Federal Cybersecurity Workforce
In mid-July, we reviewed “Strengthening the Federal Cybersecurity Workforce” strategy that White House team of Shaun Donovan (OMB), Beth Cobert (OPM), Michael Daniel (Cybersecurity Coordinator), and Tony Scott (U.S. CIO) released. The strategy is meant to fill the nation’s cybersecurity gaps as we are moving deeper and deeper into the wild frontier of the cyberage. While the shortfall in cybersecurity professionals is a real problem, in truth, according to Fortinet’s Steve Kirk, the bigger problem is that we don’t really even know what to expect when it comes to cyberthreats. In other words, to some degree, we could be trying to grow the wrong kind of cybersecurity force. We simply don’t know.
VERIFIED SHORTFALLS
Kirk reports, “There is a known crisis in the cybersecurity workforce: a massive shortfall in qualified and trained security professionals. . . . A multitude of studies identify the cybersecurity labor shortage and illustrate the drastic need for more experts, especially in the public sector because of its universality to the population.” According to Kirk, answering the shortfall and building the right size cyber Federal workforce depends a careful balance of attractive pay and benefits that the private sector can beat with interdisciplinary opportunities and stability that challenge the private sector. But no matter how the available cybersecurity workforce distributes itself among practically innumerable available jobs across the Federal and private sectors, there will still be a shortfall. But that shortfall, Kirk argues, isn’t the biggest problem. Kirk writes, “Unfortunately, attack methods and breaching techniques are constantly evolving. This means that finding the elusive talent to overcome present challenges is only part of the solution.”
THE BIG PROBLEM
Kirk writes, “Unfortunately, the problem is not limited to resource competitions. The real cybersecurity challenge is the unknown.” In other words, we don’t really know what we need when it comes to cyber talent. Kirk tracks the evolution of cyber talent over past decades, a transition from more general questions of connectivity across networks and data storage and sharing. While accelerating networks and sharing will remain important objectives, the great challenge of today and tomorrow is securing all that, all those networks and all that data. If we can’t secure the connections and the data, then the power of both diminishes proportionally.
To further complicate things, it isn’t just a matter of cybersecurity per se; it’s also a matter that the black hat cyberthreat, right now, is vastly more agile than the white hats in the Federal and private sector. “This,” Kirk writes, “will therefore require growth in the security talent pool and a broader definition of the talents required for that pool.” We don’t know what the challenges will be, but they will be complex and evolve quickly to overwhelm whatever defenses we throw up. So the cyber-talent-pool we’re growing has to be a thinking, adaptable workforce that’s more agile. And achieving that sort of deep cultural change is an imposing challenge.
Perhaps the human will never be quick enough and intelligent enough to sense, interpret, learn, change, and respond quickly enough to defend against the cyberthreat. But all is not lost. There’s always artificial intelligence. That’s a topic for tomorrow.
