Workforce is the key to tight security on a tight budget

SAN FRANCISCO—Developing and maintaining a professional workforce is the key to maintaining cybersecurity, especially when budget dollars are scarce, a panel of government chief information security officers said.

 “If 80 percent of my budget is labor, I am not going to be able to deal with a 10 percent budget cut with just technology,” said Matthew McCormick, CISO of the Defense Intelligence Agency.

A panel discussion on Feb. 28 at the RSA Conference on providing cybersecurity on a government budget quickly focused on the workforce. While budgets are shrinking or at best static, agencies are competing to acquire experienced workers. and struggling to keep them.

Hord Tipton, executive director of ISC2 and former Interior Department CISO, cited Labor Department statistics showing a zero percent unemployment rate in cybersecurity.

“You can’t afford to lose the people you are depending on today,” said Patrick Howard, outgoing CISO at the Nuclear Regulatory Commission.

The NRC prides itself on having a good work environment, but it is not immune to budget challenges. “We haven’t had a budget increase in three years,” said Howard, who will begin working at the National Science Foundation in March. The NRC is working with unions on a workforce restructuring that could include lowering the government worker grade structure to allow hiring more workers for the same cost. That is not expected to happen before 2016.

Restructuring, both networks and jobs, is essential to better use of a limited workforce, the CISOs said.

Brent Conran, former House of Representatives CISO and now CSO at McAfee, said while at the House he consolidated 800 Active Directory domains and built an internal cloud to consolidate file servers and domain controllers. This simplified management and made more people available for other work.

State governments also are being squeezed. Nevada CISO Christopher Ipsen said his office began suffering budget cuts five years ago. He has relied on organizational changes and new security requirements to help simplify and streamline his work. Some of the changes included legislation requiring encryption of data on mobile devices, improved incident reporting for state agencies, penetration testing and continuous monitoring. These changes let him better use his limited staff and required the support of top management.

Getting management buy-in for needed change is essential to doing more with less, the panelists said.

“Take every opportunity you have to communicate the challenges you are facing,” Ipsen said.


 

About the Author

William Jackson is a Maryland-based freelance writer.

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.