The Trump administration issued two significant reports in the last couple of months attesting to the state of the federal government’s cybersecurity posture. The Federal Cybersecurity Risk Determination Report and Action Plan noted 74% of agencies that participated in the Office of Management and Budget’s and Department of Homeland Security’s risk assessment process have either “at risk” or “high risk” cybersecurity programs. Meanwhile, the National Cyber Strategy of the United States of America addressed steps agencies should take to improve upon the assessment.
Together, the reports illustrate two fundamental factors instrumental in combating those who would perpetrate cybercrimes against the U.S. Those factors—people and the technology they use—comprise our government’s best defense.
People: the First Line of Defense
People develop the policies and processes driving cybersecurity initiatives throughout the government. Their knowledge—about the threat landscape, the cybersecurity tools available for government, and the security needs and workings of their own organizations—is essential to running a well-oiled security apparatus.
But finding those skilled individuals, and keeping them, is difficult. Since the government is committed to keeping taxpayers’ costs low, agencies can’t always afford to match the pay scales of private sector companies. This leaves agencies at a disadvantage when attempting to attract and retain skilled cybersecurity talent to help defend and protect national security interests.
Several education initiatives are underway to help with this cyberskills shortage. The National Cyber Strategy report lays out some solid ideas for workforce knowledge improvement, including leveraging merit-based immigration reforms to attract international talent, reskilling people from other industries, and more. Meanwhile, the Federal Cyber Reskilling Academy provides hands-on training to prepare non-IT professionals to work as cyberdefense analysts.
Hiring processes must also continue to evolve. Although there has been progress within the DoD, many agencies still adhere to an approach dictated by stringent criteria, including years of experience, college degrees, and other factors. This effectively puts workers into boxes—this person goes in a GS-7 pay grade box, and this other person in a GS-15.
While education and experience are both important, so are ideas, creativity, problem-solving, and a willingness to think outside the box. It’s a shame those attributes can’t be considered just as valuable, especially in a world where security professionals are continually being asked to think on their feet and combat an enemy who both shows no mercy and evolves quickly to bypass an organization’s defenses. The government needs people who can effectively identify and understand a security event, react quickly in the case of an event, respond to the event, anticipate the next potential attack, and formulate the right policies to prevent future incidents.
(to be continued next week)
Find the full article on Fifth Domain.