12/19/2013
12:00 PM

Increase Cyber-Security Workforce, Government Urged

Cyber-security organization offers seven recommendations to the White House and defense agencies on improving worker qualifications and strengthening security built into IT.

Federal agencies must take more concrete measures to address a shortage of skilled specialists who can protect government IT systems from cyber-security threats, a leading cyber-security group advised the Obama administration.

The International Information Systems Security Certification Consortium, or (ISC)2, this week released seven recommendations it delivered to the White House, the Departments of Homeland Security and Defense, and the National Institute of Standards and Technology (NIST), aimed at easing the shortage of qualified cyber-security professionals.

Some of the recommendations, delivered to government agencies earlier this month, focused on the shortage of employees with the specialized skills to combat cyberthreats. Among the measures, the consortium recommended:

  • Aligning existing workforce development programs, such as the Scholarship for Service and Centers for Academic Excellence programs, with NIST's National Initiative for Cybersecurity Education (NICE) framework
  • Implementing the Defense Department's 8570.01-M, "Information Assurance Workforce Improvement Program," across the government
  • Setting up a cyber "special forces" team designed to employ talented cyber-security workers who, whether because of personality or previous personal conduct, would not normally be able to obtain security clearances or work in a typical agency culture

"The biggest mistake we see is government and companies putting people in the wrong jobs," said W. Hord Tipton, executive director of (ISC)2 and former CIO of the Interior Department. He said these recommendations would expand the pool of prospective candidates with the skills needed for open cyber-security positions.

[Can our governments really afford to fall further behind in IT security competence? Read: The Troubling Decline Of IT Security Training.]

Alan Paller, research director of the SANS Institute, said he disagreed with the (ISC)2 manpower recommendations.

"The NICE framework has identified so many different characteristics of people for jobs, [put] so much extraneous stuff in, the government is hiring unqualified people," Paller said. "You can have 10 out of 12 skills where the two are technical skills and you can qualify for high-tech jobs."


(ISC)2 also suggested ways to improve the security of software and hardware products, including changes to government acquisitions and heightened security awareness of the supply chain, recommending:

  • Updating the Federal Acquisition Regulations (FAR) with modular language that requires cloud providers to meet FedRAMP, FISMA, and specific information security requirements, including ensuring that personnel are qualified to operate securely in a cloud environment
  • Including modular language in FAR concerning secure and resilient technology, both hardware and software, through assured supply chains and applying risk-management tools and techniques to those supply chains
  • Demanding superior software, created with qualified security software professionals participating in the development lifecycle, including government expectations that security is "baked in"

"The widespread adoption of the cloud and cloud services has completely changed the dynamics of how... to find a provider, how to evaluate them," Tipton said. "It has to be done through contract terms."

SANS's Paller strongly endorsed these recommendations. He pointed out that building security into the technological DNA of software and hardware "reduces the load" on security professionals and improves efficiency.

The final recommendation made by (ISC)2 suggested that the government enforce accountability for security, particularly for managers and business owners -- not security professionals -- who fail to make the investments needed to meet standards set by FISMA and other requirements.

Paller found merit in this final suggestion, but he emphasized that individuals and organizations should be praised for their positive security accomplishments, and encouraged to share their successes publicly.

"You don't have to play the gotcha game," Paller said. "People are afraid to talk about good security because they're afraid of becoming targets. But we need to talk about successes so that people can learn from them."

Patience Wait is a Washington-based reporter who writes regularly about government IT for InformationWeek.


Comments
Susan Fogarty, User Rank: Author, 12/23/2013 | 10:19:33 AM
Re: Calling the workforce "unqualified" shows a complete lack of the present working environment
Yes, I agree, many IT folks who work for the government are highly qualified but hamstrung by very complicated budget structures (or lack of it) and being spread extremely thin. It certainly doesn't help that the NSA's reaction to the Edward Snowden affair was to reduce IT staff by 90% to reduce the chance of additional data leaks.
RonFJ, User Rank: Apprentice, 12/22/2013 | 9:15:46 PM
Re: Calling the workforce "unqualified" shows a complete lack of the present working environment
The government needs contractors for short term "disposable" projects with an ending date. They need government employees for continuity of government. It's quite simple really. The government is not designed to be efficient, but safe, hence a three party check and balances system. In many cases the government employee is dealing with the bureaucracy and red tape, while the contractor is doing more operational work. Additionally, contractors are often brought in for higher risk projects as it can take years to punish or release a fed, but a contractor can be fired almost immediately. There must always be a federal employee monitoring the contractor's performance and ensuring the contractor did the work specified at the price specified. Add to this a government hiring freeze as noted with no training and you have a situation where agencies are hiring contractors instead of training their own staff or hiring more feds. Glad you find this amusing, as it is all our tax dollars (and laws our lawmakers have passed) which has led to this situation. While I will state some government employees are certainly unqualified, making sweeping statements about all such as yours are completely off-base without any research to cite such as ISC2 does.
rman23, User Rank: Apprentice, 12/20/2013 | 1:13:21 PM
Re: Calling the workforce "unqualified" shows a complete lack of the present working environment
Wow, I couldn't stop laughing at the previous post. Of course the government workers are "unqualified", otherwise why would they need contractors? The way it actually works is where we have one government employee and then a contractor that does the actual work. The taxpayers get to pay for both. Please post more humor!

thanks
JackBadger, User Rank: Apprentice, 12/20/2013 | 10:27:43 AM
Calling the workforce "unqualified" shows a complete lack of the present working environment
The government does a great job in screening and hiring people; they just don't have enough. They often have to ask overworked professionals to perform jobs outside their skill base as a result. It is totally unfair for anyone to characterize these dedicated civil servants as incompetent. Furthermore, most civil servants are being asked to wear a dozen hats in these times of sequestration and hiring freezes. These folks have gone without pay raises and promotions for over 2 years now and are being asked to implement new mandates in addition to everything else they have on their plates with often ZERO training budgets. I'd say they are doing pretty well all considered. Kudos to ISC2 for pointing out the pipeline issues with procurement and the overarching issues with accountability!
Marilyn Cohodas, User Rank: Author, 12/19/2013 | 5:24:29 PM
Accountability
Thanks for the recap of the (ISC)2 report, Patience. I'm curious about whether the authors outline how they would go about enforcing security accountability. Were audits recommended? And if so, by whom?