Cybersecurity Workforce

It’s the dawning of the age of the Cybersecurity workforce. Everyone seems to be jumping onboard the train as it heads out of the station, and we appear to have more than our fair share of conductors. On any given day it seems an article appears about the Cybersecurity workforce. Everything from the Department of Homeland Security is hiring a 1000 workers to the new Federal Cyber Coordinator needs to be concerned about the Cyber workforce. Reports and studies abound not only on what people believe the workforce should look like, but also what issues must be addressed if we are to properly secure cyberspace for our use.

From the Federal level down to the Service level, studies and reports have been, or are being, prepared to document for leadership what the current workforce comprises and what skills and training are needed. As Max Stier, President and CEO of the partnership for Public Service said, “the new awareness of this problem is encouraging, but immediate action is needed.” Additionally, Congress is very concerned about cybersecurity, and there are multiple bills being presented – all of which include workforce language. In several cases there is even language requiring licensing and certification for the cybersecurity workforce.

The initiatives we see being discussed do not differ much from what we’ve seen when the Information Technology workforce was the buzzword, or from when the Information Assurance workforce was forefront. We still see development of a plan to recruit, hire and retain a skilled workforce; train and educate the workforce; create job classifications; develop career paths; and, develop workforce leadership. All of these areas are important and require attention. But what is changing?

The work, the environment and the missions are changing.
More importantly though – the workforce is changing. Much is being said about new generations and growing up wired and immersed in the Internet. Beyond IPODS, Facebook, and Avatars in their personal lives, people are using social media, advancing technology their own inventiveness to conduct work in ways not thought of even yesterday. This is true in war zones and business zones. The key though, is that because of these capabilities, the cyber security war zone overlays every piece of connected media. The workforce has adapted, and is adapting, to these changes. The questions are: has the organization adapted enough to support the workforce today, and what must the organization do in the future to meet the speed of change in both technology and the way the workforce works?

To begin to answer that we need to start by asking: what will the workforce look like, and how will it operate, when we have the highly trained, skilled and capable workforce everyone wants? What will the workforce need to look like when we can stop as close to 100% of the attacks as possible, not the 80% reported today?

While we must look at the foundation we have today – technologically and professionally, we must also envision the future workforce, its tools, its roles, its relationships, and its capabilities.

Questions that need answering before we can adequately address the details of the future workforce include:

(1) What is the definition of Cyber? Not just at the policy level, but what is the definition of Cyber to the people doing the field work?
(2) What kinds of skills and technology background do we think the future workforce will come to us with? We hire military based on aptitude to learn and civilians based on level of education/experience, but what social networking, IT and personal security, and technology knowledge and skills will they be ingrained with just by being a part of today’s wired society?
(3) What do we really think the cybersecurity force of the future will do?
(4) What are the key cybersecurity roles and relationships we need to transition to be an effective workforce?
(5) Is the cyber warrior of the future a Roman legionnaire standing with shields overlapped, or a cyber ninja – or something in between?

Do we have an idea what these answers might be?

Are these the right questions?