Cybersecurity workforce challenges defy easy answers

The Homeland Security Department is working quickly to address the complex issue of how to effectively develop, recruit and retain a workforce capable of preventing and responding to cybersecurity threats, including the release last month of a report by a special advisory council that put forth 11 recommendations for addressing these challenges going forward.

But while that report is a testament to cybersecurity challenges being high on DHS’ radar, many of its recommendations are shortsighted and do not address the core challenges government and industry face in identifying, developing and retaining these highly-skilled workers,said Hord Tipton, executive director of (ISC)2, on Wednesday.

“The advisory council was given only about 90 days to pull this all together, and it’s a complex issue. It’s not one that lends itself to simple solutions,” Tipton said. “Silver bullets won’t solve this problem. We don’t have one, and I don’t think [the council] produced one either.”

The report, released Oct. 3 by the Homeland Security Advisory Council’s Task Force on Cyber Skills, outlined 11 recommendations, including establishing a department-level infrastructure that oversees the development of the cyber workforce, streamlining the hiring process, establishing a two-year community college program that identifies and trains large numbers of students for cyber jobs and directs the use of department’s direct-hire authority to bring on almost exclusively those with critical cyber skills, until at least 600 of those workers are fully on board.

But Tipton noted that those 600 “super sleuth” workers are not readily available, nor can they be trained overnight. In addition, the report failed to recognize that the cybersecurity community needs other workers with perhaps lesser skill levels than the super sleuths to actually help to better prevent cyber attacks, he said. For example, several reports show that more than 90 percent of breaches that occur are executed with simple attack tactics and could have been prevented, he said.

“We know we don’t have enough of the super sleuths, or the people who look at something after the corpse has already been shot,” Tipton said. “But if we get additional people in to do the basic work of better compliance and eliminate 90 percent of the problems, we’ll be better able to utilize the highly skilled technical people to tackle more difficult problems. A lot of time is wasted chasing and trying to fix things that should have been repaired or taken care of with basic security practices.”

Tipton also noted that there are some great examples of organizations and experts already working to address the cybersecurity workforce challenge, another aspect that the report failed to recognize. “It’s almost like we’re trying to start from scratch with the DHS report,” he said. “There is a lot of good stuff out there that people are willing to share, so why we don’t use that in collaboration kind of befuddles me.”

The focus also needs to extend beyond DHS, Tipton added, noting that the full information security community and the business component should be included in assessing the challenges and needs going forward. “We have to stop preaching to the choir,” he said. “The people who actually make this happen work on the business side, such as the CFOs. You can’t say 600 people at DHS are going to protect the water supply or our banking transactions. Picking out 600 people doesn’t even form a drop in the bottom of the bucket in terms of getting to the root of the problem.”