The government is trying to bring calm to the chaos of its haphazard approach to building a cybersecurity workforce, and it wants help.
The multiagency National Initiative for Cybersecurity Education, led by the National Institute of Standards and Technology, is seeking public comment until Dec. 16 on a draft plan to standardize cybersecurity work throughout the government.
The NICE framework is a dictionary of cybersecurity work, divided into seven categories from operating networks to analyzing cyber threats. Together, those categories contain 31 job functions linked to more than 1,000 knowledge, skills and abilities.
“From driving educational programs in K-12 through training programs offered commercially, through cybersecurity competitions, this is our keystone,” said National Cybersecurity Education Strategy Director Peggy Maxson.
It found agencies struggle to get a handle on how many cybersecurity workers they have, how much time those workers devote to computer and network protection and whether their cybersecurity positions align with federal guidelines.
“The most critical problem in establishing the cybersecurity professional workforce was, indeed, to first define what that is,” said Maxson at a webinar hosted by Government Business Council. “We weren’t at a lack of definitions at the federal government. Every agency has their definitions.”
That is precisely the problem.
“We couldn’t even talk [Department of Homeland Security] to Health and Human Services to the National Security Agency about the duties of system administration, which should be a common duty across the federal government,” she said.
Some agencies are piloting the draft structure, Maxson said.
Agencies would be wise to use the framework to take inventory of their current workforce’s skills and identify gaps, said National Cybersecurity Workforce Structure Strategy Director Angie Curry. “We need to develop some best practices for workforce planning,” she said.
The lengthy hiring process and discrepancies in compensation across agencies can make it hard to fill cybersecurity vacancies, according to the GAO report.
Hord Tipton, executive director of the certification consortium (ISC)², warned agencies need to look at their recruitment strategies too.
“When you have an economic recession and some high unemployment rates across the world, you have more people flocking to get into a field that pays pretty darn good right now,” he said. “Our examinations, trainings and educational courses are at all-time highs at this point.”
But, he warned, many candidates aren’t capable of the work. Certification programs aren’t standardized and may require as little as watching a two-hour course, he said.
Current employees also need training to keep up with the latest threats, he said, adding that 92 percent of cybersecurity errors last year could have been prevented by simple controls.