Workforce training seen as key to cyber success

The situation with the federal cybersecurity workforce is more complicated than many people might assume.

It’s no secret that federal agencies often have difficulty recruiting and retaining security experts. But according to numerous reports, agencies also are running into problems with managing the staffs they have. And they are exacerbating these problems by not addressing the need for cybersecurity-related training and awareness programs among system developers and end users.

Perhaps the lack of training should not be surprising because training programs rarely fare well during tight budgets times. But in this case, the lack of training could be costly, according to the Government Accountability Office.

The ability of agencies to protect systems “is dependent on the knowledge, skills and abilities of the federal and contractor workforce that uses, implements, secures and maintains these systems,” GAO wrote in a February 2013 report. That includes federal and contractor employees who use IT systems as well as system designers, developers and programmers.

The cybersecurity workforce itself, though, remains a particular concern. It’s not enough to simply hire or “train up” cybersecurity workers, experts say. What is needed is a systemic approach to ensuring that an organization both understands its cyber workforce needs and has the resources available to meet them (see sidebar).

That sort of strategic thought is often sorely lacking in federal agencies. GAO notes that a study conducted in late 2011 found that only two of the eight agencies reviewed had developed cyber workforce plans, and only three had developed departmentwide training programs for their cybersecurity workforce.

Several tools are available to help agencies develop cyber workforce strategies. For example, in August 2012, the National Institute of Standards and Technology published the National Cybersecurity Workforce Framework, which provides a common vocabulary for discussing cybersecurity work and the associated knowledge, skills and abilities.

Another resource is the Federal Virtual Training Environment, available through the National Initiative for Cybersecurity Education, a joint effort of the federal government, academia and industry. FedVTE provides a library of training material, including classroom lectures.

Some experts believe that the growing complexity of cybersecurity, combined with the ongoing workforce shortages, will lead to demand for more automation.

More and more cybersecurity solutions that once required considerable expertise to deploy might soon be offered on demand in a software-as-a-service environment, noted Charles Kolodgy, research vice president for security products at IDC, a market research and consulting firm.

“As the IT infrastructure becomes more complicated, driven in part by mobile computing and cloud computing, security will need to be easier to acquire, deploy and operate,” he wrote in a recent report.

Still, automation can only go so far toward securing the infrastructure. Cybersecurity workers are still an agency’s most important resource.

Heidi Shey, an analyst at Forrester Research, emphasized how important it is for an organization to maintain its “security edge.” Part of that is making sure that employees keep their skills up-to-date. But it’s also about “encouraging new ideas to flow” and “preventing the security group from getting stale and set in their ways and habits,” she wrote in a recent blog post.

“A security team and an organization that maintains their security edge will be better equipped to protect their organization and its assets through better decision-making at all levels,” Shey wrote.

Workforce planning: Essential ingredients

In a report released in February 2013, the Government Accountability Office identified seven leading practices that agencies ought to incorporate into their cyber workforce plans:

  • Develop workforce plans that link to the agency’s strategic plan.
  • Identify the type and number of employees needed for an agency to achieve its mission and goals.
  • Define roles, responsibilities, skills and competencies for key positions.
  • Develop strategies to address recruiting needs and barriers to filling cybersecurity positions.
  • Ensure that compensation incentives and flexibilities are effectively used to recruit and retain employees for key positions.
  • Ensure that compensation systems are designed to help the agency compete for and retain the talent it needs to attain its goals.
  • Establish a training and development program that supports the competencies the agency needs to accomplish its mission.

Source: Government Accountability Office