Government is spending more and more time, money, and effort on strengthening cybersecurity. But is government getting the return on such investments that it should?
(ISC)2, the largest not-for-profit membership body of certified information and software security professionals worldwide, recently released its seventh Global Information Security Workforce Study (GISWS) in partnership with Booz Allen Hamilton, Cyber 360 Solutions, NRI Secure Technologies, and Frost & Sullivan. The findings reveal that, despite significant investments in new cybersecurity policies and tools, the federal government’s state of security readiness continues to lag behind.
Dan Waddell, Managing Director for the National Region for (ISC)2, helped conduct this biannual study. In a recent interview with Chris Dorobek on the DorobekINSIDER program, he shared some alarming findings from the report.
The Need for Younger, Diverse Talent
First, he said that the cybersecurity workforce gap is widening. “Globally, we anticipate a shortage of about 1.5 million professionals by the year 2020. But when we asked this question specifically for the US government, a key percent of the responders say that, right now, they know they do not have enough information security personnel to meet the demands of the mission,” he said. “It really is kind of a wakeup call.”
One reason that cybersecurity is not measuring up for government is a lack of young blood. “We sampled our workforce, looked at the statistics, and only six percent of the respondents are under the age of 30. We need to do a better job as an industry,” Waddell said. “When you look at the federal government landscape, we’ve got a graying workforce. We’ve got a lot of feds that are going to be coming up to retirement here in about five to ten years. When we talk to our members, they respond that there’s constant turnover.”
At face value, “information security personnel” does not sound as sexy as diplomat, White House Correspondent, or even the Marines. It also does not help that the federal hiring process can take so long. Often, when bringing in the best and brightest, it can take as long as six to nine months to hire, compared to private sector positions that are secured in two to three weeks.
Another apparent problem in the cybersecurity workforce is the gender gap. This not only creates missed opportunities for government, but also weakens the cybersecurity workforce altogether. “I think globally it’s about ten percent on average for women in our field of information security. When we look at the government numbers, it’s slightly higher at 14 percent,” Waddell said.
On the bright side, Waddell said the number of women interested in federal careers in information security is growing. However, there is still much progress to be made. “I’m pleased that we’re moving in the right direction, but we need to do so much more to educate and excite our younger people and get those other pockets, such as women and minorities,” Waddell said.
Incorporating the Latest Technology
In addition to tapping into the right workforce, government needs to tap into the right technological trends. Cyber threats and security breaches have advanced in sophistication, and it is more important than ever for government to advance its efforts against “bad actors.” “The primary methods that bad actors have been using to access government databases include spear phishing and targeting vulnerabilities in applications,” Waddell said.
Government has turned much of its focus to tackling these threats, and the Internet of Things (IoT) has played a significant role. However, Waddell said a more proactive approach to endpoint security must be taken. Therefore, his company is looking at: “What can we do to help build these applications from start to finish with security in mind versus the bolt on the very end?”
There are many methods to address cyber threats, and utilizing current technological trends is one of the most important. Government needs to pay closer attention to the links between cybersecurity, data transparency, BYOD, and IoT trends.
What’s next for government cybersecurity and its diminishing workforce? These tips offer hope for the future.
Adjust the Hiring Process: Waddell suggested that governments, especially the federal sector, examine their hiring processes. The National Institute of Standards and Technology (NIST) has adjusted its framework to create job categories and classifications that show a career path specific to cybersecurity. While it may be difficult to speed up the hiring process, due to security concerns, try looking at how you’re presenting the jobs. Make the website appealing and easy to navigate, and try to reach out to diverse communities. Have a look at your mission statement, and if you are not inspired, then you know it’s time to readjust. Remember, working at your agency should be an easy sell.
From Risk Assessment to Risk Management: Waddell suggested that with the evolution of cybersecurity, risk assessment has really become risk management. When hiring vendors, it is critical to monitor the process every step of the way. Look at how the vendors are vetted, how the programs and services they offer are vetted, and seek a product or service that will help you every step along the way. Risk assessment boils down to acquisition.
Ensure that work descriptions relay the importance of information security and that acquisition personnel understand the nature of the work and know the security processes. Cybersecurity personnel can assist in crafting the language of RFPs and other acquisition materials so that security is the main priority.
Incentivize the Workforce: Recently, (ISC)2 announced its 2015 winners for the annual Government Information Security Leadership Awards, which recognize the ongoing commitment of individuals whose initiatives, processes, and projects have led to significant improvements in the security of an agency, department, or the entire federal government. Awards and challenges, such as hackathons, have been a great way for government to tap into creative and technological talent within the community. If you have not looked into an awards program or hackathon, check out how app challenges can aid with cybersecurity and other technological advances. They can help inspire people to get involved at the government level.
The next challenge for government cybersecurity lies in building an effective workforce. Information security is not the easiest sell. But govies want to be challenged and solve the difficult problems that come with cybersecurity. They want to tackle the bad actors. So make sure your organization is advertising its message well, bringing in the talent, and creating a workforce that measures up to the challenges and demands of cybersecurity today.