Seven Steps to Solving the Cyber Skills Gap

Cybersecurity professionalization nonprofit (ISC)2 earlier this month offered key federal agencies a series of next steps that can help address a persistent skills shortage in the cybersecurity field.

In a Dec. 2 letter to officials at the White House, the Homeland Security and Defense departments, the National Institute of Standards and Technology, and members of academia and other influencers within the federal workforce community, (ISC)2 outlined seven key steps agencies can take to advance the cybersecurity workforce and address skills shortages.

The letter highlights the 2013 (ISC)2 Global Information Security Workforce Study, which identified a significant gap between the supply and demand of qualified cybersecurity professionals. While 61 percent of federal government respondents agreed that their agency has too few information security workers to effectively manage threats, the study found federal respondents viewed the underlying cause of those staffing shortfalls differently from their global peers. More than half of federal respondents, for example, said the greatest reason their agency has too few information security workers was because business conditions could not support additional personnel.

“Other experts around the world represent that the problem of the skills gap lies primarily with the difficulty in finding qualified personnel and funding challenges,” W. Hord Tipton, executive director of (ISC)2, wrote in the letter.  “So what really is the underlying challenge in the federal environment, and do IT security insiders hold a differing opinion than those on the outside of public and private sector organizations?”

(ISC)2 made seven recommendations to agencies to help solve the skills gap challenge:

• Update the Federal Acquisitions Regulations (FAR) with language to ensure cloud providers adhere to federal laws and policies and ensure that personnel responsible for providing cloud services and securing data in the cloud have the appropriate training and skills.
• Ensure that FAR contains modular language related to the acquisition of secure and resilient technology and software through assured supply chains.
• Demand top-notch software that meets minimum levels of assurance and ensures security is built in to products. This requires employing qualified security software professionals in the development lifecycle.
• Establish a cyber special forces team that is part of the federal government’s employment structure but culturally may not assimilate into the federal workforce.
• Review the Scholarship for Service and the Centers for Academic Excellence programs to determine if they meet the needs of the federal government.
• Assign accountability for information security failures to mission and business owners. Currently, chief information officers and chief information security officers often become scapegoats for a lack of security investment by program managers, the budget office or senior management.
• Apply a Defense Department directive across government to help agencies match cybersecurity skills in accordance with Defense and global standards.

The recommendations were gathered at the 10^th anniversary of (ISC)2’s U.S. Government Advisory Board for Cybersecurity, where former and current board members representing federal CISO-level executives offered insight into the underlying challenges agencies face in finding and hiring qualified cybersecurity personnel.  

“Our goal in delivering these recommendations to key influencers is to help the U.S. government close the workforce skills gap and to strengthen information security via avenues such as existing frameworks, the acquisition process and personal accountability, among others,” Tipton said in a statement.