Yes, there’s a federal cybersecurity workforce gap, but it’s not a pipeline issue, says Pluralsight’s Aaron Rosenmund. “We have this massive talent gap ...
Keeping pace with cybersecurity in government continues to get tougher as the onslaught of attacks by cyber criminals and adversaries becomes more pervasive.
“It used to be that you had to be pretty advanced even to pull off a low-level attack,” said Aaron Rosenmund, director of security research and curriculum at Pluralsight. “Now, criminals literally just have to copy, paste and press enter.”
That increasing ease, combined with the financial payoff of breaching large organizations that hold expansive and valuable data, fuels yet more attacks. The cost to organizations continues to grow, Rosenmund pointed out. “We’ve seen it increase exponentially, and it will be pushing $13 trillion in losses worldwide within the next few years.”
Even as it becomes easier for cyber criminals to break into systems, defending federal systems and evicting intruders from them still takes a sophisticated effort.
Part of the challenge comes from the fact that cyberattacks are asymmetric, Rosenmund said. “A small group that’s highly motivated can have the same effect as a highly resourced group by leveraging tools in cyberspace. Because all you need is a computer and your mind.”
So how can the government best respond? Rosenmund offered three tactics that agencies can take to improve the cyber knowledge, skills and abilities (KSAs) of their security and technology teams, and of their broader workforce as well.
Admittedly, there is a talent gap across cybersecurity organizations, both in the government and in industry. But it’s not a pipeline issue, which is the thing most commonly bandied about — especially within civilian agencies, Rosenmund said. It’s a skills level gap.
“We have this massive talent gap at an intermediate and advanced level. You can’t go recruit them,” he said. “I’m saying they don’t exist. There’s just not enough of them in the world. So, we have to grow them.”
He suggested that agencies focus instead on developing new ways to train their teams. It requires assessing current staff and then charting a path for employees to achieve intermediate and advanced KSAs, he said.
“Customize the training paths to align not just to use cases but also to the actual roles that people need to accomplish,” Rosenmund said. “Is someone, for instance, an IT administrator, or are they a malware analyst? If you’re an IT admin, do you need to know what malware is to the same level that you need to know what it is if you’re a malware analyst? No.”
Just as an organization must test its cyber technology to ensure it works against the most current attack methods, agencies need to test their employees as part of awareness training programs, Rosenmund said.
“The number one thing that we know we can do is tell people to stop clicking on stuff. The rest of it is harder,” he said.
The best way to determine what people know and what they don’t is to test them and then use that as a training benchmark, Rosenmund said. The goal is to move all employees along a security awareness path from beginner to intermediate to advanced, he said.
Use the benchmark to plot a training path for each employee. “You want to test your people as much as you’re testing your products,” he said.
In some industries, businesses can afford to pay highly competitive salaries to hire from the limited pool of extremely advanced cybersecurity experts currently available. But just hiring those individuals isn’t enough, Rosenmund said. It’s critical to continue training them to stay ahead of changing attacks and to adapt to evolving cyber technology.
What many of these leading cyber-ready businesses do is establish “hands-on lab products that they run their teams through. They have pipelines for training that are specialized for all of their cybersecurity workforce roles,” he said. “They have cyber ranges that they go compete in and actually test their people.”
Admittedly, this is a small percentage of even private-sector businesses. But it’s a model that agencies can and should emulate, Rosenmund said.
“At Pluralsight, we have a massive group of consultants that will come in and assess your cyber maturity as an organization,” he said. “We’ll look at the roles you do and don’t have. We’ll bring in our experts to help define which roles you need and the functions that the people in those roles need to accomplish — to move from beginner to intermediate to advanced. It aligns to the National Institute of Standards and Technology’s Cybersecurity Framework too.”
The Defense Department has a trickier challenge because it self-limits its pipeline in addition to needing people with a more advanced skill set, said Rosenmund, who began his cyber career during eight-plus years working in cyber systems operations for the Florida Air National Guard.
“On the military side, we really need to find a way to allow for that talent pipeline to just have a larger diameter,” he said. “That pipe needs to be less restrictive.”
He pointed to the rules that have long defined military job assignments and promotions and said they hinder DoD military organizations in identifying talent that might well exist within their own ranks.
“We can’t say, ‘You have to get through this four-year pipeline or you’re just not good enough to go operate.’ That’s not true for everybody.”
Copyright © 2024 Federal News Network. All rights reserved.