The U.S. government is in the process of hiring a small army of information technology specialists to bolster its efforts to protect data held at federal agencies from cybersecurity threats. The federal government hired 3,000 new cybersecurity and IT professionals in the first six months of the current fiscal year.
In addition, the government is “committed to a plan by which agencies would hire 3,500 more individuals to fill critical cybersecurity and IT positions by January 2017,” said Shaun Donovan, director of the Office of Management and Budget.
The hiring spree is just one component of a “first ever” Federal Cybersecurity Workforce Strategy revealed by the White House last month.
“The federal cybersecurity workforce has the exciting and challenging mission of protecting government IT systems, networks, and data from sophisticated adversaries; safeguarding sensitive data; supporting our Nation’s financial, energy, healthcare, transportation, and other critical systems; and securing our critical infrastructure and intelligence systems,” Donovan said in a joint statement with Tony Scott, U.S. chief information officer; Beth Cobert, acting director of the U.S. Office of Personnel Management; and Michael Daniel, special assistant to the President and cybersecurity coordinator.
“However, the supply of cybersecurity talent to meet the increasing demand of the federal government is simply not sufficient,” the officials added.
Scope of Program
The workforce strategy includes four major components:
Education and Training: The program supports the administration’s Cybersecurity National Action Plan, or CNAP, which calls for investing $62 million in fiscal 2017 to expand cybersecurity education in the U.S. Among the plan’s elements are competitive tuition scholarships for college students through the CyberCorps Scholarship for Service program; development of university-level cybersecurity programs; and grants to hire or retain professors.
Recruit Federal Talent: The strategy strengthens federal recruiting of cyberexperts through enhanced efforts to acquire talent from apprenticeship programs, colleges, universities and private industry. The program seeks both career employees and participation of presidential fellows to bring private sector talent into the federal service. Also, federal pay and hiring practices will be examined with the objective of improving recruitment.
Retain Talent: To improve retention and development, the U.S. Office of Personnel Management will work with agencies to develop cybersecurity career paths, badging and credentialing programs, and rotational assignments, as well as provide opportunities for employees to obtain new skills and become subject matter experts in their field.The strategy directs the development of a government-wide orientation program for new cybersecurity professionals, and efforts to improve pay and training.
Identify Requirements: The strategy directs agencies to adopt a new approach to identifying their cybersecurity workforce gaps by using the National Cybersecurity Workforce Framework developed by the National Initiative for Cybersecurity Education, or NICE, which identifies 31 discrete areas within the cybersecurity workforce. The effort will include meeting current requirements and anticipating future cybersecurity needs.
Program Embraces Outside Recommendations
The program conforms to many recommendations from cybersecurity organizations for addressing the federal response to data security. For example, ISC2, the international cybertraining and certification organization, recommended a number of reforms after conducting a survey of federal government cyberprofessionals. Results of the KPMG-supported survey were released this spring.
Among the findings ISC2 found disturbing:
- Almost two-thirds of survey respondents either disagreed or strongly disagreed with the premise that the federal government as a whole was capable of detecting ongoing cyberattacks.
- Federal cybersecurity executives were disheartened by the current environment, with 25 percent unsatisfied or extremely unsatisfied in their jobs and considering leaving their agency.
- Lack of accountability was a consistent theme, as 21 percent of respondents were unable to identify a senior leader at their agency whose sole responsibility was cybersecurity.
- Respondents indicated that certain units did not view cybersecurity as important to their departmental functions — notably human resources, procurement and public affairs.
ISC2 recommended that the government include human resources, as well as technological solutions, in developing cyberprotection; address cyberworker dissatisfaction, and give employees more authority; educate all workers — not just security staff — about cyberthreats; and improve retention of cybertalent.
“People doing this job are overwhelmed. An alarming 59 percent of our survey respondents said that their agency struggles to understand how cyberattackers could potentially breach their systems, with 40 percent of respondents unaware of where their key assets are located,” said Dan Waddell, managing director for north America and director of U.S. government affairs for ISC2.
“They simply don’thave enough cyberpersonnel to meet the demands of their mission,” he told the E-Commerce Times.
“The government’s newly released Cybersecurity Workforce Strategy demonstrates that the government is listening to the voice of ISC2, and to the many other organizations that have done the work to develop and provide sound recommendations,” Waddell said.
However, recruitment must include assurances that additional personnel are fully qualified, he noted.
“While it is tempting to throw bodies at the problem, if recruits are not properly vetted and have no proven track record, the government will have an even greater challenge on its hands than a workforce shortage,” said Waddell.
“Almost half the respondents of our recent survey indicated that people currently represent an agency’s greatest vulnerability to cyberattacks. Leaders are realizing that people can be their organization’s greatest cybersecurity asset or greatest liability. In an adaptive, fast-paced and complex field like cybersecurity, quality over quantity must be the mantra,” he urged.
“The added support and attention from the White House should signify the importance of the issue of talent shortages and help justify the focus on increasing the educational pipeline for CyberSecurity skillsets,” said Chuck McGann, chief cyber strategist in the Cyber Security Innovation Center at Salient CRGT.
“The education providers such as ISC2, ISCA, and CompTIA, and the colleges and universities should benefit from the CNAP initiative and the financial backing it provides as a solid indication of our national commitment,” he told the E-Commerce Times.
“This ramping up provides indications to the population of an area of significant opportunity with a future justifying the commitment to making cybersecurity a viable career. Attracting a qualified workforce is only part of the problem, however,” McGann said.
“Some of these systems are older than the personnel we are attracting to secure them. Old, antiquated architectures that never anticipated the threat environment we are in now, cannot be easily protected by the addition of talented cyberprofessionals alone. Technology modernization is critically important to cybersecurity management and overall success,” he emphasized.
Impact on Vendors
The addition of employees could result in better outcomes for both agencies and the IT providers who serve the government, especially providers who directly offer cyberprotection products and services, as well as vendors who find cyberprotection a key element within their offerings. The key factor, again, is the quality of personnel.
“Among the many competing priorities, carving out time to meet with vendors is tough. This is just another justification for prioritizing the quality of hires over quantity. When considering candidates, you want someone who already has a broad knowledge of the products and services available today, who can effectively communicate the business case, and who will help to ensure the agency spends money on things that actually move the needle forward,” ISC2’s Waddell explained.
“The added expertise of new talent with new ideas will spark the evaluation of entrenched products and security solutions,” noted Salient CRGT’s McGann.
“These deployed solutions may not have kept up with the changing threats and integration needs of the deployed toolsets. Most agencies have done as well as possible, but the procurement process can cause roadblocks for innovative technologies,” he pointed out.
“Private sector providers need to up their game as well,” McGann said. “We need to leverage that same expertise to automate the mundane and tedious wherever possible, eliminate redundancy — and create secure offerings that are not outdated at delivery, and have actionable, impactful results.”