Modern field guide to security and privacy

What Teddy Roosevelt can teach us about cybersecurity

Why wait years to grow new cybersecurity talent when you can take advantage of the talented federal workforce today?

With characteristic fervor, Theodore Roosevelt is shown speaking during the presidential campaign of 1900.

The US government needs a lot more cyber professionals — and needs them fast. 

In a recent White House blog, the Office of Personnel Management (OPM) announced the new Federal Cyber Workforce Strategy in which it identified the target goal of 3,500 new hires by January 2017.

Even if the government moved with uncommon speed, moving so quickly to staff positions in a field with close to zero unemployment is an ambitious goal, to say the least.

But that’s no reason for despair.

I would suggest that the cyber workforce shortage could be managed if the government applied the perspective of a prior occupant of the White House: “Do what you can, with what you have, where you are,” said Theodore Roosevelt in 1913.

The 26th president’s theory does seem to collide with our current reality: not enough trained cybersecurity workers and the assumption that non-cybersecurity workers can’t easily attain enough technical skill to be useful.

With so few skilled cyber professionals in the pipeline, though, I don’t think the government has a choice but to rethink assumptions. It must place an immediate focus on its existing resources instead of trying to speed up a talent pipeline that will take years to establish.

What many do not know is that advancement opportunities for government personnel with little to no security experience do exist. 

For instance, (ISC)²'s SSCP certification requires only one year of experience and is ideal for non-security IT personnel who focus on day-to-day operations. Another example is the Associate of (ISC)², which bridges the gap between needing certification and needing experience. If someone does not have that experience but can pass one of our exams, they can become an Associate.

Both the Associate and SSCP programs provide employers (or potential employers) confidence that an individual’s cybersecurity skills are up to date and that they are knowledgeable of internationally recognized standards.

While such training won’t stand in for hard-won experience defending networks, an organization that encourages its personnel to pursue these designations works to help bolster security throughout the organization, ultimately changing the organization’s culture into one that accepts cybersecurity as a business reality rather than just a technology challenge.

In other words, pursuing such measures reflects President Roosevelt’s wisdom of using the tools and talents we have at hand. 

The next step? Organizations that help grow their employees' talents must dedicate ongoing resources to the retention of their existing cybersecurity professionals.

Given the multiple factors working against the government’s efforts to build a skilled workforce, existing cyber professionals must be nurtured and rewarded with training and continuing education opportunities to help contend with the lures of the private sector.

Clearly, not every non-security professional wants to become a security professional. But if we’re going to break the bottleneck of cybersecurity talent, we must do what we can, with what we have, where we are. And that means breaking old assumptions and cultivating talent in the workforce that’s right here, right now.

Dan Waddell, CISSP, is the Director of US Government Affairs and the Managing Director for the North America Region of (ISC)². You can follow him on Twitter @DanWaddellCISSP.
