The root cause of many breaches is a shortage of qualified IT professionals.
There’s at least one thing missing from the National Institute of Standards and Technology’s new presidentially-mandated cybersecurity framework: a plan to bolster the nation’s cybersecurity workforce and address the ongoing shortage of skilled cyber staff.
The framework, released Wednesday, provides organizations charged with providing the nation’s financial, energy, health care and other critical systems with a structured set of standards and guidelines to help manage cyber risks.
But while the framework represents a positive step forward, it’s still deficient in addressing what is often the root cause of lower security incident preparedness – a shortage of qualified information security professionals, W. Hord Tipton, executive director of (ISC)2, told Wired Workplace.
“A skilled workforce is the foundation of any successful security program,” Tipton said. “I believe the success of the cybersecurity framework will depend on how quickly and effectively the area of workforce shortage is addressed.”
Tipton attended a briefing on the framework at the White House on Wednesday that featured executives from companies including Lockheed Martin, AT&T and Pepco Holdings. And while cyber workforce issues were not emphasized in the framework as a critical piece of the cyber infrastructure puzzle, many event participants acknowledged it as a key area of focus, he said.
“There were some interesting questions about the framework, and some involved the workforce issue,” Tipton said. “Many acknowledged how hard it is to find the right skill sets for the types of jobs needed. It’s encouraging to see CEOs speaking to that level on the IT threat that they deal with every day.”
Still, it’s possible that the framework is depending on other initiatives, namely the National Initiative on Cybersecurity Education, to address the cybersecurity workforce piece, Tipton added. The Homeland Security Department in particular is about to unveil a new set of standards to help critical infrastructure organizations best recruit cyber workers, classify jobs and effectively evaluate cyber skills, he said.
Tipton said the next step for (ISC)2 is to incorporate the new standards outlined in the NIST framework.
“The first thing we’ll do is map some of the standards into our education and credentialing program to make sure that the people we educate and certify ultimately can walk into and be expected to deliver against this framework,” Tipton said. “That’s always a test of our research and our credentials as to how well we do when we bring our people together and update our product.”