U.S. intensifies campaign to train, hire, retain cybersecurity professionals

information and developing draft policies. OPM and its auditors have found cybersecurity professionals working in as many as eighteen different federal job “series,” or groups of formally defined jobs. They are mulling whether cybersecurity needs its own series to help define and track that workforce. OPM is also assessing whether hiring authorities and practices need to change, Maureen Higgins, OPM’s assistant director for agency support and technology assistance, told Hoover.

Working groups earlier this year began redefining competency models — the key roles and responsibilities of jobs — for cybersecurity professionals in government. “The end goal is that OPM will be able to develop and implement strategies that will allow agencies to attract, hire, and retain the skilled employees they need to accomplish their cybersecurity missions,” Higgins says. OPM plans to release the new competency models in December.

The Department of Defense is revising its policy for cybersecurity workers, Directive 8570, which outlines the structure and definition of different cybersecurity jobs, describes training requirements, and lists DOD-approved certifications. DOD’s updated policy will clarify cyber law enforcement and counterintelligence roles, standardize skill and competency levels, facilitate training and professional development, and potentially include practical, hands-on exam requirements.

Hoover notes the following:

  • Supply and demand. Beyond defining roles in the cybersecurity workforce, hiring and retaining talent is a tall order. Ed Giorgio, co-founder of cybersecurity services firm Pontetec and former chief code breaker and code maker at the National Security Agency, says even NSA is hard-pressed to hire enough computer scientists to meet its needs. At civilian agencies, many people with responsibility for cybersecurity are “liberal arts majors” who write policy rather than IT staff on the cyber front lines, Giorgio says.

    IT contractors who work for government agencies face some of the same issues. “We’ve got a lot of people working on these contracts who should be technical and are not,” Giorgio says. “When you look at the performance on the job, there’s a very small percentage of the people doing the key work.”

    The shallow talent pool leads to cybersecurity experts jumping from company to company and from job to job, leading to “lost continuity” on projects, Giorgio notes. “The government has a contractor working on a key development project, and all of a sudden they find out he’s gone, taking what he knows with him.”

  • Skills development. Closely related to hiring is cybersecurity training — expanding the workforce through education, skills development, and certification. Government agencies can fill positions from within by giving employees the necessary training or, as programs like NICE kick in, choose from an expanding pool of skilled professionals.

    Many cybersecurity certifications are available. Among the most popular are CompTIA’s Security+ and (ISC)2’s Certified Information Systems Security Professional (CISSP), which are designed to demonstrate competency in a breadth of areas. There are also more narrowly focused certifications, such as the SANS Institute’s Global Information Assurance Certifications, covering areas like security management and IT auditing. Cisco and other vendors also have certification programs, and a few agencies, including the DOD, have their own internal certifications.

    Some federal agencies have their own training programs. The State Department has been providing role-based, instructor-led cybersecurity training for twelve years; it trains more than 1,000 employees annually in areas such as public key infrastructure.

    DHS has been given the authority to use a streamlined process to hire 1,000 cybersecurity pros by the end of 2012, and some of those new hires will end up at the agency’s National Cyber Security Division, home of US-CERT (“DHS to hire 1,000 cyber experts,” 2 October 2009 HSNW).

    Now in its third year, the National Cyber Security Division employs about 300 cybersecurity professionals and 630 contractors. The division’s programs for workforce development include on-the-job training, NCSD-specific modules in FedVTE, instruction through the Federal Cyber Training Exercise program, and mentoring.

    Hoover notes that DHS plans to expand a program co-sponsored with NSA called the National Centers of Academic Excellence, which provides scholarships and grants to students studying cybersecurity at more than 100 colleges and universities.

“As these programs demonstrate, federal agencies are working across the board to close the cybersecurity skills gap, both by hiring from the outside and developing new skills sets internally,” Hoover writes. “Given the stakes involved, the sense of urgency is warranted.”