Federal Cybersecurity Workforce Challenges Continue

From: GovWin.com

by jslye

The rate of growth, variety and complexity of cybersecurity attacks on federal departments and agencies – as well as private companies – is cited far and wide as evidence that we need to do more to protect our data, networks, systems and other infrastructure. A major focus of the federal government has been on building the workforce with the right skills to meet the challenge, and information from DHS and other agencies reveals that this challenge is persistent and success is elusive.

Federal cybersecurity spending and its make-up have been a focus of federal budgeters for some time. A few budget cycles ago, OMB began requiring executive branch departments and agencies to submit an Exhibit 53B that reports IT security cost and budget data for security testing, assessment and authorization, security tools, personnel, and training. OMB reports some of this data in their annual FISMA report to Congress. Below is a chart of the most recent data for fiscal year (FY) 2011 for civilian agencies. (Unfortunately, DoD has not been able to provide this breakdown of information in their Exhibit 53B and some data was incomplete.)

Source: OMB FY 2011 FISMA Report to Congress

What is clear is that workforce issues are key to federal cybersecurity. Over 74% of the IT security spending by civilian agencies is for personnel. In FY 2011 agencies reported having more than 84,000 full-time equivalent (FTE) staff with major responsibilities in information security. What is telling is the particular mix of government personnel to contracted personnel. (See chart below.) Civilian agencies reported 45% of their security FTEs were government employees compared to 55% contracted staff. The DoD’s security workforce mix of 64% government to 36% contractor requires a bit of qualification since, according to the FISMA report, the DoD classifies the majority of its IT workforce (not just cyber) as “personnel with significant information assurance responsibilities.” That clouds the real mix. It also may not totally account for personnel – uniformed or otherwise – who may hold a “cyberwarrior” designation within the growing cyber-warfighting domain.

Source: OMB FY 2011 FISMA Report to Congress

Observations and Implications

So what does this and other publicized information tell us about the nature and future of cybersecurity, particularly as it applies to workforce issues? Here are just a few observations.

  • Competition for Skill Sets is Fierce – Recently, DHS released its CyberSkills Task Force report, which makes eleven recommendations towards building and retaining federal cybersecurity talent. One of DHS’s objectives is to build a team of approximately 600 federal employees with mission-critical cybersecurity skills. This addresses the December 2012 expiration of the OPM-approved hiring authority that began with DHS’s October 2009 announced goal for hiring 1,000 cybersecurity professionals over the three years from 2010-2012. It appears the new 600 goal is a moderation of that original goal. DHS cites the rapidly changing threat vectors and the highly competitive market among federal agencies, government contractors and the private sector to hire professionals with these mission-critical skills.
  • “Cybersecurity Professional” resists definition – DoD’s designation of the majority of its IT workforce as having significant information assurance responsibilities shows the difficulty of segmenting out strictly cyber-centric personnel and skill sets. When we broaden the traditional scope of information assurance/security to include a more comprehensive, contemporary picture, i.e. pre-emptive/counter/proactive measures, we enter the realm of cyberwarfare, and that continues to pose a challenge for policy makers to draw lines between domains. In fact, one of the issues discussed regularly among leadership from the various cyber commands from Air Force, Navy and Army is the lack of a uniform definition of “cyberwarrior.”
  • Advanced Tools are Needed – The Task Force report provides a list of recommended mission-critical jobs and tasks that DHS should seek to shore up, including the areas of penetration testing, security monitoring, threat/event analysis, and advanced forensics analysis. Each of these and other areas would be maximized in effectiveness if greater automation and tools were brought to bear. Michael Daniel, the new Cybersecurity Coordinator, is interested in improving the return on investment (ROI) for the federal cybersecurity dollar, so agencies will need to maximize the productivity of their security workforce as a means to pass muster.

Clearly, the rapidly morphing threat environment requires a very anticipatory, flexible and responsive cybersecurity posture that will continue to challenge agencies to develop the skilled workforce to meet the threat.
