Cybersecurity affects every agency, program and employee, and has become an even greater challenge to manage as global networks become more susceptible to risk. Learn how agency CIOs can develop cyber strategies and support the desired goals to recruit, retain, and develop the cyber workforce amidst the growing talent gap. General Harry Raduege, Chairman, The Deloitte Center for Cyber Innovation, Deloitte Services LP and Michael Gelles, Director, Deloitte Consulting LLP weigh in on this timely discussion for cybersecurity month.
• The changing cyber threat landscape
• Top cybersecurity personnel priorities for Federal agencies
• How and where agencies should invest in the cybersecurity workforce
• Narrowing the cybersecurity workforce gap—the growing need for cyber professionals
• Future challenges and opportunities in cybersecurity
The following is a full transcript of FedCentral’s interview with General Harry Raduege Jr. USAF (Ret), Chairman, The Deloitte Center for Cyber Innovation, Deloitte Services LP and Michael Gelles, Director, Deloitte Consulting LLP and former Chief Psychologist, Naval Criminal Investigative Service conducted by Jane Norris on October 4, 2012.
Jane Norris Welcome to Fed Central, brought to you by Deloitte, a program where executives and federal government leaders talk about the issues and initiatives that are making a real impact on the business of government today, to help government help America.
Today, we’re going to talk about the state of Federal cyber security and the state of the cyber security workforce. And we have two honored guests joining us on the show today. General Harry Raduege, the former Director of the Defense Information Systems Agency and four time federal agency CIO. He’s now chairman of the Deloitte Center for Cyber Innovation and the Director with Deloitte Services.
And Michael Gelles is a former Chief Psychologist for the Naval Criminal Investigative Service, or better known as NCIS, as you’ve seen on TV. Currently a Director with Deloitte Consulting’s Federal Practice in Washington, D.C. He specializes in the area of Human Capital Management, with an emphasis in cyber security workforce issues. Gentlemen, a pleasure to have you both on the show.
General Raduege Thank you, it’s great to be here.
Michael Gelles Thanks, Jane. Great to be here.
Jane Norris It’s an honor. All right, so let’s talk about the increasing number of high profile cyber security attacks and breaches over the last year. Give us a sense of how the cyber threat landscape is changing and what issues government agencies are facing today. General Raduege, let me start with you.
General Raduege Sure, Jane. Well those are two really big areas. And I would just say that the cyber threat landscape is changing dramatically today. Today, there’s more and more victims that I’m seeing across the whole landscape of government and industry users of cyberspace. And this has become a very, very serious, as far as the number of incidents that are happening. In other words, the bad news is that these incidents are increasing in frequency and scale and impact. And let me just say what that includes. It includes everything from [hacktivists] that we experience every day, the easily conducted but very serious identity theft that’s going on, the fraud. Embedded malicious software that’s unknown, actually, to business owners, but that’s extracting critical information from their networks on a routine basis. Espionage and the growing globally syndicated criminal activity.
As a matter of fact, I’m reminded of our Commander of the U.S. Cyber Command, who talked about these incidences and he said that they are producing the greatest transfer of wealth in our history. And so, generally, you name any cyber related threat, like the ones I talk about and it’s growing significantly.
Now, the second point, Jane, you asked me to comment on is government agency issues. And I think they really fall into four fundamental categories. And I know Michael Gelles will want to comment on these today. I would say people, process, technology – and I would add funding, also there. First off in the people area, we need a properly educated and trained workforce with an increasing number of people needed to meet the growing demand of the areas that I talk about. In the process area, there are three areas that I want to mention. First off, having better internal cyber operating procedures. Folks that are in business today are dealing with the social media. They’re talking about moving to Cloud computing. There’s a lot of uncertainty there. You’ve got to trust others with your organization’s crown jewels of data. And there’s also a movement that everybody’s facing toward a more mobile workforce—and bring your own device to work.
The second process area that I’m seeing hit the minds of people in business and government is for better information sharing so that the cyber workforce that we’re talking about today can really stay updated and constantly updated with the growing threats.
And then the last – technology having the benefit of having appropriate hardware and software, having the funding levels you need. So those are the four big areas. And these areas really have got everyone hopping because of all the attacks that are coming from all angles and directions today.
Jane Norris That brings us to all the threats that the General has laid out. So, Michael, you have to have a cyber workforce in place that tries to defend or does defend against those threats that are incoming. So how are agencies doing? Do they have the funding in place to actually mitigate some of that?
Michael Gelles Well – do they have the funding in place? I think it’s clear to everyone right now that the government is under a pretty restricted funding budget crisis. And that’s where I think it becomes important to think about – and maybe we’ll get more to this – but the idea of how they begin to develop a work sourcing strategy. So how do they begin to think about – well beyond just the technology. And clearly, the General’s articulated a landscape that, as you listen today, is quite frightening. In fact, it gets more and more frightening every year. But I would emphasize the fact that the important tool is going to be the workforce and the competencies of the workforce that are going to implement that technology. Specifically, the knowledge and the awareness of the workforce and how do we begin to develop – just not a workforce in a workforce planning strategy, where people have the specific competencies around computer forensics, around technology. But specifically around understanding and being aware, so that they don’t begin to put organizations in a vulnerable position.
Jane Norris So how do agencies invest for the future? General Raduege, as you point out, there’s a threat matrix that is becoming more complex, global in nature, wide ranging. So where do they go? How do they invest to get the most bang for their buck?
General Raduege Sure. Well I think there are a number of areas that they can get the most out of what they’re working with today. First off, in the areas of policy and systems and controls. Everyone is struggling today with setting up governments, through instructions, policies and procedures. This takes a trained workforce. Folks have really got to know what they’re doing there and also, I think, that agencies are really investing a lot in total enterprise management, including better network tools for better insight, data center consolidation, big data, provisioning in technologies, Cloud computing. All these type of things. And Michael, I would just say that it really takes a great trained workforce – a smart workforce. And one that doesn’t become stagnated, that always keeps current. So how do you deal with that?
Michael Gelles I think you’re absolutely right. And I think one of the questions is from a maturity standpoint – where are organizations, in terms of their workforce planning around cyber secure workforces? Have they begun to really begun from the right sources – where if you look back from 2011, which a recent GAO report, back to 2002, with the FISMA Act – all the way back to the Clinger-Cohen Act, in 1996 – CIOs and CISOs are really responsible for developing this workforce. And I think the concern is, have we begun to really develop the appropriate strategies to, if you will, develop a workforce that links to the necessary people, to implement that technology. Are we clearly defining the roles and responsibilities? Are we identifying the right competencies? And I want to keep those two separate, because the competencies to execute what you’re describing also are not individual or separate from the roles and responsibilities that people have to assume to be able to implement a security in a secure workforce.
Jane Norris How do we get there? I mean, obviously, you have young people going into cyber degree programs, like the University of Maryland program, General Raduege, that I know that you work with. How do agencies inculcate the kind of workforce and grow the kind of workforce that’s needed when we see young people not necessarily investing in math careers or physics careers or other kinds of careers that would lend themselves to this kind of discipline?
General Raduege Well Jane, there’s a full spectrum of skills that are needed today in the government and the industry workforce. You mentioned University of Maryland University College. I’ve had the privilege of working with them now to define some degree programs. And frankly, they’ve been very, very successful. A Bachelor’s Degree in Cyber Security, a couple Master’s Degrees in technical and policy. And now, UMUC has actually added a brand new Forensics in Criminal Investigation degree program. Just think of that now – the full spectrum of where we’re looking for cyber security trained individuals. Originally, we thought about it more from the STEM area of the science, technology, engineering, mathematics. But think about the cyber law perspectives. Not only of protecting and getting good advice – trusted advice to your clients, but also the fact that there’s going to be litigation, growing litigation in the future, where lawsuits are established. So there is a full spectrum of opportunities in what I would call the blue collar, the white collar and the platinum collar jobs, from the back room to the board room. And growing beyond that today.
Michael Gelles As I listen to you, General, I mean, I think what it defines for me is a context that’s very complex. And when one begins to think about – well, how do you begin to develop a workforce that can begin to address those. How do you begin to identify the skills and capabilities that, beyond just the competencies of electronics and forensics and specifically, the technology tools. But how do you develop a group of folks that also are going to have certain levels of integrity that are going to be able to be attentive to detail? That are going to be able to communicate, collaborate and really be able to manage all that they need to be aware of in keeping a cyber secure workforce?