What are states doing to recruit and retain employees with cybersecurity expertise?
As government and industry cybersecurity personnel await the new presidential administration's cyber policies, the threats and challenges continue to mount. Without an umbrella federal framework, government cyber experts work as best they can and with what they already have to address talent shortages and keep current with new methods of attack. Partnerships are critical in keeping abreast of the latest threats, and a future-looking mindset is necessary to create a pipeline of talent at the state and local level.
How Severe a Problem?
Cyberattacks have become more concrete to many of us in recent years. More citizens have received communications from governmental entities or companies about possible illicit access of our personal information—and then there are the allegations of the presidential election being influenced through sharing of hacked information.
Virginia Secretary of Technology Karen Jackson explains that the state's network was attacked somewhere around 70 million times between January and September 2016. And those attacks are certainly not going to diminish. "We recognize that that number is only going to continue to go up." Thus, "it's imperative that we be able to find a good quality workforce."
Because of several workforce issues common to much of government—lower salaries than in the private sector, for example—securing talent in an industry with a low unemployment level can be difficult. And that is at the state level, says Jackson, which is better positioned in terms of funding than towns and smaller cities.
In the release of its early framework, the National Initiative for Cybersecurity Education, led by the National Institute of Standards and Technology, identified 31 separate specialty areas within the cybersecurity workforce.
In terms of specific skill sets needed at the state level, CISSP—Certified Information Systems Security Professional—is cited by both Jackson and Nancy Rainosek, chief information security officer for Texas, as especially critical, although that job is only the tip of the iceberg. Other openings in Virginia run the gamut from forensics to ethical hacking, defense contracting, and much more.
Virginia has a zero unemployment rate in the cybersecurity field, demonstrating the magnitude of the problem. Rainosek underscores the problem, quoting a statistic that globally through 2019, there will be a shortfall of 1.5 million persons for cybersecurity roles across positions.
While adequate cybersecurity talent is a problem in Michigan, it could be far worse. Rajiv Das, the state's chief security officer, notes that the state's top-notch public universities help alleviate shortfalls in cybersecurity talent. Further, Michigan is fortunate to have great executive support, which helps bring in talent and lessen attrition levels. The government's cybersecurity workforce can be appealing because of that commitment, which extends to providing necessary tools and systems. People are excited about what they do, and the state provides training to keep their skills fine-tuned. In Lansing, a focus on healthy work-life balance lends itself to keeping those attrition levels low, continues Das.
Creative Thinking Needed
While the cybersecurity predicament is only going to grow—and grow exponentially, according to Jackson—the number of staff is not going to rise that quickly or that much. So states need to be creative in how they dole out and use existing talent.
Virginia is employing a shared services model for agencies with less—and less sensitive—data. Agencies with lower amounts of sensitive data may choose not to have a security person in the office every day but, rather, have someone on call to handle necessary security issues. Of course, these agencies still must pass cybersecurity audits. This model allows cybersecurity talent to be directed to the most critical areas.
Internships are another means of securing cybersecurity talent, but Jackson cautions that agencies need to be choosy and select the right talent. In part because of its proximity to Washington, D.C., Virginia has a large veterans' population, one that the state is committed to tapping into for cybersecurity talent through its Cyber Veterans Initiative.
In Texas, the state's Governance, Risk, Compliance Incident Reporting Portal uses security incidents at various agencies to build a playbook, notes Rainosek. The data also are shared with the legislature during session.
Das, Rainosek, and Jackson all speak to the need to beef up their cybersecurity talent pipeline. While there are many efforts underway with colleges and universities, the end goal is to extend reach. For instance, one target is to get computer science as far down in the school system as possible, says Jackson.
As part of the North American International Cyber Summit 2017, hosted by Michigan Governor Rick Snyder, the 2nd Annual Governor's High School Cyber Challenge finals will take place. The competition tests high school students' skills in computer science, IT, and cybersecurity.
One initiative that Virginia is undertaking is the Cybersecurity Public Service Scholarship Program. For their final one or two years at a Virginia university, students planning a career in cybersecurity can receive scholarships of up to $20,000 per year for committing to work for the state.
Anecdotal evidence from a similar scholarship program at the federal level indicates that once individuals have a chance to work in the government, they want to stay—a harbinger for success for the Virginia program. The program also will bring talent into government that has just been schooled in the latest information, says Jackson.
Virginia's hands-on Cyber Range supports talent development by giving students the opportunity to solve exercises and work in cybersecurity labs. Currently in its beta stage, it will be a repository of courseware around secure network configuration, digital forensics, network defense, cyber policy, and more, according to the website. The exercises will provide training in the most current threat environment.
Government and the private sector often face similar challenges relating to hackers' tactics for trying to access networks. It benefits both public and private entities to share information on the types of threats they encounter.
States are employing many different types of partnerships to further their cybersecurity efforts. For instance, the Michigan Cyber Civilian Corps, or MiC3, is a group of expert volunteers from the government, education, and business sectors who are available to aid in the event of cyber incidents. The corps also provides training for members and expands professional relationships, which can benefit agencies.
The Texas Cybersecurity Council, which consists of representatives from the private sector, higher education and technical schools, and government, attempts to match business needs to high school and college curriculums. It also works with veterans' groups so the state can attract Texans leaving the military to cybersecurity jobs in both the private and public sector.
Just as private and public entities are apt to see similar types of threats, and thus benefit from sharing information, states often realize positive results when collaborating with one another. The chief information officers (CIOs), chief information security officers, and similar cybersecurity talent from FEMA Region 5, made up of Michigan and neighboring states, have regular meetings at which growing cybersecurity talent is a standing agenda item, says Das. And the National Association of State CIOs also shares best practices and challenges faced among its membership, sharing some of this information with the public through its resources pages.
As members of the talent development field are wont to say, training is less and less about an event and more about continuous learning. And in a rapidly evolving field like cybersecurity, it's all the more critical for talent to consistently work at upgrading skills and knowledge.
Texas's Department of Information Resources hosts an InfoSec Academy that offers IT courses, classes on Texas cyber policy, and certification, which helps agencies with their training budgets and staff retention, says Rainosek.
Michigan's Cyber Range, run through the Merit Network, is similar to Virginia's in that it gives hands-on training exercises. The Cyber Range offers courses in an array of modalities, from online to in person to private on-site. A sampling of courses includes certified ethical hacker, certified network forensics examiner, and CISSP. And the Cyber Range's Regional Cyber Education Collaboration seeks to provide a robust cybersecurity curriculum via a mix of face-to-face and distance learning courses to meet the demand for skilled professionals.
In addition to other efforts mentioned, Virginia employs phishing exercises in house and hosts events like brown bags, especially during National Cybersecurity Month. There also are a number of conferences relating to cyber, including the national RSA Conference held in San Francisco in February. Safety requires a constant reminder: "It's not one and done," emphasizes Jackson.
Despite the partnerships, there is room for improvement in information sharing. Too much of the sharing and collaboration that currently go on, according to Jackson, are in a stovepipe: Education talks to education and so forth. There's not enough sharing of information across different agency departments. And that is definitely needed.
The Rhode Island Cybersecurity Commission's report, A Framework for the Development of Cyber Protection and Resiliency in State Government Operations, explains: "Cybersecurity is not just relevant to information technology and network operations teams, but now affects directly the efficiency of state law enforcement, emergency response, and the National Guard. In fact, it is becoming clear that the unique landscape and reach of cyberspace will require states to play a more active role protecting and advancing our national security."
That sets the bar for states' cybersecurity efforts very high. But recognition of the importance is definitely there, and states are making great strides, working with what they have for the best possible outcomes.
Awareness and Analytics
According to the Government Business Council (GBC) paper, Awareness & Analytics: Weapons of Choice in State & Local Cybersecurity, the challenges that state and local governments face with regard to cybersecurity—including the talent shortages and budget shortfalls—make it critical for leaders to "maximize the resources they do have in order to weather the most damaging attacks from those seeking to steal sensitive information or access critical controls."
The paper cited an August 2016 study by the council that found that 77 percent of state and local government leaders considered cybersecurity a high priority compared to other goals. Despite the stated importance, governments aren't necessarily putting up the money to match the priority level. Reporting on a National Association of State Chief Information Officers study, the council noted that according to nearly two-thirds of state chief information security officers, cybersecurity received a mere 1 to 5 percent of their state's IT budget. And one-third of CISOs said they had made no headway in increased funding from the previous year.
A way forward, according to the GBC report, is through the use of analytics, currently severely lacking—55 percent of respondents didn't know whether their organization used analytics to improve threat detection. Utilizing outside managed security services providers can be another attractive solution to ramping up the necessary expertise.
And, as with many other challenges, addressing cybersecurity issues begins with awareness.