“There is a significant skills gap issue, and we need to address it,” Karen Evans, partner at information technology advisory KE&T Partners and co-author of the report, told SCMagazineUS.com on Monday.
There is a shortage of individuals with the necessary security skills to operate and support systems that already are deployed, according to the report, released by the Commission on Cybersecurity for the 44th Presidency, established in 2007 by the CSIS to provide findings and make recommendations concerning cybersecurity.
The report also found that there is an even greater shortage of cybersecurity experts who can design secure systems and networks, write nonvulnerable computer code and create the tools needed to prevent, detect and mitigate damage due to malicious acts.
Jim Gosler, fellow at the Sandia National Laboratory and visiting scientist at the National Security Agency, said in the report that there are only about 1,000 individuals in the United States with the specialized security skills to defend cyberspace.
There need to be around 10,000 to 30,000, he said.
Additionally, Lt. Gen. Charles Croom, commander of the Joint Task Force for global network operations in the U.S. Air Force, stated that the most critical problem in meeting the growing cyber challenge is finding the technical security people to handle the task.
“A critical element of a robust cybersecurity strategy is having the right people at every level to identify, build and staff the defenses and responses,” the report states. “And that is, by many accounts, the area where we are the weakest.”
Additionally, existing professional certification programs are “inadequate” and create a “dangerously false sense of security” because these programs do not always improve an individual's ability to address security risks, the report states.
While many defend certifications as a way to prove that someone has practical knowledge in a given field, the credentials currently available, according to the report, are too focused on documenting compliance rather than actually reducing risks.
“There's a lot of money put forth in scholarships for service, but when you look to see what they actually get trained on is not necessarily what they need to apply on the job,” Evans said. “It's time to raise the bar and go a little higher because you could get a whole staff full of people with cybersecurity certification, but that doesn't mean they can actually handle an incident.”
There already are a number of efforts underway within and outside of the federal government to develop a skilled workforce. For example, the U.S. Department of Homeland Security announced last year that it had secured funding to hire up to 1,000 cybersecurity experts.
One of the primary recommendations in the report is that these efforts be leveraged in a comprehensive manner and that the president's cybersecurity coordinator, Howard Schmidt, sponsor an effort to create and publish a classification of core cybersecurity roles and skills, Evans said.
This standard would serve as the basis of education and training curricula and professional certifications, the report recommends.
“There's good work happening in pockets,” Evans said. “There are things that are working well and can be leveraged across the board to help everyone.”