Steve Kirk is vice president of federal at Fortinet. He is a cybersecurity professional with 17 years of experience, 11 of them with Fortinet. Prior to Fortinet, he worked for network security company Secure Computing, 3Com and Foundry. Kirk has 26 years of experience supporting the U.S. federal sector. He is a graduate of Radford University.
Findings from the “2015 PwC US State of Cybercrime Survey” revealed that only 26 percent of those surveyed feel they have the expertise to address cyber risks associated with implementation of new technologies. This means 74 percent of organizations—essentially three-quarters—don’t have the cybersecurity talent they need.
This is the known quantity of the security talent gap. The unknown quantity is the solution to this gap. Why? Because the scope of the challenge is broad and growing, it requires a broadening range of skill sets that are known but also unknown.
This is a significant challenge for the public sector. At one point, not just in the cybersecurity arena but in multiple other areas of expertise such as law, medicine and engineering, the public sector was able to lure qualified candidates for a variety of positions with the promise of stability and benefit packages.
This is not the case today, nor is this just a public sector challenge. Private companies are also feeling the talent shortfall. However, they possess allurements such as stock options and larger paychecks unavailable to the public sector.
The government is not without its incentives, though; it can attract security talent by focusing on purpose, control, influence and challenges. Its market is always broader, with more interdisciplinary opportunities and applications, and its societal influence is longer-lasting. Many people derive greater satisfaction and fulfillment from a public career than from one in private industry.
There is always, however, the need for the government package to meet certain fundamental material aspirations and requirements of employees. The challenge is to balance fiscal requirements with the above-referenced factors.
Challenges exist beyond those related to attractive incentives. The most significant cybersecurity challenge is the unknown. Perhaps former Secretary of Defense Donald Rumsfeld gave the best explanation of this during a news briefing 14 years ago:
There are known knowns. These are the things that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. These are things we don’t know we don’t know.
Unfortunately, attack methods and breaching techniques are constantly evolving. This means finding the elusive talent to overcome present challenges is only part of the solution. Sure, we know the tried and true breach methods. But what about the attacks we don’t yet know? If the method is unknown, then so is the required response. The talent shortfall, therefore, is about much more than just a limited technical pool.
How We Got Here
How did we arrive at this place of shortfall?
During the 1960s, there was a push to interconnect computer systems. But even at that time, concerns were raised about security and data protection. However, these concerns were disregarded in order to focus on connectivity. This same focus continues today. Ease of connectivity first, security later.
The reality, though, is the two are intertwined. Connectivity and security must be coordinated together and be able to scale equally. Data without protection is unreliable and dangerous, and security without data is an empty bank vault, impressive but with neither function nor purpose. The balancing of this yin and yang is the ultimate goal.
Cybersecurity came to the forefront initially because of connectivity, but today it has taken on greater importance. This new prioritization is critical as we continue to encounter cybersecurity’s unknowns. To avoid history repeating itself, this cultural shift needs to flourish, because defective, altered, manipulated, compromised or breached data nullifies the benefits of connectivity.
This will, therefore, require growth in the security talent pool and a broader definition of the talents required for that pool. Fortunately, government agencies are helping to build talent through organizations such as the National Initiative for Cybersecurity Education, but work remains.
The Critical Human Factor
When we take a good look at government agencies’ needs, there is not a single agency that does not need a more robust cybersecurity workforce. Many government agencies are responsible for various systems and critical infrastructures.
While homeland security will always be the greatest risk when it pertains to government, the risk cybersecurity poses extends far beyond just our borders—from roadways to transportation systems to manufacturing. Incapacitation or destruction of any critical homeland infrastructure would have a debilitating effect on security, public safety and the economy. Technology alone can’t protect these systems. To fully protect these critical infrastructures, we need skilled cybersecurity professionals to protect against both the known and the unknown.
The cybersecurity skills gap is real, but it is an issue not only of bodies but of minds. That is, the problem is too important to merely fill vacant positions with warm bodies; those hired need specific skill sets to truly be effective. Here are four key areas those entering the cybersecurity field should have in their knowledge toolbox:
- Knowledge is power: The federal government, informed by the NICE program, is taking steps to establish an ecosystem of cybersecurity education, training and workforce development across the public and private sectors. Keeping up to date with NICE’s recommendations will give you a leg up on the competition.
- Back to basics: For any cybersecurity position, a basic level of understanding how IT messaging works is foundational. Having the knowledge of how programs exchange messages and what data or information is included in those messages is paramount for cybersecurity professionals.
- Understanding people: IT today is about much more than knowing how technology works. Sure, understanding how technology works is most definitely needed, but what is more important is having an understanding of the people using the technology. Knowing human nature and characteristics of those using the technology will provide a better understanding of how preventable breaches such as email phishing attacks infiltrate networks.
- Application: Cyber threats hit close to home if you consider how much of our personal information resides in digital form. From banking to health care to even our taxes, all are for the most part done online or in digital form. These are the known knowns. We know the type of data and we know it is at risk, but without groomed professionals prepared to fight the cyber crimes of tomorrow and keep this data protected, all of our online information can be compromised and held hostage. We must apply the key learnings from these knowns to future unknown threats so they can be anticipated and mitigated earlier, or blocked altogether.
Citizens rely heavily on critical infrastructure and other connected government services. Bridging the cybersecurity talent gap must become an essential priority for government agencies. This is easier said than done, but it is not impossible. It will require educating, building and reinforcing our cybersecurity talent pool and workforce through expanding their knowledge toolbox in the four ways listed above.
Creating programs and public/private partnerships to actively recruit more individuals into the cybersecurity field is another key tactic. Acting now will enable the government to create the workforce needed to safeguard the nation’s assets and its citizens from the known and unknown threats ahead.