In mid-July, the White House released its “first-ever”Cybersecurity Workforce Strategy, a directive under the Cybersecurity National Action Plan (CNAP) and the President’s 2017 budget. Its goal is to “…grow the pipeline of highly skilled cybersecurity talent entering federal service, and retain and better invest in the talent already in public service.” The government believes that by implementing this Strategy, it will elevate the attractiveness of public service to such a level that every private sector cybersecurity leader will ultimately deem it essential to his/her career to complete a tour of duty in federal service. How many cyber and IT professionals are they looking to attract? According to the White House blog, the magic number is 3,500. How long will it take? The goal is to reach its target number of new hires in six months’ time.
For those industry stakeholders who have evolved their corporate mission and dedicated significant organizational resources to solving this extremely complex cybersecurity workforce shortage, at first glance, this Strategy might appear to be lofty at best. On the other hand, it is extremely validating. This new Strategy demonstrates that the government is listening to the voice of (ISC)2 and to the many other organizations that have done the work to develop and provide sound recommendations, including those cited in the survey we just released in May. This Strategy demonstrates that those responsible for the government’s cybersecurity workforce challenge at least know what it’s going to take to fix the problem.
I am honored to participate in one of the sub working groups under the National Initiative for Cybersecurity Education (NICE) Working Group at large, which operates out of the National Institute of Standards and Technology (NIST). These subgroups provide a mechanism in which public and private sector participants can develop concepts, design strategies and pursue actions that advance cybersecurity education, training and workforce development. I am thrilled that NICE and its National Cybersecurity Workforce Framework was mentioned as part of the White House Strategy and will continue to be a key initiative moving forward.
Will the government successfully recruit, retain and train enough cyber candidates to meet its magic number by the start of 2017? Probably not, but it has to start somewhere. As (ISC)2 and our U.S. government members support the government in these efforts, we would encourage the following:
1) Shift the focus from quantity to quality. The government’s hiring process needs to be restructured to recruit qualified IT and security professionals. While it is tempting to throw bodies at the problem, if recruits are not properly vetted and have no proven track record, the government will have an even greater challenge on its hands than a workforce shortage.
2) Push the government to fund it. This Strategy is yet another unfunded requirement, a challenge magnified by the fact that the country is getting ready to enter a lame duck session. If we don’t do something to fund this Strategy quickly, we will find ourselves reading the next iteration of the same Strategy this time next year.
3) Keep relationships strong, communicate often. The White House Cybersecurity Workforce Strategy validates everything we have been saying about how to approach the global shortage of cyber personnel. Government is listening, industry needs to keep talking.
As to what it will realistically take to attract private sector leaders to federal service, we would like to hear from our members and the cybersecurity community at large. Are the Strategy’s proposed efforts to make federal service more attractive sufficient? If not, what will it take for our private sector members to view a stint in federal service an essential career move? Let us know in the comments below.
By Dan Waddell, CISSP, CAP, PMP, Managing Director, North America Region and Director of U.S. Government Affairs, (ISC)²