It would not be hyperbole to say that the federal workforce faces an enduring and widening cybersecurity skills gap going into 2021. Human capital management has been on the Government Accountability Offices’s (GAO) high-risk list for over two decades— and more work lies ahead. The 2.1 million federal workforce faces significant skills gaps, outdated technology in some situations and now faces changing agency workforce priorities.
The Closing Skills Gap Initiative (CSG), a collaborative OPM and Chief Human Capital Officers Council effort to mitigate skill and competency shortfalls, found nearly half of federal agencies cited IT and cybersecurity needs as a common challenge.
At the same time, while there has been measurable progress by federal agencies, cybersecurity remains a GAO high-risk issue. The harsh reality of recent cyber breaches exposed our nation’s ongoing security challenges — and spotlighted the damage caused by the nation’s growing cyber skills gap.
Addressing the Human Capital Management Crisis
To recruit and cultivate the next generation of cyber defenders, agencies should pursue novel HR strategies and capitalize on free industry and government training resources and practices to improve employee cyber performance and support a more robust national cyber posture.
A cybersecurity training model mirroring the approach taken to military occupational specialties (MOS) could foster the necessary skills and competencies linked to specific job types and levels of performance. To achieve transformation, we should look beyond the current model that draws heavily on formal academic or vocational training problems and examine alternatives such as the MOS that has worked well for the Defense Department in training large numbers of individuals to perform a broad array of job types at varying levels of expertise. This model has results that make it a potential model to emulate in other sectors.
Adopting a MOS-like cyber model could encompass greater diversity in the recruiting and training process and prepare organizations to cope with the growing convergence of physical security, information technology (IT) and operational technology (OT), especially in critical infrastructure (CI) sectors such as manufacturing and energy.
A recent alert by the National Security Agency and the Cybersecurity and Infrastructure Security Agency warned of the spear-phishing trend by threat actors who establish access to an organization’s IT network before pivoting to the OT network. Such changes in threat tactics heighten the urgency for changing our approach to recruitment and training of interdisciplinary teams that are better suited to deal with the growing convergence between IT and OT.
Improving our ability to defend critical infrastructure against adversaries who seek to leverage our IT and OT assets against us both increases our security and helps the industry stay competitive and ultimately grow stronger.
In addition to adopting a training model based on a MOS-like approach, the public and private sectors will benefit from leveraging enhanced security automation and integration to lower costs and complexity. The training model can be further strengthened if enrollees have better access to:
· Industry recognized certifications and program certificates of completion
· Mentorship opportunities and recommendation letters
· Interview coaching
· Professional networking opportunities
These aspects are key to a cyber education training model that is more comprehensive and better suited to developing professionals from diverse backgrounds.
Talent Identification and Team Building
There is not just a talent shortage but also challenges in talent recognition and development issue. High-performing teams should be built by pursuing out-of-the-box approaches to spot aptitude and develop problem-solving skills in non-traditional candidates. The alternative is continuing to compete for an inadequate supply of talent with two or four-year degrees in cybersecurity or IT.
A strong security team comprises team members with a diversity in background, education and core competencies. Team members differentiated by disciplines, traits and skill sets will stand a far better chance at keeping ahead of malicious cyber actors who grow more brazen every day. For example, a history major and a hard-core technologist may work well together on the same team, as they each have complementary strengths and skill sets.
OPM has explored cybersecurity aptitude assessments, with the idea that a structured series of tests would make it easier for potential federal employers to identify talent with an aptitude for a wide variety of cyber positions. These assessments included coding challenges, samples of written work, and standardized tests of problem-solving and adaptiveness. This approach is noteworthy because traditional testing, for the most part, focuses on narrow technical criteria and does not adequately measure the attributes that make for successful cybersecurity professionals.
Instead of relying solely on narrow technical assessments, employers will benefit from linking job types to credentials that reflect both hands-on test skills and theoretical knowledge. A blended approach like this can attract both cyber professionals with the specific training and understanding to make an immediate impact using today’s cybersecurity tools, as well as candidates with the foundational knowledge and problem-solving skills to deal with emerging problems and new technologies.
Building a Strong Cyber Future
A cyber talent ecosystem fueled by new approaches to recruiting and teambuilding will help the security workforce grow both in skills and qualifications. By focusing on developing measures to identify which areas of cybersecurity can benefit from which pockets of an increasingly diverse talent pool, we can begin to make strides in closing the skills gap and cyber workforce shortage we face in both the public and private sectors.
More diversity in the cyber industry leverages the breadth of worldviews and experience in the talent pool. Traditional approaches to filling the pipeline for cyber talent have failed, and it is time to think creatively about a long-term solution to address the rapidly growing cyber skills and workforce shortage. Leveraging diversity will be foundational to our success in addressing this problem.
Jim Richberg is public sector field CISO at Fortinet. He formerly served as the National Intelligence Manager for Cyber in the Office of the Director of National Intelligence, where he set national cyber intelligence priorities.