(ISC)² Issues Federal Cybersecurity Recommendations

(ISC)² has issued a series of recommendations for the US government to consider

The recommendations were delivered early this month directly to government officials at the White House, the US Department of Homeland Security, the US Department of Defense and the National Institute of Standards and Technology, as well as to members of academia and other influencers within the federal workforce community.

Citing data from the 2013 (ISC)² Global Information Security Workforce Study, the organization said the known gap between the supply of and demand for qualified information security professionals around the world has become acute. More than half of US government survey respondents said the main reason their agency has too few information security workers is that business conditions cannot support additional personnel. Other experts around the world, by contrast, attribute the skills gap primarily to the difficulty of finding qualified personnel and to funding challenges.

“Based on our research, 61% of US government information security professionals believe that their agency has too few information security workers to manage threats now, let alone in the future,” said W. Hord Tipton, executive director of (ISC)² and former CIO of the US Department of Interior, in a statement. “Yet, information security positions are going unfilled.”

During the 10th anniversary gathering of (ISC)²’s U.S. Government Advisory Board for Cyber Security (GABCS), (ISC)² officials led a discussion with former and current board members representing CISO-level executives from federal agencies and departments in an effort to gain greater understanding of the underlying challenge facing the federal environment. As a result, (ISC)² developed a series of recommendations.

Unsurprisingly, ensuring security in the cloud, in software and in the supply chain is one major area. The group's recommendations here include updating the Federal Acquisition Regulation (FAR) with modular language that ensures cloud providers adhere to FedRAMP, FISMA and explicit information security requirements, and requiring that all personnel who provide cloud services, and those charged with guarding data in the cloud, are assessed as qualified to operate securely in that environment.

It also noted that government agencies should demand superior software, which means employing qualified software security professionals throughout the development lifecycle.

“Whether an agency is developing software in-house or purchasing commercial software, including software-as-a-service, the same rudimentary issues such as SQL injection often lead to a breach or compromise of a system,” (ISC)² noted. “The US government must demand secure software and demand that the individuals providing software meet minimum levels of assurance and ensure security is baked into products.”

(ISC)² also encouraged personnel initiatives such as establishing a cyber “special forces” team and aligning existing workforce programs, including the Scholarship for Service (SFS) and Centers for Academic Excellence (CAE) programs, to the NICE Framework. As for the special forces team, it would exist within the federal government's employment structure but might not culturally assimilate into the federal workforce. The federal government often passes over talented individuals because they cannot obtain a suitability determination or clearance, while some potential information security professionals simply reject the idea of working under government workforce rules. The special forces structure is intended to address both obstacles.

There is also the crucial point of assigning accountability for information security failures to mission and business owners, and of recognizing successes. (ISC)² said in its letter that at federal agencies the CIO or CISO often becomes a scapegoat for a lack of security investment by a program manager, budget office or senior management. OMB should demand that those unwilling to fund security in accordance with FISMA and the Privacy Act are held accountable for those risk management decisions, it said, and in some instances OMB should use budget language to direct that security be funded as a direct line item.

It also recommended that the DoD 8570.01-M workforce certification model be implemented across all government agencies.

“Our goal in delivering these recommendations to key influencers is to help the US government close the workforce skills gap and to strengthen information security via avenues such as existing frameworks, the acquisition process and personal accountability, among others,” Tipton said.
