Government officials have recognized the importance of investing in human capital, not just technology, to confront cybersecurity crises.
Call me an optimist, but I predict the US government will make significant progress in 2014 in marshaling a human capital strategy -- not just a technical response -- to today's cybersecurity crisis. Part of that optimism is predicated on the belief that there is opportunity in crisis. It's also based on the sense that the executives with the power to create change have a deeper awareness of the crisis that cyberthreats pose and are more willing to address it than before.
Consequently, I believe in 2014, the government's human capital challenge, of having the cybersecurity talent it needs, will begin to evolve -- from crisis to collaboration, from being "stuck" to at the very least getting "out of the gate."
Why do I believe this?
1. Awareness of the need has been established. Security breaches of various kinds have significantly affected companies' bottom line, reputation, and public trust. For better or worse, the C suite is now keenly aware of the need for security and is placing a higher value on qualified information security professionals. The troubling issues with the Affordable Care Act website has underscored the horrific impacts both to cost and and the security and privacy of waiving the requirements for acceptable system development. I believe this will build further awareness of the value of certification and accreditation (authorization) for all federal systems and the need for professionals skilled in implementing this critical process.
2. Security budgets have been relatively protected. Despite budgetary setbacks, information security resources as a whole are being given greater consideration than other IT programs, according to a recent study. Interestingly, Office of Management and Budget reports show that up to 90% of federal IT security spending is on personnel costs.
3. The cry for greater guidance has been heard. Both government and industry have expressed the need for greater guidance in developing security policies, specifically in training workers. Those responsible for staffing agency security programs are looking to pioneering programs, such as the Defense Department's directive (8570.1), which mandate certification training and provide guidance on how to effectively validate, build, and train their agency's information security workforce. In 2014, I believe we will see more legislatively driven policies and guidance to support security workforce development.
Army network training. Photo courtesy of Army CIO/G6.
4. Demand for certification is on the rise. According to observation and research, both the number of jobs requiring information security certification and the number of practitioners seeking certification are increasing.
5. Mechanisms are in place -- and evolving -- to foster collaboration with academia to meet growing workforce demands. Initiatives such as the NICE Framework, the Scholarship for Service Program, and the National Centers of Academic Excellence have advanced the government's relationship with academia. Behind the scenes, we are seeing a change in universities as they become more business-oriented and geared toward specialty programs. This is helping to build a sorely needed cybersecurity career path.
6. Security policies and personnel are being integrated into the government's IT acquisition process. Thanks in large part to cloud adoption and the FedRAMP program, personnel assessment requirements are being developed on the front-end of IT acquisition, a process greatly in need of reform from a security perspective.
7.Culturally out-of-the box talent is gaining respect. Even Pentagon officials acknowledge that some of the most complex cyber maneuvers are coming from teenagers sipping Red Bull, wearing flip-flops in their parents' basement. Although this image of cutting-edge cyber talent hardly fits the traditional government employee profile, I believe government is gearing up to tap into a more culturally out-of-the box talent pool capable of providing insight and skill beyond what is considered the norm.
So, what if I am wrong? Well, if I am wrong, the government is in big trouble.
But the outlook appears to be brightening. Despite budget setbacks, the government's investment in cybersecurity personnel is only going to escalate in 2014. Based on the most recent budget reports (and notwithstanding budget revisions): the Air Force is slated to add 1,000 new personnel between 2014 and 2016 as part of its cybersecurity units; the Army continues to develop its new cyber command center at Fort Meade to eventually house 1,500, from which it will lead a worldwide cyber corps of 21,000 personnel; and DHS will be entering Phase 2 of the largest existing US government cybersecurity contract ($6 billion).
With an investment of this magnitude, lack of progress is not an option. If the government doesn't keep up its momentum, the unfortunate truth is that it will end up losing all or most of its good people.
The federal government shutdown last October represented the first phase of a personnel exodus during which it lost some of its finest talent. If the government does not take immediate measures to take care of its people, the exodus will continue, particularly in cybersecurity.
Our studies indicate that US government information security salaries fell behind in 2013 after remaining ahead of the private sector in prior years. The demand for skilled professionals is high in the private sector as well as in the public sector, but private-sector pay is now higher. If the government does not continue to strengthen its workforce with the momentum it has created and build on what it has already established, we will find ourselves right back in crisis mode come 2015.
Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.
W. Hord Tipton, CISSP-ISSEP, CAP, CISA, CNSS, is currently the executive director for (ISC)2, the not-for-profit global leader in information security education and certification. Tipton previously served as chief information officer for the U.S. Department of the Interior ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.