Can our governments really afford to fall further behind in IT security competence? Recruiting isn't enough.
Those of us in government circles hear an awful lot about the high demand for information security professionals. I admit I just may be someone who shouts the loudest on any given day. Indeed, the US government (and the world) is in grave need of more qualified people.
However, I am seeing an equally troubling trend that is impacting those who already work in government cyber positions and one that must be addressed as agencies formulate their security strategies for the new fiscal year: IT training and educational opportunities for existing personnel appear to have reached an all-time low.
Just prior to the sequester last fall, my organization, (ISC)², asked approximately 1,600 information security professionals from the federal government to forecast their training/education budgets. Nearly half of respondents reported that 1) their agency’s training budgets had remained the same over the past 12 months, and 2) they expected an increase in the coming year.
Yet, as 2013 rolled out its schedule of educational conferences, slowly but surely, government attendance started to decline, government leaders started to pull out of their speaking obligations, and several of the tried-and-true information security conferences were actually cancelled. My colleagues are reporting stagnant growth in education and training of new and existing practitioners and professional across the board.
In analyzing the reasons for this year’s absence of IT professionals from conferences and other training events, is it really the result of a few bad apples caught in the act of wasteful conference spending in other areas? Or is it the result of security budget cuts, starting when the sequester hit? Either way, is it in the government’s best interest to focus on recruiting new hires and yet neglect the advancement of those who are already in the ranks?
Army personnel recently considered professional development such a high priority that they created an online interactive means for personnel to engage in its October Annual Meeting and Expo despite budget and travel cuts. Yet, other agencies that actually received significant funding for information security initiatives this year withheld budget approval for their information security personnel to attend our annual Security Congress last September.
How can we say that we don’t have enough qualified information security personnel when we don’t adequately train the people we do have? Consider that this is the fastest growing career field in the world, and yet we are not keeping up with training.
Is online professional development the way of the future? Perhaps. Online conferences and educational opportunities will likely serve in the interim while sequesters, shutdowns, and debt ceilings are being debated on the Hill. The good news is that most professional organizations, including (ISC)², have invested substantially in their online training/education capabilities in recent years. We have very sophisticated online training tools and are recognizing a sizable uptick in registered users.
While the online dimension is certainly a viable option in the interim for those professionals serious about increasing their knowledge, anyone who has attended the RSA Conference, Blackhat or the (ISC)² Security Congress knows that the element of human interaction greatly enhances one’s educational experience. There is something very powerful about being in a room of peers who are grappling with the same challenges and who are provided the forum to exchange ideas and successes.
The government ultimately needs to get back to that place and budget for the full experience of professional development. As for the bad apples who take advantage of educational opportunities, those few will never disappoint. Let’s just hope that greater accountability measures are in place as a result. Let’s also not forget that there are a lot of good apples in the bunch who are dedicated to keeping our national assets secure and who deserve the chance to grow in all areas of professional development.
With exponential growth in emerging technologies and sophistication of the attack we defend against daily, we simply cannot afford to fall even further behind.
Security Job #1 For FedsThe 2014 InformationWeek Government IT Priorities Survey shows federal IT pros care about security - itís rated as very important by 69% of respondents, 30 percentage points ahead of the No. 2 priority, disaster recovery. Will the upcoming NIST cyber-security framework help manage risk?