A magnifying glass has been focused on the significant shortfall in cybersecurity talent in the government. This runs parallel to a similar awareness and focus on this sector’s gap in IT technology sophistication in general. This doesn’t surprise many of us with experience in both government and cybersecurity, as indeed, these issues are tightly interwoven and interdependent.
Before we address how these issues interrelate, let’s evaluate the need for cybersecurity skills. First, a shortfall in highly qualified talent is not unique to government; it is pervasive across every sector and every vertical industry. Unfortunately, cybersecurity is a booming business as attackers become more sophisticated, organized, skilled and backed by entities with a myriad of motives, driving both the need for defensive talent and, concurrently, the pay ranges these professionals can command in the market.
However, the shortfall is more visible in the government sector because of the stringent reporting and transparency requirements of governmental agencies. It is difficult to directly compare government cybersecurity issues to the private sector’s. But it is clear that many private sector industries have similar skills gaps and equally or more restrictive budgets to address them, such as healthcare or retail, which are struggling to attract and retain top talent.
What is somewhat more specific to government, however, is a slower pace of change. The government is not built to embrace change or move quickly. Laws, policies, incentives and procurement challenges create unique barriers. This is seen quite clearly in technological solutions despite a rapidly evolving technological landscape for both personal consumers and business users. The government sector has been slower to move off legacy gear, embrace cloud adoption and look to new solutions that improve internal efficiency. According to a Department of Defense Memorandum documenting Cloud Computing Strategy, a Defense Science Board analysis of 32 major automated information system acquisitions showed the average time to deliver an initial DoD program is 91 months once funding is approved — two to three times the average industry IT refresh cycle time. Technology advances rapidly, and the slower governmental adoption curve has served to widen the gap between where most agencies are today and where they need to evolve to in order to modernize.
The most recent example of politicians trying to address these challenges is in the form of the Modernizing Government Technology Act, which was passed by the House of Representatives in September of 2016. The intent of the bill is to create a centralized funding structure to upgrade legacy IT infrastructures; the impetus behind the bill was a hack of Office of Personnel Management systems.
This is where IT modernization and cybersecurity intersect: Legacy equipment, including hardware, software, processes and associated older security protocols increase security risk. In parallel, they create inefficiency, as they represent a patchwork of older, less efficient solutions, often with some newer gear thrown in the mix, making a holistic, strategic security schema nearly impossible to implement without leaving gaps. Finally — and here is an important point — staffing to support this montage of equipment is itself highly inefficient, meaning you need more people to manage it, and cannot effectively attribute the right people and budgets to the most essential functions, such as cybersecurity talent. Government is hiring to their current IT needs; the commercial sector is hiring to where IT is going.
So, what is the answer? Technology has a clear and distinct lifecycle, and implementing it effectively requires having a well-thought-out strategy that takes into account: A) Where the organization is today; B) What technology options are available today to meet your current needs more efficiently; and C) What technology advancements are coming on the visible horizon that can be planned for, built around and budgeted into a longer-term roadmap. Governmental agencies must first start with a clear strategy and roadmap built around technology, not only today but in the future, understanding that technology will have a defined lifecycle that must be planned for.
Step two is beginning to view staffing as having a similar lifecycle. As technologies sunset and new advancements are embraced, the skillsets needed to support those capabilities will need to shift as well. Unfortunately, government regulations create unique management challenges. Artificial intelligence, automation and machine learning are being built into every area of technology, from IT gear to networking infrastructure to cybersecurity itself. Government will eventually move to fully embrace cloud solutions as well. In the longer term, this will mean that some (if not most) of the cyber skill sets that are needed to support more manual processes today will not be needed in the very near future, and these staff members can be reskilled to other areas where humans are needed for more strategic or automation supporting work. In other words, people will need to continue to adapt to change in the roles that they play — and part of the onus is always on each of us to own our own careers, remain relevant and see the winds of change — and be ready to move with it.
In the shorter term, as governmental agencies begin to evolve their technology environments, they will be able to create greater staffing efficiencies across their environments, allowing them to shift budgeting to cybersecurity talent. Yet attracting skilled talent goes beyond offering a competitive wage; the government needs a technological reset, and very much so within cybersecurity. By offering security talent true empowerment to lead the change and effect new directions, they can offer a compelling employment value proposition beyond just salary. Studies consistently show that empowerment is a key driver in job satisfaction — not just salary band — and the government is at a pivotal point where they can offer talented cyber experts the ability to lead just such a sea change.
I do not believe that compensation is the main driver. What the government may lack in comparable compensation, they make up for in unique missions, scale and benefits that cannot be replicated. A good example is offensive cybersecurity. If you want experience in offensive cyber, the DoD, DHS, intelligence community and other agencies can offer a unique experience that cannot be replicated.
Government agencies can also start by leveraging third-party providers for cyber risk advisory, pentesting and cyber engineering services to help them create strategies, learn their vulnerabilities and prioritize their spend based on risk. Building and retaining top cyber talent is a hard strategy, and using unique cyber skills only when and where you need them is not something the government has historically done well. Just as IT infrastructure needs to be elastic, so too does the labor force.
The Modernizing Government Technology Act is a step in the right direction. We see the seeds of commitment to change — but in government, we believe it begins with understanding a broader view of the lifecycle of both technology and the skills that support that technology, and building a longer-term strategy around it, infusing security into it every step of the way.
Tom McAndrew is the chief operating officer at Coalfire, a cyber risk advisory firm.