Modern field guide to security and privacy

Obama plan to boost cybersecurity workforce fails to impress professionals

Cybersecurity experts say a White House plan to bolster numbers of professionals working to safeguard federal networks doesn't go far enough. 

Attendees at the 2016 Black Hat cybersecurity conference in Las Vegas, Nevada, U.S. August 3, 2016. REUTERS/David Becker

The battle over encryption on consumer devices isn't the only area where many in Washington and Silicon Valley diverge when it comes to cybersecurity. 

They also can't seem to agree on the best path to grow the federal cybersecurity workforce so government agencies can better defend against breaches such as last year's massive Office of Personnel Management breach.

While the White House recently proposed a series of measures to address the lack of skilled digital defenders working for the government, many cybersecurity experts say the plan doesn't go far enough – and won't be implemented soon enough – to adequately address the severity of the cyberthreat facing the US.

"The strategies that have been defined appear to address the challenges currently faced," says Candy Alexander, a member of the Board at the Information Systems Security Association (ISSA), a cybersecurity nonprofit organization. "[But] it appears to address the problem with old solutions.”

The White House Federal Cybersecurity Workforce Strategy is the government's first-ever plan to bolster the number of information security workers and represents several years of research and study on the topic.

The strategy includes short-term measures such as hiring 3,500 more information security professionals in government by January 2017 and longer-term initiatives such as increasing salaries and establishing formal career paths for government cybersecurity professionals.

The plan also calls on government agencies to expand the sources from which they recruit security professionals and explore opportunities to establish fellowship and other programs for attracting top talent. Up to $62 million will be available in fiscal 2017 for cybersecurity education and training.

Several senior White House information technology officials have cast the plan as a "meaningful first step" but one that will take time to implement and require support from industry stakeholders to become a success.

“It sets forth a vision where private sector cybersecurity leaders would see a tour of duty in federal service as an essential stop in their career arc,” the officials said in a White House blog post last month.

Karen Evans, who served as the de facto chief information officer for the US government before President Obama created the official office, says the new White House strategy addresses many of the issues that federal agencies have been dealing with for years in their efforts to attract and retain more information security professionals.

"These are the things that everyone is working on," notes Ms. Evans, who is currently the national director of US Cyber Challenge. "The workforce strategy articulates all the different initiatives that have to be undertaken at a national level,” to address the skills issue.

In that sense, the White House initiative represents a step in the right direction, she says. But as with many federal proposals, the devil is in the detail, private sector security experts say.

The planned federal investment in education and training, for example, is laudable but unlikely by itself to generate the cybersecurity talent that federal agencies need, said many experts.

"The private sector has found that graduates from any technology university program are already behind in skills and knowledge," by the time they hit the job market because of the rate at which technology and risks change, says Ms. Alexander of ISSA.

A better bet in the short-term would be to put more emphasis on obtaining talent from other careers that have transferable skills that can be used in cybersecurity. A stronger focus on "just in time" learning is another approach worth focusing on, says Alexander. "Cybersecurity is heavily focused on technology, and cybersecurity staff need the ability to keep up with their skills and learn the latest technologies."

There are also questions over whether the White House proposal will do anything to boost the availability of security skills in areas such as cybersecurity analytics, risk assessment and management, penetration testing and incident detection and response.

Security analysts consider such skills critical to an organization’s ability to defend itself against cyberthreats. But government and private organizations have had an especially hard time finding and retaining such talent because of the broader lack of skilled professionals in the industry.

"There are a lot of people in government calling themselves cybersecurity workers and they do important things" such as implementing security guidance, remedying flaws, and administering systems, says Frank Reeder, a former IT official at the Office of Management and Budget and cofounder of the Center for Internet Security. "They are good folks and they need to continue what they are doing."

While the White House workforce proposal will likely end up bolstering the availability of such skills within government agencies, it offers little by way of incentive to ensure availability of the high-end specialist skills that are sorely needed, says Mr. Reeder.  

“Until the government and enterprises focus on that piece of the cyber workforce all we are doing is playing a numbers game,” he says. “We won’t have the high-end skills to provide a first line of defense.”

 
