“We’re basically hiring people from one federal agency to another. We’re stealing people from each other, that’s what it’s come down to,” Mendes told FedScoop.
“It’s a very, very tough situation with cybersecurity hiring. It’s extremely difficult getting the right people with the right skills right now,” said Mendes who spoke at the FedTalks tech conference on Wednesday, hosted by FedScoop.
The hiring challenges are likely due to a tight labor market and a severe shortage of skilled cyber engineers and analysts.
CyberSeek, a recruiting website for cybersecurity jobs in the U.S., funded by the Commerce Department, estimates there are currently 714,548 open cybersecurity jobs nationwide, which includes positions in the public and private sector.
In the public sector or the government, the website estimates there are almost 39,000 vacant cyber jobs and 69,322 cybersecurity experts currently employed.
There has been a huge surge in cybersecurity job openings in the past year, following a series of massive attacks in the the last two years on the computer systems of the federal government, the Colonial Pipeline, and the meat producer JBS that have brought mainstream awareness to the need for increased cybersecurity within the government and the private sector.
Alongside difficulties hiring cybersecurity experts, Mendes also said the federal government has struggled with holding its tech vendors and contractors accountable for cybersecurity flaws and issues.
“All federal agencies have to hold their vendors accountable in terms of susceptibilities. So that when you sell a product to the federal government, you have to give some assurances that the product performs as indicated, and does not unduly expose you to cybersecurity attacks because of flaws that are inherent in its scope,” Mendes said.
The President’s National Security Telecommunications Advisory Committee (NSTAC) on Tuesday put forward proposals that would require all executive civilian branch agencies to monitor operational technology systems in real-time.
Mendes said the presidential proposals would help improve cybersecurity but would receive strong pushback from the tech industry and IT vendors.
“The administration has just started with the process and there will be an enormous amount of lobbying against it by vendors trying to minimize its effect. Vendors will do their best to minimize their exposure to change because they don’t want to have the accountability, they haven’t had accountability in the past, so why should they have it now? But the reality is that in the current environment, we can’t afford not to have accountability,” Mendes said.
Shortly after becoming the Commerce Department CIO in 2020, Mendes said that he would like to see greater accountability within the federal government regarding agency IT budgets due to “black hole” spending related to regulatory frameworks or modernization.
Mendes said he has worked in the past few years to use his almost $4.0 billion a year budget in a more efficient manner with less spending on IT tools and resources.
“We can show definite cost avoidance to a large degree by virtue of more collaboration within the agency in the past couple of years,” Mendes said.
“We’re leveraging those dollars elsewhere, where they’re more driven towards the mission of the Commerce bureaus and official business and less towards IT infrastructure,” he added.
Commerce spends approximately 30% of its budget on IT driven by heavy users like the National Oceanic and Atmospheric Administration, National Institute of Standards and Technology, U.S. Patent and Trademark Office, and Census Bureau.
Mendes, however, drove the International Trade Administration, where he served previously as CIO, to spend only 10% of its budget on IT because of its cloud-first environments and abstraction layers.
This allowed the agency to automate more processes and freed up employees for work more tied to mission areas like tariffs.