Federal Cybersecurity Workforce Strategy Unveiled


Government Seeks to Boost IT, InfoSec Staff by 3,500 This Year

The Obama administration has issued a federal cybersecurity workforce strategy that calls for identifying, recruiting, developing, retaining and expanding "the best, brightest and most diverse cybersecurity talent" for federal service.


The strategy establishes four key goals:

- Expand the cybersecurity workforce through education and training;
- Recruit the nation's best cyber talent for federal service;
- Retain and develop highly skilled talent; and
- Identify cybersecurity workforce needs.

Administration officials see the strategy as a long-term initiative, a first step toward furnishing resources needed to establish, strengthen and grow a pipeline of cybersecurity talent well into the future.

"We must recognize that these changes will take time to implement, and the workforce strategy's long-term success will depend on the attention, innovation and resources from all levels of government," says a White House blog, posted July 12. It was signed by Office of Management and Budget Director Shaun Donovan, Office of Personnel Management Acting Director Beth Cobert, White House Cybersecurity Coordinator Michael Daniel and U.S. Chief Information Officer Tony Scott.

6,500 New Positions

The officials say the strategy is needed because federal agencies' lack of cybersecurity and IT talent affects their ability to protect information and assets. How big is the cyber skills gap? A White House spokesman did not respond to a question on identifying the number of IT security personnel the government employs and how many new ones are needed. But the administration blog said the government hired 3,000 new cybersecurity and IT professionals from October through March, and agencies are committed to hiring another 3,500 individuals to fill critical cybersecurity and IT positions by January.

Nationwide, IT and IT security personnel are in short supply for government and business. An Information Security Media Group analysis of U.S. Bureau of Labor Statistics data puts the IT unemployment rate at 2.7 percent, which economists consider full employment.

The consultancy Frost and Sullivan estimates that the global gap between security openings and skilled people to fill them will reach 1.5 million by 2020. "Even when positions are created and funded, they are difficult to fill, both in private industry and in government," says Peter Singer, strategist at the think tank New America. "For example, at last report, 40 percent of the cybersecurity positions at the Federal Bureau of Investigation remained unfilled, leaving many field offices without expertise."

Administration officials say another restraint is the failure of agencies to consistently implement continuing federal initiatives to bolster IT security employment.

"This shortfall affects not only the federal government, but the private sector as well," the blog authors point out. "Recent industry reports project this shortfall will expand rapidly over the coming years unless private sector companies and the federal government act to expand the cybersecurity workforce pipeline to meet the increasing demand."

Many of the elements in the strategy are not new; they were outlined in the administration's Cybersecurity Strategy and Implementation Plan, issued last October (see Federal Cybersecurity Strategy Revised). But codifying them in a new strategy could prove useful, not only as guidance to federal agencies that are responsible for their own cybersecurity and staffing but also to the next administration.

Roadmap for Next Administration

"What you want to do, especially during this time of transition, is to make sure that plans are solidified," says former federal CIO Karen Evans, national director of the U.S. Cyber Challenge, which sponsors programs to attract more individuals to IT security careers. "Things like [the strategy] are going to be important to the incoming administration so they know exactly what the agencies are focused on and what they're doing."

The strategy proposes some out-of-the-box approaches to recruiting, noting that federal agencies should "pursue individuals with cyber talent who, historically, may not have sought out government careers." That includes women and minority students, who, according to OPM estimates, represent 25 percent and 32 percent of the federal cyber workforce, respectively.

To improve employee retention and development efforts, according to the strategy, OPM will work with agencies to develop cybersecurity career paths, credentialing programs and rotational assignments, as well as foster opportunities for employees to obtain new skills and become subject matter experts.

The workforce strategy directs agencies to adopt a new way to identify their skills gaps by using the National Cybersecurity Workforce Framework, which identifies 31 discrete specialty areas within the cybersecurity workforce. By defining specific specialty areas, agencies could identify their needs and the types of skilled individuals required to fill them.

Those specialty areas are found in seven categories: securely provision, protect and defend, oversight and development, collect and operate, operate and maintain, analyze, and investigate.

Singer, the think-tank strategist, says the strategy is much needed, "but it will fail if it only puts new people in old organizational boxes, using the same pipelines."