Developing a Cybersecurity Staff
WHILE DISCUSSING CYBERTHREATS at a conference in Washington, D.C., Department of Homeland Security (DHS) Secretary Janet Napolitano told the audience that her agency wanted more cybersecurity professionals to join the agency—just one sign of the government’s growing effort to beef up its in-house cybersecurity capabilities. Hiring more IT professionals with security skills seems a simple enough task, but several impediments exist. One is a lack of qualified candidates in the United States. Another is a cumbersome federal hiring process. As a way of addressing those issues, several attempts have been made in recent years to strengthen cybersecurity education and to streamline the government’s hiring and retention processes.
One major effort, administered primarily by the National Institute of Standards and Technology (NIST), is the National Initiative for Cybersecurity Education (NICE), which has set general strategic goals for improving U.S. cybersecurity education and increasing overall cybersecurity awareness. Other efforts, both by NIST and other agencies, are serving to streamline, modernize, and increase the overall effectiveness of the way the government hires its cybersecurity work force.
The lack of a sufficiently skilled work force to deal with rapidly evolving and sophisticated cyberthreats is a particularly significant challenge, according to many experts. The United States “doesn’t have the pipeline that can produce the kinds of skills that are needed,” says Hord Tipton, executive director of (ISC)2, a nonprofit that focuses on cybersecurity certification and education.
Cybersecurity education must be up to date and hands-on, according to Ernest McDuffie, who is leading the NICE effort for NIST. McDuffie says that this has been one of the main themes of the feedback received on the NICE strategic plan, which was, until recently, open to the public for comment.
Many people have emphasized that cybersecurity education is strongest when it’s ongoing, he says. “If someone took a class on [cybersecurity] five years ago and hasn’t done anything since, you can pretty much guarantee the knowledge [is] out of date,” he says. Many existing certifications at organizations such as (ISC)2 emphasize ongoing education by requiring separate evaluations or examinations over the course of several years, says Tipton.
The introduction of the NICE initiative has also coincided with a rapidly growing number of cybersecurity educational opportunities. In the past few years, numerous degree programs, at the graduate and undergraduate levels, have been introduced that focus on cybersecurity. More certifications are becoming available, and increasingly, people can take advantage of a growing number of cybersecurity contests, some of which provide winners with funds for education.
The growing number of cybersecurity contests has been particularly valuable because the contests tend to emphasize hands-on skills, according to McDuffie. Organizations “are looking for new people who come into the work force and actually show skills and do things rather than just have theoretical knowledge,” he says. “It’s been well known in educational circles that people learn better when actively engaged.” One strong educational approach could be to combine up-to-date certifications and other educational opportunities with cybersecurity contests, McDuffie says.
As a country, the United States also needs to get more young people to focus their studies in areas such as science, technology, engineering, and math. The United States has been falling behind many other nations in recent years in terms of the number of graduates in such areas, as well as in how graduates score in terms of competency in these fields, notes Tipton. In the field of engineering in particular, the United States is producing fewer graduates than it has in the recent past, according to some reports. “We have to do something about that, to turn it around,” says Tipton.
In terms of the federal government hiring process, a recent Government Accountability Office (GAO) report found that one of the biggest challenges has been an inability to come up with adequate definitions and responsibilities associated with different cybersecurity jobs. “When you don’t have a clear idea what you’re looking for, it’s very [difficult] for human resources to find people for you,” says Tipton, who formerly worked as chief information officer at the Department of the Interior. “You end up interviewing a lot of people, wasting a lot of time, and sometimes hiring the wrong person,” he notes.
A further consequence of unclear job descriptions is that it becomes harder for agencies to develop a clear cybersecurity work force strategic plan, according to the GAO report, which also stresses the importance of such a plan. The report found that only five of the eight agencies it studied had adequate cybersecurity work force plans. The Department of Defense (DoD) was one of them. But some agencies have had difficulty mapping out their work force needs as they’ve “had difficulty even determining the size of their cybersecurity work force,” says Gregory Wilshusen, director of information technology at the GAO.
But the news is not all bad; progress has been made over the years, especially with regard to the creation of specific cybersecurity positions. “When I first began hiring, there were only a few titles for cybersecurity,” says Tipton. One of the main titles was “computer analyst,” he says. “Now there’s everything from systems analyst to firewall engineer.”
The government has also made progress in being more specific in its job advertisements. In the past, for example, Tipton says, “Human resources didn’t want to specify a certificate of any kind” as a requirement for a government IT job. That’s changed. Tipton says that he has seen certain certifications and credentials go from “‘would be nice to have’ all the way to ‘preferred,’ and now we’re seeing it’s a ‘job essential.’”
Another significant challenge in federal government hiring has been the length of the application process and the challenges of candidates needing the appropriate security clearances. In the GAO report, six of the eight agencies identified the length of the hiring process as an obstacle to hiring more cybersecurity personnel.
In 2010, the Obama administration, noting such challenges, instructed federal agencies to streamline and improve the federal hiring process. Requirements included reducing the time it takes to hire new employees to under 80 days and eliminating essay-style questions from initial job applications in favor of résumés and cover letters. They also included adopting a category rating system to help make the process more efficient and, in many cases, working to include hiring managers more closely in the hiring process.
Some agencies have made progress toward achieving those goals, according to the GAO. One agency, DHS, for example, said it had eliminated application questions, had begun implementing category ratings, and had taken measures to increase managers’ roles in the hiring process.
DoD reported that the amount of time it takes the agency to hire new employees is a relatively low 70 days; the DoD also reported that it is taking several actions to improve manager satisfaction with the quality of candidates. But it will take time for many of the ongoing efforts and changes to spread out across the agency, DoD acknowledged. Officials at some other agencies, including the Justice Department, noted, however, that because of hiring freezes, it was difficult to gauge the full results of ongoing reforms.
Another challenge in federal hiring is that incentives used in the hiring and retention processes tend to vary considerably across agencies, according to the GAO. More work should be done to measure the effectiveness of incentives, the report noted. The report added that agencies have a lot of discretion over the incentives they employ. The agency offering the broadest array of incentives, which can range from benefits such as educational loan reimbursements to salary bonuses, is the DoD, according to the report.
While progress is being made in terms of educating and hiring cybersecurity personnel, it is slow going. That is in sharp contrast to the fast-evolving world of cyberthreats, which the government needs to be better able to analyze and address.