Cybersecurity is a dynamic and crosscutting field that is ever changing and increasingly challenging to address. At the Association for Federal Information Resources Management (AFFIRM)’s 5th Annual Cybersecurity Summit, government thought leaders gathered to explore growing threats as well as innovative approaches to attract and retain the best cyber talent.
Nicole Blake Johnson, Managing Editor at GovLoop, moderated a panel of federal Chief Information Officers (CIO) to discuss current cybersecurity priorities and how to attract, retain and train a dwindling pipeline of cyber talent. Speaking on the panel were:
-Max Everett, CIO at the Energy Department
-Joe Klimavicz, Deputy Assistant Attorney General and CIO at the Justice Department
-Rodney Petersen, Director of the National Initiative of Cybersecurity Education (NICE) at the National Institute of Standards and Technology (NIST)
-Howard Whyte, CIO at the Federal Deposit Insurance Corporation
Cybersecurity Landscape and Challenges
For most federal CIOs, strategizing the best ways to prevent cyberattacks and strengthen cyber posture are only a part of the job. Additionally, these CIOs must work to modernize their technology infrastructures while managing limited resources, as well as meet increasingly demanding expectations from customers.
“The biggest challenge we face at FDIC is resources,” Whyte said. “We have a lot of systems that are legacy, but we have to sustain what we need to conduct our mission while modernizing to meet our business needs.”
At the Energy Department, risk management is both a priority and challenge, Everett said. “It’s getting cheaper and cheaper to launch more damaging cyberattacks every day. Deterrence alone is not working anymore and the constant increase in the capabilities of the bad guys is a real challenge.”
Klimavicz added that the frequency of attacks is increasing as agencies must also keep pace with evolving technologies. “From my perspective at Justice, technology is changing very rapidly. We’re trying to keep up with technology and where it’s going. Artificial intelligence is increasing exponentially. At the same time, customer expectations remain very high.”
Petersen contributed additional insights to the challenges facing CIOs. “CIO can also stand for ‘career is over,” he said. “It’s a very challenging job. At NIST or Commerce, there’s a lot of operational work to be done to support the mission of the agency.”
CIO Priorities
While recruiting and retaining the cyber workforce was a priority that resonated across all agencies, the CIOs had different areas of focus for strengthening their agencies’ cyber postures, including risk management, automation and improved IT governance.
For the Justice Department, Klimavicz and his team are focusing on automation and continuous monitoring capabilities. “We have over 300,000 endpoints to protect so we’re trying to minimize the risk through continuous monitoring,” he said. “We also want to automate incident response and cyber capabilities while trying to improve our identity, credential and access management so we can build in resiliency through all of our mission-essential systems.”
At FDIC, improving collaboration and strengthening IT governance have been ways to improve organizational structure while addressing cybersecurity. “Right now, I’m laser-focused on security, but also on strategy – making sure the organization is functional,” Whyte said. “We’ve put in a governance framework so we can be more collaborative and look at our problems and systems together. We have risk wards where we sit together at the table and look at the risks and make decisions together. Our rule is to make a decision fast in one meeting, not two meetings. It’s important for us to have the policies in place, capture the data and have others at the table to encourage open collaboration, respect and constant communication.”
Everett and his team are focusing on the strategic level of risk management for the many missions the agency oversees. “We have open labs and their purpose is to share data openly on an international basis,” he said. “At the same time, we’re delivering electricity to tens of millions of Americans. That’s an enormous surface of risks. So we have to manage all of that as risks across the department and have that business knowledge. We’ve used continuous diagnostics management to see into our environment as that’s been really critical for us.”
Cybersecurity Workforce
The Global Information Security Workforce Study projects a 1.8 million-person shortage in the cybersecurity workforce by 2020. It’s no news that government has long been trying to address the shortage of personnel and skillset in the cyber workforce. But these CIOs are making progress in recruitment and retention efforts, primarily by making hiring easier, improving training initiatives and by promoting K-12 cyber education.
Petersen recommended that agencies refer to the NICE Cybersecurity Workforce Framework to aid in recruiting more qualified candidates. “NICE tries to convene people across the country and offers an interagency working group as well as our annual conference to bring people together to create that energy and momentum we need to address this challenge,” he said. “This job shortage or challenge needs to be addressed by working across government and having academia in an integrated ecosystem.”
“There’s not enough cyber talent in the federal space to go around,” Klimavicz added. “We really do need to start young and elevate the cyber professions. Everyone in elementary school should want to be a cyber professional.”
While both the Justice Department and FDIC are hiring for open positions, the CIOs also rely on contractors to substitute talent for the cyber workforce. “The contractor workforce, or we call partners, are key to our success,” Whyte said. “We make sure that we have a number of contractors or partners that we can always call. They know our business processes and can help us execute plans quickly.”
Training is a big focus for the Justice Department, Klimavicz said. “Just because you graduated with a computer science degree, you still need to continually keep skills current. It’s much more cost-effective to host large-scale trainings. The employees also like the idea that you’re investing in their future too to keep them current.”
The cyber landscape is rapidly changing along with the technologies and skillsets needed to keep up. As federal CIOs work to navigate this landscape, it will be critical to use innovative approaches to recruit, hire and grow the cyber workforce.
For more reading on government cybersecurity, check out GovLoop’s recent guide, “How to Play Your Role in Cybersecurity.”