Where are the cyber pros?
The federal government's need for a robust cyber workforce is a long-standing concern, but meeting the need remains a challenge.
The government's need for a well-trained cyber workforce isn't going away, but where are the people? (Stock image)
For more than a year, leaders at virtually every federal agency have been saying it: "We need a cyber workforce." The qualifications of that workforce vary across organizations – some may need security clearances, specific credentials or specialized training – but for all the talk, what is being done?
A number of factors contribute to the ambiguity surrounding this highly touted, evolving and critical part of the government. Rapidly changing technologies and threats mean that requirements are constantly shifting; funding uncertainties abound; and formal training is in early stages of widespread availability. Moreover, the specialty itself is not well-defined.
The current budget climate, however, might be the biggest hurdle of all, particularly when it comes to getting workers installed in government positions and into fighting form. That is a tall order amid widespread program cuts and the potential for mandated furloughs, according to Gen. Keith Alexander, commander of U.S. Cyber Command and director of the National Security Agency.
"We're getting great people in our staff and in our service components that are building the teams we need," Alexander said at a House Armed Services subcommittee hearing March 13. "The issues that come up with sequester – having to furlough those people that we're bringing in sends the wrong message. Further, the continuing resolution compounds our [challenges] in conducting training missions once we bring those teams in."
And the need for cyber professionals extends far beyond the Pentagon. Across government, agencies are struggling to fill offices with the right kind of employees, particularly those who may need to stretch beyond their core skills.
"Every organization can always use more [cyber professionals]; I don’t think any of us can have enough," said Darren Ash, Nuclear Regulatory Commission CIO. "But we also have to have the right mix of technical skills and the soft skills, working collaboratively with partner organizations."
Whereas in the past the technical people may have worked separately from the employees who do the talking, those divisions do not hold up when it comes to cybersecurity, according to Ash and other officials and experts speaking at an AFFIRM event in Washington on March 14.
"In today's world, when funds are short, I have no choice as a chief information security officer but to use all of the resources within the Commerce Department so I can bring them together in a collaborative way...and capitalize on all that expertise for the good of the department as a whole," said Rod Turk, Commerce Department CISO. "That ability to work with other people is a skill. And highly technical people and highly collaborative people are two different skill sets. You need a diverse group of people who can pull all of that together and drive a solution."
So where to start? Certifications, training programs, internships and even the increasing number of bachelor's degree in cybersecurity areas all have potential, the experts said. According to Ernest McDuffie, lead for national initiatives for cybersecurity education at the National Institute of Standards and Technology, community colleges are emerging as the "pointy edge of the spear" where cyber learning is cost-effective and widely accessible. Still, it is not so simple.
"Part of the frustration is the scale of the issue," said Michael Kaiser, executive director of the National Cyber Security Alliance. "If we just needed 5,000 cybersecurity professionals, we'd only need a handful of really great institutions generating those people. But we need an entire culture, and we need a global population. That changes the way we govern, the way we work together and the way we share information – and we're still in the infancy of that."
And while cyber professionals are in high demand, simply having a diploma in the right area will not necessarily suffice when it comes to landing a job in federal cybersecurity, panelists noted. "I don’t want to leave anyone with the impression that having a degree is the end-all, be-all, because if you have an established network operations center and security operations center...understanding the functional workings of the operations if tremendously important," Turk said. "Even though you have a baseline of knowledge, you have to bring them into the environment... and truly understand that environment."
Despite the progress made so far – and the speakers, as well as Alexander and DOD CIO Teri Takai at the March 13 hearing, all agreed progress has been made – the future of the cybersecurity workforce remains unclear.
"The numbers are mushy to get at exactly what people we need in what area at what places," said McDuffie. "This is really a global issue...the internet and cyberspace doesn't really respect anybody's national boundaries. This is something that's happening across the globe."
It is also a matter of culture change in education, technology and security – and where they intersect, Kaiser added.
"This is about shifting our culture in the way we educate people to defend our country," he said. "That's a challenge."