Can federal programs address cyber training?
The government is beginning to tackle the need for cybersecurity professionals through training and education efforts aimed at all levels.
The government is trying to increase the pool of talented cybersecurity professionals with programs aimed at education and training. (Stock image)
The constantly evolving landscape of cybersecurity makes it difficult to stay ahead of the recruiting curve for skilled cyber professionals, but the dearth of such experts in the federal government has roots in the earliest levels of education. Now a handful of federal programs are tackling the issue, from elementary-school education to advanced professional training, with the hope of eventually alleviating a top worry of security executives across the government.
Despite significant growth in the cybersecurity workforce in recent years, managers are still feeling the personnel pinch, a new study from Frost and Sullivan and (ISC)2 indicates. According to the report, more than half – 56 percent – of information security professionals who responded believe there is a workforce shortage. It is creating a burden for existing personnel that stems from a narrow career pipeline, the report noted.
"You can spend a billion dollars on security hardware and software, but the problem is human," Montana Williams, director of the National Cybersecurity Education and Workforce Development Office, said at an (ISC)2 event on May 7. "So where does education and training come into that? How do we set a national standard that gives people a pathway of success, taking them from hiring to retiring?"
Williams said one issue is demographics, noting that 79 percent of federal IT workers are over the age of 40, while only 5 percent are under the age of 30.
To confront the issue, his office is focused on increasing awareness, broadening the pipeline and growing the profession, Williams said. Among the initiatives is a National Initiative for Cybersecurity Careers and Studies portal, launched in February, that Williams hopes "will become one-stop shop for the nation when it comes to cybersecurity careers and opportunities." Other plans involve academic centers of excellence updated for modern standards and requirements, and collaboration with educators to incorporate cybersecurity into early learning.
"It's hard for the federal government, even Department of Education, to dictate formal education all the way down to elementary level," said Williams, who stressed the need for engagement in STEM education at local and state levels. "We're teaching teachers to integrate cybersecurity into math, into history, into government, into biology – where is the nexus of cybersecurity in those basic disciplines?"
The efforts also include higher levels of education, including in college, but federal officials and others involved also are ramping up workforce-targeted plans.
The National Institute for Standards and Technology is making measurable progress with its national cybersecurity workforce framework, which has created a reference point for federal agencies working to identify gaps in skills in their workforce and to hire accordingly.
"It uses language that's general enough that government, private sector, military or academic can relate to it...we're seeing a lot of synergy," said Dr. Ernest McDuffie, lead for the National Initiative for Cybersecurity Education at NIST. "For the first time this allows federal managers to go in and look at job codes for IT specialists in the federal government...and identify exactly what those people are doing so then they can help establish a baseline to do some real gap analysis."
The framework, along with a new cybersecurity maturity model and diagnostic tools for determining staffing and security requirements – including risk assessments that Williams said agencies sorely need – are key for the emerging emphasis on workforce planning.
"We tend to peanut butter-spread our personnel and our resources across the entire organization, and that mindset needs to change...and focus on what most needs to be protected and what doesn't," Williams said. "That's what cybersecurity workforce planning does, that's what the maturity model is and that's what the diagnostic tool does – it puts that in human terms. How do you put those key human resources in the right spots, and what does that look like?"
According to the (ISC)2 report, more than half of those surveyed believe the most important resources center on people, including management support, qualified staff, policy adherence and staff training. That pattern likely will be reflected in the coming year as more than a third of C-level executives plan to increase spending on personnel and education and training, the report noted.
"Changes in IT and evolving IT norms on how, when and where business operations occur – such as BYOD, cloud computing and social media – remind us that information security professionals must be highly adaptable...in order to manage a dynamic range of risks," the report noted. "Consequently, information security professionals have no downtime; there are always new risk management challenges to address."