Workforce is the key to tight security on a tight budget

SAN FRANCISCO—Developing and maintaining a professional workforce is the key to maintaining cybersecurity, especially when budget dollars are scarce, a panel of government chief information security officers said.

 “If 80 percent of my budget is labor, I am not going to be able to deal with a 10 percent budget cut with just technology,” said Matthew McCormick, CISO of the Defense Intelligence Agency.

A panel discussion on Feb. 28 at the RSA Conference on providing cybersecurity on a government budget quickly focused on the workforce. While budgets are shrinking or at best static, agencies are competing to acquire experienced workers. and struggling to keep them.

Hord Tipton, executive director of ISC2 and former Interior Department CISO, cited Labor Department statistics showing a zero percent unemployment rate in cybersecurity.

“You can’t afford to lose the people you are depending on today,” said Patrick Howard, outgoing CISO at the Nuclear Regulatory Commission.

The NRC prides itself on having a good work environment, but it is not immune to budget challenges. “We haven’t had a budget increase in three years,” said Howard, who will begin working at the National Science Foundation in March. The NRC is working with unions on a workforce restructuring that could include lowering the government worker grade structure to allow hiring more workers for the same cost. That is not expected to happen before 2016.

Restructuring, both networks and jobs, is essential to better use of a limited workforce, the CISOs said.

Brent Conran, former House of Representatives CISO and now CSO at McAfee, said while at the House he consolidated 800 Active Directory domains and built an internal cloud to consolidate file servers and domain controllers. This simplified management and made more people available for other work.

State governments also are being squeezed. Nevada CISO Christopher Ipsen said his office began suffering budget cuts five years ago. He has relied on organizational changes and new security requirements to help simplify and streamline his work. Some of the changes included legislation requiring encryption of data on mobile devices, improved incident reporting for state agencies, penetration testing and continuous monitoring. These changes let him better use his limited staff and required the support of top management.

Getting management buy-in for needed change is essential to doing more with less, the panelists said.

“Take every opportunity you have to communicate the challenges you are facing,” Ipsen said.


 

About the Author

William Jackson is a Maryland-based freelance writer.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.