Agencies eager to step up cybersecurity training
If knowing what you don’t know is a form of knowledge, government employees appear to be getting smarter all the time.
As the cybersecurity environment becomes increasingly complex, government information technology workers say that their agencies need more staff with cybersecurity expertise and that at least some of that staff needs access to more specialized training.
All told, 40 percent of respondents said that the IT team at their agencies is understaffed to combat perceived cybersecurity threats, while another 37 percent said their staffs were barely adequately sized, according to a recent survey by the 1105 Government Information Group. Only 22 percent said their IT staffs were ideally sized. (See chart.)
And nearly one-third of respondents said their agencies’ IT employees were not really trained to combat cyber assaults, with 50 percent saying they were adequately trained. Only 18 percent said their IT employees possessed expert knowledge.
Looking at departmentwide initiatives, agencies are doing fairly well when it comes to basic security awareness training. What is missing, though, is security training geared toward further developing the skill sets of employees with specific interests in cybersecurity.
Nearly 60 percent of respondents said they were not satisfied with the budget for role-based training available at their agencies, with another 31 percent saying they were somewhat satisfied and only 10 percent very satisfied. The numbers were nearly identical when it came to professional development and education. (See chart.)
The Obama administration is aware of these concerns. The Federal Chief Information Officers Council teamed with the National Initiative for Cybersecurity Education to assess the state of the federal IT workforce in the area of cybersecurity.
7 best practices in workforce planning
In a February report on the federal government’s cybersecurity strategy, the Government Accountability Office identified seven leading practices that agency workforce planning should address:
Link workforce plans to the agency’s strategic plan.
Identify the type and number of employees needed for an agency to achieve its mission and goals.
Define the roles, responsibilities, skills and competencies for key positions.
Develop strategies to address recruiting needs and barriers to filling cybersecurity positions.
Ensure that compensation incentives and flexibilities are effectively used to recruit and retain employees for key positions.
Establish a training and development program that supports the competencies the agency needs to accomplish its mission.
The study by the Federal CIO Council and the National Initiative for Cybersecurity Education, released in March, identified three areas in which more training was needed: information assurance, vulnerability assessment and knowledge management. Information assurance is in highest demand at the GS-4 level and below, the study found.
Another factor to consider is contract employees. In June, the inspector general of the Homeland Security Department criticized the department’s Office of Cybersecurity and Communications (CS&C) for not developing an effective process to ensure that contractors working on the CyberScope program receive the training they need to do their jobs.
“CS&C cannot guarantee the security of the data collected through CyberScope without ensuring that all people involved understand their roles and responsibilities and are adequately trained to perform them,” the IG report states.
On the other hand, DHS is one of the federal government’s bright spots when it comes to role-based training. In fiscal 2012, the department began developing a Microsoft SharePoint-based program to enable its different components to share training content and opportunities, according to a separate report by the DHS IG. In this process, DHS officials have identified more than 100 unique “significant security roles” across the department, the IG reports.
Beyond meeting specific training needs, the Obama administration would like to work with experts across government and industry to develop a more methodical approach toward building a cyber workforce, according to the fiscal 2012 report to Congress on the implementation of the Federal Information Security Management Act of 2002.
To make that happen, however, cybersecurity leaders must come to terms on a basic cybersecurity vocabulary.
“In the past, there has been little consistency in how the cybersecurity workforce and cybersecurity work is defined or described throughout the nation,” the report states. “The absence of a common language to discuss and understand the work and skill requirements of cybersecurity professionals has hindered our nation’s ability to baseline capabilities, identify skill gaps, develop cybersecurity talent in the current workforce and prepare the pipeline of future talent.”