Much has been made about the U.S. government's need to hire more cyber-security professionals. But finding the best way to build that workforce may be difficult.
A new survey from the International Information Systems Security Certification Consortium (ISC)² found that many of the trending ideas on how to structure the cyber-security workforce do not jibe with the views of those on the front lines. In a poll of nearly 700 IT security pros, about 75 percent cited "a lack of a defined career path" as a key reason there is a shortage of federal IT security pros, while just under 60 percent cited "a lack of professional development plans."
"Ideally the path would start in the upper schools and certainly no later than the college level to establish the curricula for obtaining the appropriate training to ably enter the workforce with the skills needed to 'hit the ground running'," said Hord Tipton, executive director of (ISC)². "At some point the individual must decide which path they want to follow. Are they happy performing the high-tech hands-on functions such as forensics, pen testing, cryptology research, etc., or do they want to progress into the more professional arena to technically manage the holistic point of view...Future paths will be blended with people with business skills who will also be very savvy in IT."
Some 74 percent attributed infrastructure security weaknesses to inadequately trained staff. A lack of professionals with appropriate skills (68.6 percent) and insufficient funding (63.2 percent) were also popular answers.
Roughly 47 percent agreed that current information security certification programs are serving the U.S. federal government's need to build a qualified cyber-security workforce. About the same share (48.3 percent), however, said there is a gap between existing certification programs and the specific cyber-security skills needed in the workplace. Approximately 40 percent felt current professional certification programs create a false sense of security, and about 54 percent said "increasing investment in training and certification primarily for technical skills" will not solve America's security problems.
"Each certification meets specific enterprise security needs including strategic, tactical and operational expertise," Tipton said. "Where the current certification community seems to fall short is in trying to map each certification to each role/requirement. That is perhaps one of the first steps that should be taken in order to accurately evaluate the certification landscape and whether it is meeting the government's needs...We can train and certify and even license people until exhaustion, but they will never be perfect and humans will be human. Our target is not perfection, but to see if the risks can be minimized to an acceptable level."
Those surveyed were overwhelmingly against involving a government-run Board of Examiners (BoE) in the certification process, as suggested in a recent report from the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity. Sixty-nine percent of respondents thought that was a bad idea.
"The survey was taken anonymously, but I think one respondent said it best: 'A government-run BoE would end up becoming a political nightmare...The government needs to utilize commercial certification bodies that are focused upon maintaining pace with cutting-edge technology and issues'," Tipton said.
"The government's challenge in meeting the demand for qualified cyber-security professionals is multilayered," he noted. "On the surface, government is faced with the very basic challenge of being able to categorize the wide variety of cyber-security roles. Without a defined career path, those candidates -- those who are already in the field and those wanting to gain entry -- don't have clear direction for their pursuit. As more agencies gain the maturity of DoD (Department of Defense) and specify exactly what they need and who meets that need, the path will become (clearer)."
"Secondly, government agencies are not only competing with other agencies who offer a variety of different compensation plans/incentives, but they are also competing with private industry organizations who are also facing a shortage of qualified cyber-security professionals," he said. "These are just a few of the factors working against the government in their endeavor to meet the need."