The Office of the National Cyber Director is soon expected to release the National Cyber Workforce and Education Strategy. The document is expected to address workforce issues through collaboration across government. With more than 700,000 cyber jobs remaining vacant worldwide — 40,000 of those in the public sector alone — it is essential that every federal worker plays their part in keeping America’s networks safe.
Instead of waiting for cyber-specific positions to be filled, the White House has prioritized strengthening the current federal workforce through cyber education and skills-based training. This is a leap in the right direction, as Fortinet’s recent global survey found that 68% of respondents agree that the cybersecurity skills shortage creates additional cyber risks for their organization.
Managing cyber risk is everyone’s responsibility
The reality of the situation is that cyber criminals are taking advantage of the cyber workforce shortage and federal chief information security officers continue to face a daily onslaught of attacks. While many attribute the lack of personnel solely to the shortage of skills needed for supporting roles and assume it is the CISO’s job to manage an agency’s cyber risk, the reality is that all personnel contribute to cybersecurity efforts. Once this has been acknowledged, leaders can begin to equip individuals with the skills and knowledge needed, decreasing the gap and empowering their employees to take on this responsibility.
The good news is that while agencies wait for guidance on how to close the talent gap, leaders can implement ongoing education programs and awareness protocol to equip their existing workforce.
Before agencies expect their personnel to assume this responsibility, employees need to understand their role in the security health of their agency — the more ownership they take of that role, the better they will perform and contribute. This builds on the sense of civic responsibility that should be shared by all Americans, but is emphasized for public servants in the oath of office. Once federal workers understand the importance of their role and how they are expected to play a part in the overall security and resilience strategy, leaders need to ensure their employees are equipped with the proper skills and resources.
For example, while education and continued learning programs should always be available for upskilling federal personnel, these programs also allow employees at all levels to build a solid foundation of cybersecurity awareness, understand cyber risk, and implement best practices to reduce that risk. The entire agency, whether a part of the security team or not, must work together to assess and mitigate these cyber risks. Particularly with regard to ensuring the continuity of mission-critical functions, assessment of the potential consequences of a cyber incident and ways to mitigate those consequences requires input not just from the IT team but from everyone involved in the delivery of those critical functions for the American people.
As leaders prioritize employee cyber awareness education, they must also recognize the role that communication plays in a successful security strategy. This includes setting the appropriate risk tolerance for the agency and communicating risk management plans and procedures across the staff. Employees need to know what an attack may look like, and how they should report and mitigate that risk. Since all employees play a role and are responsible for practicing proper cyber hygiene, agency leaders need to ensure they are aware of proper protocols, especially as the threat landscape evolves.
For federal workers to carry out their role, leadership and IT professionals must continue to monitor evolving tactics and threats, as these inform the education and upskilling programs provided to employees. Cybersecurity is never finished; a strong security framework relies on the constant evaluation of the risk landscape. By doing so, leadership can continue to update their personnel on best practices, empowering them to play a successful role in the agency’s security.
While the cyber workforce gap must be addressed and new talent procured and nurtured, agencies have people on hand who, with training, can help in the near term. Beyond that, making every federal worker part of the government’s cyber posture not only strengthens cybersecurity, but also creates a culture where everyone understands they have a role to play in protecting the sensitive information that flows through federal networks.
Suzanne Spaulding is a Fortinet Public Sector Advisory Council member andformer Department of Homeland Security undersecretary for cyber and infrastructure.