The U.S. Government Accountability Office published a report on the Department of Homeland Security's progress regarding cybersecurity positions. They recommend DHS take actions, including ensuring its "cybersecurity workforce procedures identify position vacancies and responsibilities."
The Office of Personnel Management (OPM) put out guidance in 2013 to "codify" (i.e., assign codes to) the cybersecurity workforce. It took the Navy 3-4 years to comply, as it did with most agencies. Part of the problem with the claims of cybersecurity workforce shortages is that without knowing who is doing what, how can you really quantify where your shortages are? How can an agency be expected to fill the job openings or even create job postings when they do not a) know what they have already and b) know what skills they are short on? That was the whole reason behind this initiative. I have been with several federal agencies and now a state agency as well. They ALL have this problem. Some are more defined than others.
Part of my plan here as CISO, after I put out the fires, is to do the same cybersecurity coding of this workforce. Here I have no defined security team, just various IT workers each performing cybersecurity duties as a part of their regularly assigned IT duties. This brings up a problem with separation of duties, insider threat, etc. That will be part of my selling point. I know I will run into the budget buzzsaw of denial, so I will have to be prepared to show the return on investment.
I think this is a challenge everywhere, but one that needs to be tackled just like vulnerability scanning and asset management.
What are other people's experiences on this? I would love to see if we are all rowing in circles in the same confusing ocean or if some of you have figured out how to get the other oar in the water and to go in a straight line.
The priority given to cyber-security in an organisation will vary with its sector, location, culture & applicable regulations.
In an organisation motivated by financial gains, the provision of cyber-security would require convincing the top management to budget it --- & you may have the misfortune of having to do this.
In an organisation that must comply with government regulations, the provision of cyber-security will depend on regulations & their enforcement --- but these factors may be out of your hands.
@CISOScott, you're spot on about the inability of an organization to fill a gap that it's not even aware of. It's an essential step to perform a gap analysis to determine where an organisation falls short, and then use this to develop & enforce controls that would address shortcomings.
While the ultimate goal of Information Security is to prevent things from going wrong, its implementation often depends on things going wrong to start with...