Should developing cybersecurity talent be the next public-private partnership?
As the Department of Homeland Security continues to reach out to the private sector to foster better sharing of cyberthreat intelligence, it’s also looking for help in meeting the high demand for cybersecurity talent.
One of the agency’s key objectives is to build a workforce that can meet the security challenges of the future, Rick Driggers, deputy assistant secretary for cybersecurity and communications at DHS’s National Protection and Programs Directorate, said Thursday. He called on the private sector for help.
“How do we build a cyber workforce not for us to recruit against, but how do we build a cyber workforce as a national asset,” he said at the Cyber Threat Intelligence Forum presented by FireEye and produced by FedScoop and CyberScoop.
DHS has long advocated sharing more threat-based information with a variety of industries as a way to strengthen current cyberdefenses. In addressing the global shortfall of cybersecurity talent in the public and private sectors, Driggers said the two should extend their partnerships to collaborate on better ways to stock a pipeline of skilled workers.
“Right now, we’ve got about 300,000 unfilled cybersecurity positions as a nation,” he said. “So what are we doing to engage K-12, what are we doing to engage academic universities? What are we doing, at least in the federal government, to change our hiring practices so we can bring on cybersecurity talent, we can keep them engaged? But we can’t do this alone. This is something we are going to have to work with industry [on.]”
Exacerbating that challenge is the widening scope of skill sets needed for new threat intelligence-based cyberdefenses. The threat-based cybersecurity model works best with a multidisciplinary cybersecurity team that contains not only IT experts but also other specialized analysts who can mimic a likely adversary and use their methods to test an entity’s system, said Beau Houser, CISO at the Small Business Administration.
“At the SBA, we have a program that centers around 24/7 security operations, a small cyberthreat intel team made up of intel analysts. Not IT people or forensics people, intel people,” Houser said on a panel on using threat intel to improve cyber risk management. “I have a small team of penetration testers, a small team of cyberthreat hunters and forensics. So now I am able to say, ‘Pen testers, imitate cybercriminal X against that high-value system.’ That not only proves the resilience of that specific system, it also — working with the 24/7 monitoring — can show you if the [Security Operations Center] has the right visibility and the right triggers in place.”
There has been no shortage of proposals on how the federal government can plug significant gaps in its cyber and IT workforces, ranging from reskilling current federal workers to deploying private-sector tech talent to the federal government on a limited, but rolling, basis.
But given that the talent in the market is in such demand, Driggers said collaboration between the public and private sector could best serve the country.
“You guys are facing the same challenges that we are,” he said. “It’s obvious that you guys have some different incentives that you can put on the table that the federal government can’t, but at the end of the day, from a nation perspective, how do we build out a cybersecurity pipeline so that we can have this type of skill and talent at the ready to help us with this particular mission?”