An FCW article (White House hints a new cyber policies) recently reported that the White House is preparing to act on recommendations from its first cybersecurity directive issued last May. But it also noted concern from lawmakers who have been questioning gaps in DHS’ cybersecurity workforce related to job title coding errors.
DHS is required to classify and code every cybersecurity position so that staffing can be aligned with need and the duties of each cyber role can be defined. There are codes for everything from incident responders to auditors to cyber analysts to policy analysts to threat assessors, and the list goes on.
Recently, coding errors were found to have produced a discrepancy in DHS’ reported cyber workforce. This led to more scrutiny and more criticism of DHS’ ability to staff effectively.
Lawmakers such as Rep. Scott Perry (R-Pa.) said these cyber-related shortcomings are “emblematic of the systemic hiring issues continuing to plague the department.”
Compounding the problem is significant attrition, which I attribute to a fundamental flaw in the current role and training of federal cybersecurity specialists.
The majority of cyber security jobs are titled and coded for very specific roles, many of them related to compliance, yet very few of the people in those roles understand the problems the engineering and business teams face in securing their enterprise and applications.
This situation can be attributed, in part, to the previous OMB and FISMA directives mandating that agency and government-wide cyber security be managed from a risk-and-compliance perspective. Those directives did not account for the increasingly important need for cyber security specialists to understand the critical business applications and the risks associated with putting them online.
The result is a large number of narrowly focused cyber security specialists who spend their time translating compliance requirements and enforcing the controls those requirements demand, rather than helping business application leaders learn how to prevent and stop an attack.
What is the solution?
Federal IT security leaders must begin adopting and promoting new enterprise security architectures (such as software defined perimeters) that marry compliance with the enterprise architecture goals, making security specialists’ jobs easier and making them more effective at identifying and stopping attacks.
For more information, check out this white paper on software defined perimeters.