Federal Chief Information Security Officers (CISOs) and information security executives face a number of challenges in today's dynamic, fast-paced environment. These challenges include advanced persistent threats, system vulnerabilities, and regulatory compliance, to name a few -- all of which require a dedicated and knowledgeable team of information security professionals. Yet, how do federal information security leaders put together and maintain a team that is effective in using processes and technology to secure enterprise systems and data when such people are so hard to come by?
Let's take a look at how we got here. In the aftermath of 9/11, there was a concerted effort across the federal government space to increase the size of information security or information assurance (IA) teams to help address the need for continuity of operations, disaster recovery solutions, certification and accreditation, and other IA requirements.
Now fast forward to 2014. The federal government community is still dealing with the aftermath of the two-week shutdown that occurred in October 2013. This event forced some information security workers -- both feds and contractors alike -- to seek employment elsewhere and find positions that offered more stability. Challenges such as this, along with competition, supply/demand, and budget constraints, have undermined the information security talent pool. This all adds up to a workforce crisis.
So where do we go from here? As with any crisis, both long-term and short-term fixes are needed. For the long term, several government initiatives are already underway. For example, the National Initiative for Cybersecurity Education (NICE) was established in 2010 to raise national cyber security awareness, broaden the pool of cyber security workers through strong education programs, and build a globally competitive workforce. NICE developed a national cyber security workforce framework to codify cyberwork and to identify the specialty areas of cyber professionals. An update to the framework was announced in May of this year.
But initiatives such as NICE need additional time and effort in order to achieve tangible and lasting results. What can agencies do in the short term? Here are some recommendations:
Craft your recruiting message. Some folks will want to climb the ladder, others will want an exciting opportunity that will look good on the resumé. For the former group, recruits will want to see how they will progress and grow while at your agency. For the latter, highlight interesting, unique, and dynamic aspects of the work. Make sure your message speaks to both audiences.
Take inventory. Discover what types of hidden talents and skills may already exist within your current team and move workers around as needed. For example, you may have employees currently tasked with audit and compliance work that have more of a technical security engineering background and passion. This will also help make your team much more versatile and give it more of a "bench" in the event of staffing shortages due to vacations, unplanned time off, etc.
In-reach and communicate. We talk about outreach all the time, but what about "in-reach"? This concept involves performing typical outreach and communication activities within your current team. Hold brown-bag sessions to help educate and inform employees working in other departments. Rotate the sessions so everyone has a chance to learn from one another.
Spring cleaning. It may be summertime, but consider performing some spring cleaning to freshen up stale job descriptions. Review job postings to make sure they are relevant and embrace social media whenever possible to reach the millennial crowd.
Hire a veteran today. Members of the workforce who are also veterans have some unique advantages. Many of them already have active security clearances, which are tough to find and are more important these days. Veterans may have already received some sort of IT and/or infosec training while in service.
Investigate and network. See what tools you have within your agency (e.g., direct hire authority, bonuses, career fairs, training, etc.) that may improve your chances of landing the right candidates. Network with other infosec professionals to meet others who may be looking for their next opportunity. Several organizations such as ISSA, OWASP, ISACA, and (ISC)2 may have active chapters within your geographical area that provide great networking opportunities.
Perform oversight. If you have a contractor support team, make sure you are performing oversight on your contractors to ensure that processes are created, documented, and accessible, and that tasks are clearly spelled out in your contract. In the event of a contractor change, make sure your processes can be easily transitioned to the new team.
Based on the points above, how is your agency building and maintaining cyber security teams? Let us know in the comment section below.
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge. Read the InformationWeek Tech Digest, Government Cyber Security: Flexibility Equals Strength.