The DHS Task Force on Cyber Skills released a much-anticipated report last month on the state of the cyber workforce within the Department of Homeland Security.
Commissioned in June 2012 by Secretary Janet Napolitano, a group of government and industry leaders was tasked with “identifying the best ways DHS can foster the development of a national security workforce capable of meeting current and future cybersecurity challenges.” The group was also charged with “outlining how DHS can improve its capability to recruit and retain that sophisticated cybersecurity talent.”
As one of the largest bodies of information security professionals and cyber security workforce/education stakeholders around the world, (ISC)² commends Secretary Napolitano for pooling the brain trust of a group of senior advisors to establish a path toward expanding the national pipeline of skilled cybersecurity professionals.
The report rightly acknowledges the urgent need to foster the development of a national security workforce capable of meeting current and future cybersecurity challenges. It also attempts to address the multi-faceted dilemma we face in quickly building a cybersecurity workforce capable of protecting national information assets and citizens against highly sophisticated, advanced threats.
I believe, however, that this report falls short of the nation’s expectations and does not provide new insight or a solid and balanced roadmap toward solving the global cyber workforce shortage.
Upon first review, I had to ask if I was missing something. Did this just reflect the initial findings of the task force, or had I actually received the full report? After all, a report that is commissioned by a senior-level government official, in my mind, warrants at the very least the inclusion of a well-defined research methodology, a range of in-depth, existing industry data, and the citing of original comments from a variety of subject matter experts.
Instead, the report suffered from unsubstantiated claims about the cyber skills mandate and an overall lack of validated research data to support the methodology of its recommendations.
A 90-day turnaround required for delivering this report that aims to address such a complex problem was highly ambitious. Perhaps had the authors been given more time, the report would be more realistic and actionable.
On the surface, the report’s recommendations are hard to argue against:
1. Ensure that the people given responsibility for mission-critical cybersecurity roles and tasks at DHS have demonstrated that they have high proficiency in those areas.
2. Help DHS employees develop and maintain advanced technical cybersecurity skills and render their working environment so supportive that qualified candidates will prefer to work at DHS.
3. Radically expand the pipeline of highly qualified candidates for technical mission-critical jobs through innovative partnerships with community colleges, universities, organizers of cyber competitions, and other federal agencies.
4. Focus the large majority of DHS’s near term efforts in cybersecurity hiring, training, and human capital development on ensuring that the Department builds a team of approximately 600 federal employees with mission-critical cybersecurity skills.
5. Establish a “CyberReserve” program to ensure a cadre of technically proficient cybersecurity professionals are ready to be called upon if and when the nation needs them.
But what was missing from the report is how to build a solid foundation that addresses the broad needs of an effective organizational cyber security team/program.
The report heavily promotes the technical aspect of the cyber workforce – with no grounds for support – while omitting the operational and policy aspects that are so critical to any effective security program.
The report also expresses a myopic view of how to solve the global cyber workforce crisis and downplays the importance of the critical roles required to sufficiently secure our nation’s infrastructure – using layman’s terms such as “cool jobs” when referring to job opportunities that must attract and be filled by the most skilled and educated of cyber professionals.
What else would I expect from a commissioned report on this topic?
- Insight from organizations that are critical to supporting the report’s recommendations, such as academia, research, industry, etc., and a collaborative implementation plan among these groups.
- A foundational reliance on and alignment with what has already been widely adopted as DHS’ own cybersecurity workforce framework – the National Initiative for Cybersecurity Education (NICE) framework.
- Reference to, or acknowledgement of, the existing and widely adopted scenario-based testing platforms and certification schemes used by private industry and held by large segments of the current workforce.
Finally, after reviewing the report, I was left asking the most critical question: how will the government fund any, much less all, of these recommendations?
The recommendations, if undertaken by DHS as set forth in this report, will not only cost the US taxpayers billions but will also create another bureaucratic infrastructure that has minimal ability to impact positive change.
I believe, as a representative of an organization that is a significant stakeholder in the cybersecurity workforce/education community, I do not stand alone when I challenge the DHS Cyber Skills Task Force to dive a level deeper in its recommendations and to substantiate its approach with research and data that offer a broader opinion from all those who have supported the development of the global cyber security workforce and advanced programs over the past several decades.
W. Hord Tipton is executive director of (ISC)², the world’s largest non-profit body for certifying information security professionals; he is also the former CIO of the Department of Interior and recipient of the President’s Distinguished Rank Award. He writes regularly for Breaking Gov and serves on its board of editorial advisors.