Promoting cyber and science, technology, engineering and mathematics (STEM) education and creating cybersecurity scholarships are two key ways federal cybersecurity workforce challenges can be addressed, according to a recent Government Accountability Office (GAO) report.
Cybersecurity skills gaps, recruiting and retaining qualified staff, and the federal hiring process itself are top challenges for agencies working to ensure they have a strong cybersecurity workforce, GAO explained.
“Cybersecurity professionals can help to prevent or mitigate the vulnerabilities that could allow malicious individuals and groups access to federal IT systems,” report authors wrote. “The ability to secure federal systems depends on the knowledge, skills, and abilities of the federal and contractor workforce that uses, implements, secures, and maintains these systems.”
GAO added, though, that the Office of Management and Budget (OMB) has found that both the federal government and private industry frequently face a cybersecurity talent shortage. A lack of cybersecurity professionals makes it more difficult to protect the nation’s IT networks and could leave federal systems vulnerable to attacks.
For identifying and closing skill gaps, GAO recommended that organizations set the strategic direction for IT workforce planning, analyze the workforce to identify skill gaps, and develop strategies and implement activities to address those gaps. From there, entities must monitor and report progress in addressing the gaps.
Federal agencies should offer incentives to assist in their hiring process, GAO suggested. This can include recruitment, relocation, and retention incentive payments, as well as student loan repayments, annual leave enhancements, and scholarships.
GAO also discussed difficulties in the federal hiring process, noting that it often doesn’t meet agency needs, does not fill managing positions with the right talent, and does not give applicants “a timely, efficient, transparent, and merit-based process.”
“The federal hiring process is often an impediment to the very customers it is designed to serve in that it makes it difficult for agencies and managers to obtain the right people with the right skills, and applicants can be dissuaded from public service because of the complex and lengthy procedures,” the report authors explained.
The report did highlight several executive branch initiatives to improve the cybersecurity workforce. For example, the National Initiative for Cybersecurity Education (NICE) “is a partnership between government, academia, and the private sector that is coordinated by NIST to help improve cybersecurity education.”
NICE also published the National Cybersecurity Workforce Framework in 2013, which defined 31 cybersecurity-related specialty areas that were organized into seven categories.
“Among other things, the revised framework defines work roles within each specialty area and also describes cybersecurity tasks for each work role and the knowledge, skills, and abilities demonstrated by a person whose cybersecurity position includes each work role,” GAO stated.
These initiatives, along with other activities designed to improve the cybersecurity workforce, are working to overcome the current challenges in hiring skilled cybersecurity workers.
“If effectively implemented, these initiatives, laws, and activities could help establish the cybersecurity workforce needed to secure and protect federal IT systems,” report authors concluded.
Previous studies have found that a cybersecurity skills gap can create potential data security issues for organizations.
ISACA’s State of Cyber Security 2017 report found that 37 percent of organizations said that fewer than one in four candidates have the qualifications employers need to keep companies secure.
Additionally, 59 percent of surveyed organizations receive at least five applications for each cybersecurity opening, with only 13 percent receiving 20 or more. More than one in four companies added that the time to fill priority cybersecurity and information security positions can be six months or longer.
“Though the field of cyber security is still relatively young, demand continues to skyrocket and will only continue to grow in the coming years,” ISACA board chair Christos Dimitriadis said in a statement. “As enterprises invest more resources to protect data, the challenge they face is finding top-flight security practitioners who have the skills needed to do the job. When positions go unfilled, organizations have a higher exposure to potential cyberattacks. It’s a race against the clock.”
Experience is key, the study found, as respondents said formal education was unimportant when compared to other areas. Formal education was barely rated higher than personal endorsements and recommendations.
“The lack of a practical experience and hands-on capability in the field of cyber security presents a quagmire for most hiring managers in an enterprise,” the researchers wrote. “Although some people within the industry may view cyber security as a longstanding, entrenched career field, others view the field as relatively young.”