Federal agencies must take more concrete measures to address a shortage of skilled specialists who can protect government IT systems from cyber-security threats, a leading cyber-security group advised the Obama administration.
The International Information System Security Certification Consortium, or (ISC)2, this week released seven recommendations it delivered to the White House, the Departments of Homeland Security and Defense, and the National Institute of Standards and Technology (NIST), aimed at easing the shortage of qualified cybersecurity professionals.
Some of the recommendations, delivered to government agencies earlier this month, focused on the shortage of employees with the specialized skills to combat cyberthreats. Among the measures, the consortium recommended:
"The biggest mistake we see is government and companies putting people in the wrong jobs," said W. Hord Tipton, executive director of (ISC)2 and former CIO of the Interior Department. He said these recommendations would expand the pool of prospective candidates with the skills needed for open cyber-security positions.
Alan Paller, research director of the SANS Institute, said he disagreed with the (ISC)2 manpower recommendations.
"The NICE framework has identified so many different characteristics of people for jobs, [put] so much extraneous stuff in, the government is hiring unqualified people," Paller said. "You can have 10 out of 12 skills where the two are technical skills and you can qualify for high-tech jobs."
(ISC)2 also suggested ways to improve the security of software and hardware products, including changes to government acquisitions and heightened security awareness of the supply chain, recommending:
"The widespread adoption of the cloud and cloud services has completely changed the dynamics of how... to find a provider, how to evaluate them," Tipton said. "It has to be done through contract terms."
SANS's Paller strongly endorsed these recommendations. He pointed out that building security into the technological DNA of software and hardware "reduces the load" on security professionals and improves efficiency.
The final recommendation made by (ISC)2 suggested that the government enforce accountability for security, particularly for managers and business owners -- not security professionals -- who fail to make the investments needed to meet standards set by FISMA and other requirements.
Paller found merit in this final suggestion, but he emphasized that individuals and organizations should be praised for their positive security accomplishments, and encouraged to share their successes publicly.
"You don't have to play the gotcha game," Paller said. "People are afraid to talk about good security because they're afraid of becoming targets. But we need to talk about successes so that people can learn from them."
Patience Wait is a Washington-based reporter who writes regularly about government IT for InformationWeek.