We exist in an era of disruptive technologies that hackers are eager to exploit. Whether the innovations leverage the Internet of Things (IoT), artificial intelligence (AI), or cloud-enabled advancements, attack surfaces are expanding exponentially in real time, increasing risk exposure for government agencies.
To respond, federal leadership is focused on boosting its cybersecurity workforce. The key to this strategy yielding positive results lies in building a formidable team of elite cybersecurity professionals, or “cyber warriors,” who will aggressively and effectively defend against modern threats and cyberattacks.
In order to develop a force of “cyber warriors,” federal agencies must adapt and shift when looking to attract and retain talent – unifying resources among government, academic, and certification organizations to empower the federal cyber workforce with a well-rounded and grounded combination of experience, education, and training.
There are many things that need to be done to get to this point. While there is a sizable pool of employees with quality degrees and/or certificates, many do not have sufficient real-world experience. There is also a population of candidates with great experience, but they lack the level of certification or education that directly speaks to the threats that agencies face. If the government does manage to identify candidates who meet all the aforementioned standards, the lucrative draw of the private sector often pulls them away from staying with the government long-term.
Agencies acknowledge that they are saddled with a serious cyber talent shortfall. Whether they struggle to recruit or retain these professionals, or lack an overall understanding of what’s needed to assemble a workforce to respond to today’s requirements, seven of 10 government agencies indicate that they have “too few” information security employees, according to the Global Information Security Workforce Study from the Center for Cyber Safety and Education.
The talent gap has emerged as the most critical of all cyber priorities. When listing the top factors in securing the government’s infrastructure, the hiring and retaining of qualified information security professionals ranks No. 1, as cited by 87 percent of agencies – surpassing the need to increase funding for security mandates and raise awareness of security issues among non-technical staff, according to the study.
The availability of training and security certification programs also ranks highest among the most-essential initiatives needed to retain information security professionals, as cited by 62 percent of agencies. Over the year, 27 percent of survey respondents indicated that their agency will spend more on security certifications and training/education, as opposed to just 7 percent who expect a decrease in certification spending and 10 percent who anticipate a reduction in training/education funding.
But, as we reach a turning point in our pursuit of a stronger workforce, we must proceed strategically to build an effective “cyber warrior” workforce. The grooming of these individuals should focus directly upon the threats they will have to monitor, identify, mitigate, and prevent.
That’s where the aforementioned combined effort – a newfound synergy of forward-thinking leadership among government, academic, and certification institutions – should take hold. Specifically, they should work together to ensure their experience, education and training initiatives reflect current federal cybersecurity challenges with emerging, disruptive technologies by adhering to the following legislation, programs, mandates, authorized operations, certifications, and accreditations:
- Federal Information Security Modernization Act (FISMA)
- Federal Risk and Authorization Management Program (FedRAMP)
- Risk Management Framework (RMF)
- Defensive Cyber Operations (DCO)
- Offensive Cyber Operations (OCO)
- Committee on National Security Systems (CNSS)
We cannot rely solely upon certifications and college degrees designated for these programs, mandates and operations, either, because they do not address the experience needed. Just as future doctors must complete residency and commercial pilots undergo hundreds of hours of flight time to get certified, so too should those in the cyber field be required to gain experience in a similar program or internship. The synergistic government, academic, and certification institution coalition would have to develop similar, hands-on tutelage for federal cyber professional candidates.
There are a few different strategies that agencies can implement to ameliorate the skills gap. First, establishing realistic minimum requirements for job candidates is crucial. Many positions call for years of experience far beyond the responsibilities of the job.
Another critical element to strengthening the workforce is offering incentive programs for companies that utilize grants for IT certifications and training. These programs could also be made available to employees following a fixed time period, i.e., after 1-2 years.
Lastly, and perhaps most importantly, we must introduce and promote the industry early on in schools. Creating excitement for the next generation will foster a steadier stream of worthy candidates. Advertisements for the IT field are often directed at the wrong audience. Marketing efforts directed at younger kids will ultimately establish IT as a more common job aspiration for elementary school-aged students, cultivating a new wave of “cyber warriors” from the ground up.
The government is hardly alone in its workforce struggle. The overall, global cybersecurity employee shortage is projected at 1.8 million by 2022, according to research from Frost & Sullivan and (ISC)². Yet, the gap between federal requirements and the recruitment and long-term retention of a workforce capable of satisfying the requirements presents unique challenges. Indeed, we are looking for extraordinary people, i.e., “cyber warriors,” because we are engaged in intensive combat every day with adversaries. But we will never see these extraordinary candidates without extraordinary efforts from our government, academic and certification leaders. With this – along with the compensation issue finally resolved – we can expect continued victories in our cyber wars.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland.