Budget pressures, workforce woes and cyber threats converge

A shortage of skilled IT pros comes at a time when cybersecurity must compete for sparse funding.

Cybersecurity consistently ranks as a top concern for federal IT leaders. But too often, surveys show, it may not be their top goal, and even when it is, a lack of funding and the right workforce skills can make it difficult to achieve.

Budget cuts are pervasive, and the IT workplace is at a crossroads with a retiring generation of baby boomers and a limited supply of highly specialized talent. Industry experts say it’s a perfect storm of vulnerabilities.

“When we’re generating 5 trillion bits of data per second, think of what we’re doing to the problem,” said W. Hord Tipton, executive director of (ISC)2 and former CIO at the Interior Department. “The things we need to protect now are growing at a much faster rate than we’re producing people to protect them. Whether it’s crime, fraud [or] cyber terrorism, it’s an immense challenge at this point, and it can actually be life or death. We can’t keep up. Everyone needs to have the proper security staff to minimize the damage when it does come in.”

IT leaders are being forced into a juggling act. In TechAmerica’s 2012 Federal CIO Survey, cybersecurity was the No. 1 concern, but more than half of respondents listed something else as their top objective: cutting costs.

“For us, a good metaphor for the CIO was a magician — someone who has to pull the rabbit out of the hat,” said George DelPrete, a partner at Grant Thornton and chairman of TechAmerica’s CIO Survey Group. “Today the number of things that CIOs need to do hasn’t declined, yet they’re being forced to find ways to innovate with less resources than they previously had.”

In some cases, that has meant skirting the rules. Recently, the Homeland Security Department’s Immigration and Customs Enforcement agency awarded a sole-source IT security contract to its existing vendor instead of conducting an open competition. Officials filed a legal justification saying delayed budget guidance and a dearth of specific skills in the marketplace pushed them to award the contract.

Some insiders say it could set a dangerous precedent, while others say the scarcity might be exaggerated.

“I think there is somewhat of a shortage, but I don’t think it’s as critical as the author of that memo made it out to be,” said Ray Bjorklund, Deltek’s vice president and chief knowledge officer, as quoted in a story by Nextgov.

The right stuff?

At the Defense Department, there’s been a strong focus on hiring highly skilled cybersecurity staff. According to Jim Lewis, a senior fellow at the Center for Strategic and International Studies, DOD is making progress. “It's more about finding people with the right skills,” he said.

But those skills can be expensive, which is not a new challenge. There has always been a struggle between contracting officers seeking efficiencies and decision-makers wanting high-quality and proven entities, Tipton said.

There are short- and long-term ways of addressing the issue. In the short run, agencies need to figure out how to entice a younger generation of workers who are motivated by different perks than their predecessors — and have different strengths. According to the TechAmerica survey, that investment in human capital is needed to fill gaps in personnel and technical know-how.

“We have to think creatively about how to sustain the best people, whether that’s teleworking from a less expensive city or a flexible work schedule,” Tipton said. “We also have to prioritize soft skills in recruiting. One of the reasons agencies lack money is because of hiring technical geniuses, but they don’t know the first thing about convincing a businessman not to cut security funding from the budget.”

For the long term, it’s essential to broaden the talent pool, starting with encouraging students to pursue degrees in science, technology, engineering and math and later fostering more programs and government partnerships with academia.

Will those efforts be enough to counter a shortage of potentially millions of cybersecurity workers?

“We have to face the facts that the [cyberattacks] have gotten so sophisticated that if we don’t have the right people and education, [adversaries] will find the weakest link,” Tipton said. “It’s an ongoing battle.”