Workforce is the key to tight security on a tight budget

SAN FRANCISCO—Developing and maintaining a professional workforce is the key to maintaining cybersecurity, especially when budget dollars are scarce, a panel of government chief information security officers said.

 “If 80 percent of my budget is labor, I am not going to be able to deal with a 10 percent budget cut with just technology,” said Matthew McCormick, CISO of the Defense Intelligence Agency.

A panel discussion on Feb. 28 at the RSA Conference on providing cybersecurity on a government budget quickly focused on the workforce. While budgets are shrinking or at best static, agencies are competing to acquire experienced workers. and struggling to keep them.

Hord Tipton, executive director of ISC2 and former Interior Department CISO, cited Labor Department statistics showing a zero percent unemployment rate in cybersecurity.

“You can’t afford to lose the people you are depending on today,” said Patrick Howard, outgoing CISO at the Nuclear Regulatory Commission.

The NRC prides itself on having a good work environment, but it is not immune to budget challenges. “We haven’t had a budget increase in three years,” said Howard, who will begin working at the National Science Foundation in March. The NRC is working with unions on a workforce restructuring that could include lowering the government worker grade structure to allow hiring more workers for the same cost. That is not expected to happen before 2016.

Restructuring, both networks and jobs, is essential to better use of a limited workforce, the CISOs said.

Brent Conran, former House of Representatives CISO and now CSO at McAfee, said while at the House he consolidated 800 Active Directory domains and built an internal cloud to consolidate file servers and domain controllers. This simplified management and made more people available for other work.

State governments also are being squeezed. Nevada CISO Christopher Ipsen said his office began suffering budget cuts five years ago. He has relied on organizational changes and new security requirements to help simplify and streamline his work. Some of the changes included legislation requiring encryption of data on mobile devices, improved incident reporting for state agencies, penetration testing and continuous monitoring. These changes let him better use his limited staff and required the support of top management.

Getting management buy-in for needed change is essential to doing more with less, the panelists said.

“Take every opportunity you have to communicate the challenges you are facing,” Ipsen said.


 

About the Author

William Jackson is a Maryland-based freelance writer.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.