Education Department Knows It Needs Cyber Skills, But Doesn't Know Which Ones

The Education Department knows it needs a strong cybersecurity workforce. It even has a framework for what constitutes “strong.” The only problem: officials aren’t sure who they need to hire to get there.

The department issued a request for information seeking industry input on how to organize its cybersecurity workforce, identify talent gaps and provide the right kind of training to all employees. Education officials in the Office of the Chief Information Officer are using the National Initiative for Cybersecurity Education, or NICE, framework developed by the National Institute for Standards and Technology as a guidepost, but want information on industry best practices and IT systems to manage cybersecurity across the workforce.

Based on the NICE framework, 90 percent of the department’s 4,000 employees have at least some cybersecurity role, though it constitutes less than 10 percent of their daily duties. Cybersecurity is a more significant part of the remaining 10 percent of employees’ jobs, accounting for 30 percent or more of their duties, according to the RFI.

“The department needs to execute on a series of tasks that will ultimately lead to the identification of the cybersecurity workforce, update positions descriptions to capture the work employees should be doing as well as develop position descriptions for future workforce needs,” the RFI states. “Additionally, the department needs to assess and document the current resources and skill gaps and develop training plans for the department as a whole and for those individuals who will be doing the work.”

The RFI ask for feedback on a dozen questions, including:

1. What are industry best practices and automated tools that are used in order to enhance workforce planning, identify key capabilities, capacity gaps and critical needs of a workforce?
2. Please describe approaches to identify required skill gaps for a variety of employees who hold various cybersecurity roles within an organization.
3. What is an effective method and tracking system for establishing programs for training and certifying/tracking certifications of the cybersecurity workforce identified in Question 1?
4. Describe approaches to perform an organizational needs assessment on an organization tasked with performing cybersecurity functions for an organization.
5. What is an effective method to update position descriptions for the cybersecurity workforce described in Question 1? Updates may be required from 400 (major updates) to 3600 (minor updates) employees.
6. Describe how an agency could approach expanding the cybersecurity workforce, especially those whose major duties are security system and data, through recruitment of highly skilled talent.
7. What are methods to retaining and developing highly skilled talent? How would an agency promote an enterprisewide approach to retention and development to support the continued enhancement of the cybersecurity workforce?
8. Considering the previous descriptions and questions, are there any deliverables (plans, reports, etc.) that your company normally provides or recommends to your public and private sector customers that could be particularly beneficial to the department?
9. What metrics are most effective to measure success in the areas of cybersecurity training and workforce development?

Interested parties have until 10 a.m. on April 3 to respond.