As the 100th day of the Trump Administration arrives next week, (ISC)2 offered a series of recommendations to President Trump to advocate for the cybersecurity workforce.
Writing this week on an (ISC)2 blog, Dan Waddell, regional managing director for the North America Region at (ISC)2, reiterated remarks he had offered to White House Chief of Staff Reince Priebus and others on the Trump team, as well as to the House Subcommittee on Information Technology, pressing the new administration to emphasize workforce development within the cybersecurity community. (ISC)2 is a nonprofit organization that provides information security education and certifications.
Time is of the essence, he emphasized, pointing to the widespread and damaging effects of the cyberthreats in the headlines each day. Exacerbating the situation is the lack of a skilled workforce to counter the ever-present and growing threat landscape, he added, citing the 2017 (ISC)2 Global Information Security Workforce Study, which projects a workforce gap of 1.8 million workers in the information security field by 2022.
Citing achievements already made in the past decade in the cybersecurity field, Waddell pointed to his organization's support of the Cybersecurity National Action Plan (CNAP), which resulted in the appointment of the nation's first federal CISO.
"That is why we recommend the reinstatement of both the federal Chief Information Officer (CIO) and CISO positions, but with greater authority," Waddell said. "The next federal CIO and CISO must have the ability to positively affect change, have a depth of experience in both the technical and managerial aspects of cybersecurity, and must be advocates for effective, holistic cybersecurity solutions that include people, process and technology as equally essential components."
Other recommendations include expanding training in order to recruit from a broader base, not just technical personnel, and to instill in all staff an awareness of security risks and "cyber literacy across all departments within federal agencies."
(ISC)2 also advocates the use of financial incentives to attract and keep cybersecurity staff. Specifically, Waddell pointed to a DHS hiring practice in which recruits were brought in at a pay scale 20-25 percent above existing salaries as a way to motivate and retain new cybersecurity hires.
"The practice of incentive pay needs to be replicated throughout the federal government in order to attract experts from the private sector," Waddell explained. "This perk also plays a key role in retaining cybersecurity talent."
Another recommended step was further education for personnel on the administrative side, particularly acquisition, legal and human resources (HR) staff. These employees are essential to the cybersecurity ecosystem, Waddell stated, and need advanced training not only in the needs of their customers but in the nuances of the cyber workforce. It is imperative, he said, that these staffers write accurate Requests for Proposals (RFPs) and job descriptions so that the right people are hired and the right technology tools are acquired.
In addition, staff with effective communication skills are in demand, Waddell said. People are needed in government posts who can explain to business leaders – in language they can understand – the risks from cyber attacks. "Effectiveness of the CISO role in the future will depend upon a 'translation' layer of personnel that must be established and trained," Waddell said.
The appointment of chief risk officers to government agencies, mandated recently by the Office of Management and Budget (OMB), is a promising start, he said. "Efforts to align technology risk with mission and business strategies should leverage this OMB initiative."
Waddell also pointed to weaknesses in the existing civil service system, going so far as to call it broken and insufficient to meet the government's present requirements. When it comes to hiring top cyber talent, he said, legacy systems, particularly the government's General Schedule (GS) classification and pay system, are antiquated and prevent both the promotion of worthwhile talent and the reassignment of non-achievers. As one remedy, Waddell suggested adopting the "cyber national guard" concept, under which the federal government would pay off the student loans of STEM graduates in exchange for their commitment to work for the government for a few years.
"While we haven't received any official response from White House staff regarding our recommendations, we did receive acknowledgement that they were received," Waddell told SC Media on Friday.
Members of Congress expressed interest in the recommendations from (ISC)2, and the organization took the opportunity to present them at a recent hearing of the Subcommittee on Information Technology of the House Committee on Oversight and Government Reform, chaired by Rep. Will Hurd of Texas, he said.
"From our view, we feel the White House has cybersecurity among its priorities," Waddell added. "I would not necessarily equate the delay in the Cybersecurity Executive Order (EO) to a feeling of unimportance on their part. We are hopeful that the White House will consider our recommendation to backfill the Federal CIO and CISO positions and, once on board, leverage their expertise to release a final version of the EO."