Workforce is the key to tight security on a tight budget

SAN FRANCISCO—Developing and maintaining a professional workforce is the key to maintaining cybersecurity, especially when budget dollars are scarce, a panel of government chief information security officers said.

 “If 80 percent of my budget is labor, I am not going to be able to deal with a 10 percent budget cut with just technology,” said Matthew McCormick, CISO of the Defense Intelligence Agency.

A panel discussion on Feb. 28 at the RSA Conference on providing cybersecurity on a government budget quickly focused on the workforce. While budgets are shrinking or at best static, agencies are competing to acquire experienced workers. and struggling to keep them.

Hord Tipton, executive director of ISC2 and former Interior Department CISO, cited Labor Department statistics showing a zero percent unemployment rate in cybersecurity.

“You can’t afford to lose the people you are depending on today,” said Patrick Howard, outgoing CISO at the Nuclear Regulatory Commission.

The NRC prides itself on having a good work environment, but it is not immune to budget challenges. “We haven’t had a budget increase in three years,” said Howard, who will begin working at the National Science Foundation in March. The NRC is working with unions on a workforce restructuring that could include lowering the government worker grade structure to allow hiring more workers for the same cost. That is not expected to happen before 2016.

Restructuring, both networks and jobs, is essential to better use of a limited workforce, the CISOs said.

Brent Conran, former House of Representatives CISO and now CSO at McAfee, said while at the House he consolidated 800 Active Directory domains and built an internal cloud to consolidate file servers and domain controllers. This simplified management and made more people available for other work.

State governments also are being squeezed. Nevada CISO Christopher Ipsen said his office began suffering budget cuts five years ago. He has relied on organizational changes and new security requirements to help simplify and streamline his work. Some of the changes included legislation requiring encryption of data on mobile devices, improved incident reporting for state agencies, penetration testing and continuous monitoring. These changes let him better use his limited staff and required the support of top management.

Getting management buy-in for needed change is essential to doing more with less, the panelists said.

“Take every opportunity you have to communicate the challenges you are facing,” Ipsen said.