To fill key cybersecurity positions, agencies and industry are trading employees like professional sports teams trade players.
But over time the idea of stealing each other’s workforce doesn’t address the short or long-term needs for a skilled cyber workforce.
“It’s a good thing to have that interchange between government and industry, but in the end it’s a zero sum game,” said Phil Reitinger, the Homeland Security Department’s the under secretary of the National Programs and Protections Directorate (NPPD). “There aren’t enough to go around. We have 220 people now, but we will need a heck of a lot more people in the future, and we know others like DoD are hiring. We just don’t have enough of those people yet. So we absolutely have to build that end-to-end ecosystem.”
Reitinger pointed to a recent example of this interchange. DHS brought in Bobbie Stempfley to be the director of the DHS National Cyber Security Division, while Mischel Kwon left DHS to work for RSA, the security division of EMC.
“We can’t just focus on our urgent cyber workforce needs, but those that are strategic and critical, and there is nothing that is more strategic and critical from both a security and a competitiveness for us as a nation than workforce development and education over the course of the years,” he said during a panel discussion on the cybersecurity workforce sponsored by Deloitte Consulting in Washington Thursday.
And Reitinger should know. DHS is trying to hire 1,000 cybersecurity professionals across the department by 2012.
He said in 2009 his office as tripled the number of people working on cybersecurity in NPPD, and in 2010, it again doubled the number. In all, about 220 people work on cybersecurity in NPPD. Reitinger said that number will continue to grow.
Reitinger added that DHS has an initiative to develop their workforce efforts so they have this end-to-end process for the agency.
“There are a lot of programs we are working on,” he said. “We internally at DHS are focusing clearly now. This is a priority for all of us.”
Nearly every agency is facing the same dearth of qualified candidates. The Defense Department currently is feeling the pain of finding cyber workers as it expands its cyber command and each of the service’s cyber offices.
The Navy’s Fleet Cyber Command also is looking to hire more than 2,500 uniformed and civilian cyber workers, said Kevin Cooley, a command information officer in the office.
He said currently the Navy is on target to meet its 2011 goal, but in the out years, they realize the competition only will increase.
Cooley said the Navy is taking a different approach to recruiting cyber workers.
“Over the last two years, we have gone through, what I will call, an old people’s revelation,” he said. “If we are going to reach out and touch these people, they will not look at USAjobs or go to a recruiting office and look at a recruiting poster. That’s not their world. We spend a good amount of time and energy reaching out into the places that are in their world. Those places are in the social network. We spend a lot of time in places like Facebook, and looking at the digital presence the Navy has and how easy is it for someone to go into that environment” and find out what the Navy has to offer.
Jim Lewis, a senior fellow at the Center for Strategic and International Studies and the program manager for the Commission on Cybersecurity for the 44th Presidency, said the need for a security clearance only adds to the challenges to hire these workers. To get a new security clearance, it can take 18-24 months.
The demand for cyber employees spreads into industry as well. Deloitte estimates that government and contractors need today between 10,000 and 30,000 cyber professionals in the Washington metro area alone.
Agencies and industry also face the challenge of ensuring the workers can do the job. Unlike other professions, such as doctors, lawyer or plumbers, there is no standardized training or generally accepted certification program.
Cooley said the Navy faces this problem often.
“We go after individuals that have demonstrated the propensity to be able to learn this stuff,” Cooley said. “We have batteries of tests we deliver and screen out the most qualified individuals. But what’s common across all of that is nearly all of these positions require fairly high levels of classification.”
Lewis said cybersecurity needs to be professionalized.
“There needs to be more discipline brought to the field,” he said. “Many CIOs who I talk to say there is no correlation between the training cyber professionals receive and the job they have to do.”
He added that this is a job for universities and industry getting together to create such a standardized education and certification programs.
“We need to start matching training to results,” he said. “If you have training or a certification or some kind of degree, does it actually make you better at cybersecurity? The answer should be ‘yes.’ But we need to test that, we haven’t done enough testing. A lot of this is data. There are some things that we know work and other things that we know don’t work. Do you know the things that work? Again, that is testable.”
New requirements also are coming for federal employees. The Chief Information Officer and Chief Human Capital Officer’s councils have been working on developing governmentwide competency models for cybersecurity workers since last November.
The competency models would cover three main areas:
IT infrastructure, operations, maintenance and information assurance
Domestic law enforcement and counterintelligence
Specialized cybersecurity operations
The University of Maryland University College is trying to go down that path. Maryland recently announced a new cybersecurity education and professional development department. It is now developing three degree programs: a bachelors and a Master’s in cybersecurity that are technical, and a Master’s degree in cybersecurity policy.
Susan Aldridge, president of the University of Maryland University College, said they have been working with industry and government to create courses to combine academic and real-world examples occurring today.
“Students spend a third of their time on the content, a third of their time actually working on real world situations and a third of their time in a virtual lab that is a cybersecurity lab where students can practice defensive postures to protect their country, businesses and government,” Aldridge said. “We are hiring faculty with real world experience.”
Aldridge said Maryland also will offer three certificate programs for experienced workers who want to upgrade their skills.
“Our challenge will be to upgrade our curriculum as we go along,” she said. “We’ve hired librarians who will do nothing but search new government and new industry reports and feed them into the classes next week and the month after that, and not wait a year to debate about it and decide if it’s academically sound enough to put into a class. We have got to produce students and professionals who have the knowledge that both the government and industry needs.”
(Copyright 2010 by FederalNewsRadio.com. All Rights Reserved.)