Findings from the “2015 PwC US State of Cybercrime Survey” revealed that only 26 percent of those surveyed feel they have the expertise to address the cyber risks associated with the implementation of new technologies. This means that 74 percent of organizations — essentially three-quarters — don’t have the cybersecurity talent they need.
This is the known quantity of the security talent gap. The unknown quantity is its solution. Why? Because the scope of the challenge is broad and growing as more and more organizations and agencies move towards the digitization of their networks, adopt more interactive applications, and move services online. It also requires an expanding range of skill sets that are known, but given the rate of change, also unknown.
This is a significant challenge for the public sector. At one time the public sector was able to lure qualified candidates for a variety of positions, not just in the cybersecurity arena, but in many other areas of expertise, including law, medicine, science, engineering, etc., with the promise of stability and impressive benefit packages.
This is not the case today. Nor is this just a public sector challenge. Private companies are also feeling the talent shortfall. However, they possess allurements such as stock options and larger paychecks unavailable to the public sector to hire the expertise they need.
The government is not without its incentives, though; it can attract security talent by focusing on purpose, control, influence, and challenges. Its market is always broader, with more interdisciplinary opportunities and applications, and its societal influence is longer-lasting. Many people derive greater satisfaction and fulfillment from a public career than from one in private industry.
There is always, however, the need for the government package to meet certain fundamental material aspirations and requirements of employees. The challenge is to balance fiscal requirements with the other factors discussed.
However, challenges exist beyond those related to attractive incentives. The most significant cybersecurity challenge is the unknown. Former Secretary of Defense Donald Rumsfeld perhaps gave the best explanation of this during a news briefing 14 years ago:
“There are known knowns. These are the things that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. These are things we don’t know we don’t know.”
This pretty much sums up the cybersecurity challenge. Attack methods and breaching techniques are constantly evolving. Which means that finding the elusive talent to overcome present challenges is only part of the solution. Sure, we know the tried and true breach methods. But what about the attacks we don’t yet know? If the method is unknown, then so is the required response. The talent shortfall, therefore, is about much more than just a limited technical pool. The NSA recently summed up the cybersecurity technology requirement as integration, synchronization, and automation – functionality that most networks, public sector or not, currently lack.
How We Got Here
How did we arrive at this place of having both a technology and talent shortfall?
During the 1960s there was a push to interconnect computer systems. Even then there were experts raising concerns about security and data protection. However, these concerns were disregarded in order to focus on connectivity. This same focus continues today. Ease of connectivity first, security later.
The reality, though, is that the two are intertwined. Connectivity and security must be coordinated together and be able to scale equally and simultneously. Data without protection is unreliable and dangerous, and security without data is an empty bank vault, impressive but with neither function nor purpose. The balancing of this yin and yang is the ultimate goal.
Cybersecurity came to the forefront initially because of the risks related to increasing connectivity. But today it has taken on greater importance. Its new prioritization is critical because we continue to encounter the dangerous unknowns of cybersecurity. To avoid history repeating itself, a cultural shift towards integrated security needs to be embraced, because defective, altered, manipulated, compromised, or breached data nullifies the benefits of connectivity.
This will, of course, require a growing security talent pool and a broader definition of the talents required for that pool. Fortunately, government agencies are working to develop that talent through organizations such as the National Initiative for Cybersecurity Education, but much work remains to be done.
The Critical Human Factor
When we take a good look at the needs of government, there is not a single agency that does not need a more robust cybersecurity workforce. Many government agencies are responsible for a variety of interconnected systems, valuable data, and critical infrastructures.
While homeland security will always be the greatest risk when it pertains to government, the risk cybersecurity poses extends far beyond the borders of government — from roadways and transportation systems, to energy and water, to manufacturing and financial systems. The incapacitation or destruction of any of these critical homeland infrastructures would have a debilitating effect on security, public safety, and the economy. Technology alone can’t protect these systems. To fully protect these critical infrastructures, we need skilled cybersecurity professionals who can plan for and protect them against both known and unknown threats.
The cybersecurity skills gap is real, but it is an issue not only of bodies, but also of minds. That is, the problem is too important to merely fill vacant positions with warm bodies. Security professionals need specific skill sets to truly be effective. Here are four key areas those entering the cybersecurity field should have in their knowledge toolbox:
- Knowledge is power: The federal government, informed by the NICE program, is taking steps to establish an ecosystem of cybersecurity education, training and workforce development across the public and private sectors. Keeping up to date with NICE’s recommendations will give you a leg up on the competition.
- Back to basics: For any cybersecurity position, a basic understanding how IT messaging works is foundational. Knowing how programs exchange messages, and what data or information is included in those messages is paramount for cybersecurity professionals.
- Understanding people: IT today is about much more than knowing how technology works. Sure, understanding how technology works is a definite requirement, but what is just as important is having an understanding of the people using the technology. Understanding human nature and the personal and social characteristics of those using the technology will provide a better foundation for preventing breaches such as email phishing attacks from infiltrating networks.
- Application: Cyberthreats hit close to home when you consider how much of our personal information resides in digital form. From banking to health care to even our taxes, all are for the most part done online or are stored in digital form. These are the known knowns. We know the type of data and we know it is at risk, but without groomed professionals prepared to fight the cybercrimes of tomorrow and keep this data protected, all of our online information is at risk of being compromised or even held hostage. A cybersecurity professional must be able take key principles learned from both known technical weaknesses and the mindset of the cybercriminal and apply them to future, unknown threats so they can be better anticipated, mitigated earlier, or blocked altogether.
Citizens rely heavily on critical infrastructure and other connected government services. Bridging the cybersecurity talent gap must be an essential priority for government agencies. This is easier said than done, but it is not impossible. It will require educating, building, and reinforcing our cybersecurity talent pool and workforce through expanding their knowledge toolbox in the four ways listed above, including constant education and retraining.
Creating programs and public/private partnerships to actively recruit more individuals into the cybersecurity field is another key tactic. There is a ready talent pool in our universities, and transitioning out of the armed forces, with the capacity and mindset that makes them ideal cybersecurity candidates. Acting now to identify and prepare these individuals will enable the government to create and grow the workforce needed to safeguard the nation’s assets and its citizens from the known and unknown threats that lie ahead.
By Steve Kirk, vice president of federal at Fortinet.
*Originally published by NextGov on October 27, 2016.