Lack of Cyber Career Paths and Training Standards Stymies Security

The Senate's failure to pass comprehensive legislation could stall progress.

Agencies are making some great strides in carving out a space for cybersecurity professionals, but the failure of the Senate earlier this month to pass comprehensive cybersecurity legislation could stall that progress, according to one expert.

Eric Cole, a senior fellow at the SANS Institute, told Wired Workplace on Monday that the lack of strong standards for training and certification and a lack of a clear and defined career path for cyber workers are some of the most critical issues currently facing cybersecurity. The 2012 Cybersecurity Act, which was voted down by the Senate on Aug. 2, would have required strong certification standards and helped build clearer and more rewarding career paths for federal cyber professionals.

“The people in charge of cybersecurity often have less oversight and certification than the person who cuts my hair,” Cole said. “You could argue that getting a bad haircut may ruin your day or week, but why is it that someone who cuts hair has to get licensed and validated, when there are areas where people who secure very important computer systems have no oversight, no certification and no accreditation. To me, that’s where our focus has to be – to make sure that [cybersecurity professionals] really have the skills needed to accomplish the mission.”

Cole said that while some attempts by the government -- such as Defense Department directive 8570, which provides guidance and procedures for training and certifying cyber workers -- are positive starts, what is really needed is more detail. “We need the top-notch folks who in some cases get paid more than their managers,” he said. “What we really need is much more detail, such as the five levels of expertise needed and the requirements and skills to be able to do the job.”

Cole recommended a similar model to that used for training military pilots, who have clear guidelines on what is necessary to do the job, such as classroom and hands-on training. “We need to almost use the same model for classifying information security professionals,” he said.

Still, it’s not just about defining the skills and expertise necessary to do the job. Cole said agencies also are having a difficult time recruiting and retaining cybersecurity workers, pointing to the fact that just a quick search on USAJOBS.gov pulls up more than 4,500 information security job openings, 700 of which are in the Washington area.

Part of the recruiting and retention challenge is that many of the nation’s top schools are training international students who return to their home countries after graduating, including those that present a cyber threat to the U.S., Cole said. Another challenge is that many cyber workers come into government, get top-notch training and experience and then move on to the private sector, which often pays considerably higher salaries, he added.

“The government needs to do what the military does by requiring a service commitment from employees, to say, if we give you great training, then you have to give us three years of service before you can leave,” Cole said.

Even despite tight budgets, Cole said he believes agencies could leverage current internal employees by training those currently in IT jobs in computer security. The key, he said, is finding workers who are not only technical but also creative problem-solvers. “If you look at other disciplines, there are some really smart, creative people who could be very effective at cybersecurity,” he said.