber Policy at the Department of Defense, left in 2017 and is now Director of Data Governance at Google.  Daniel Pietro, who was Director for Cybersecurity Policy on the staff of the National Security Council, left his role in 2017 to work at Google as an executive for Public Sector Cloud at Google.

In 2018, the Trump administration eliminated the top White House cybersecurity role when then-national security advisor John Bolton cut the cybersecurity coordinator role at the National Security Council prompting, Rob Joyce, the first coordinator, to return to the NSA. Tom Bossert, another highly regarded cybersecurity official, left his position as White House Cybersecurity Advisor, reportedly pushed out by Bolton.

Joe Schatz resigned as White House CISO in August 2019 to join technology consulting firm TechCentrics.  In October 2019, Dimitrios Vastakis, Branch Chief of the White House Computer Network Defense and staff member of Office of the Chief Information Security Officer (OCISO) at the White House released a scathing resignation memo saying that OCISO staff are “systematically being targeted for removal from the Office of the Administration (OA) through various means.”

Brain drain hampers security efforts

Vastakis said in the last paragraph of that memo that given the turmoil among cybersecurity personnel in the White House “I foresee the White House is posturing itself to be electronically compromised once again” in a reference to a 2014 breach of White House systems by Russia. “Allowing for a large portion of institutional knowledge to concurrently walk right out the front door seems contrary to the best interests of the mission and the organization as a whole.”

As the number of departures from the administration’s ranks suggest, a lot of institutional cybersecurity knowledge has walked out the government’s front door. Manfra’s impending departure sparked concerns among cybersecurity professionals as just the latest evidence that the ranks of much-needed information security professionals across the government are growing perilously small.

Upon news of Manfra’s departure, Alex Stamos, former CSO of Facebook and currently at Stanford University’s Center for International Security and Cooperation, said in a tweet “Manfra is one of the handful of people in the US government you can thank for any movement being made on election security.” He added in a follow-up tweet “The NSC cyber function was gutted, and in the meantime there is a handful of assistant/under/deputy secretaries/directors in DHS, FBI, NSA and DNI who have McGyvered together some kind of response.”

Churn impacts recruitment, retention

Given these signals from the upper echelons of the government, the question arises whether churn among cybersecurity specialists will further exacerbate the chronic inability for federal agencies to hire the cybersecurity talent they need and protect the government and nation’s digital systems. As the acting director of OPM Beth Cobert said in 2016, “…federal agencies’ lack of cybersecurity and IT talent is a major resource constraint that impacts their ability to protect information and assets.”

“Hiring and retaining cybersecurity professionals is difficult for the federal government under normal circumstances, because supply remains low and demand high across our entire economy,” Michael Daniel, the former special assistant to the president and cybersecurity coordinator at the White House and now president and CEO of the Cyber Threat Alliance, tells CSO.

“In fact, the main reason cybersecurity professionals work for the government versus the private sector is for the mission and the sense of accomplishment. Anything that weakens those factors will negatively affect recruitment and retention,” Daniel adds.

Despite what appears to be an inhospitable environment for information security specialists, the Trump administration has taken several steps to address the years-long chronic problem the government has in recruiting cybersecurity talent. In May, Donald Trump signed an executive order that addresses the shortage of qualified employees for cybersecurity jobs and lays out a number of steps to recruit more cybersecurity professionals into the federal government.

Yet there can be little doubt that the federal government’s efforts to adequately staff up in the cybersecurity arena are hampered by the ongoing exodus of cybersecurity personnel, particularly at the highest levels. “Although not limited to cybersecurity professions, perceptions about churn at the top and inconsistent policy toward our key adversaries in cyberspace undoubtedly reduce the federal government’s ability to recruit cybersecurity professionals,” Daniel said. “In this situation, organizations like the Cybersecurity and Infrastructure Security Agency (CISA) within DHS deserve a lot of credit for making progress on certain issues despite the lack of prioritization from the White House.”