Industry Reactions to Cybersecurity Workforce Executive Order

By Aby David Weinberg
May 06, 2019

U.S. President Donald Trump last week signed an executive order on growing and strengthening the federal cybersecurity workforce.

The White House says there are over 300,000 cybersecurity job vacancies in the United States and believes it’s crucial for the country’s economy and security that these jobs are filled.

The executive order outlines the development of a rotational program that enables government employees to temporarily be assigned to other agencies. It also encourages adoption of the cybersecurity workforce framework from the National Initiative for Cybersecurity Education (NICE), which should help in recruiting, improving and retaining talent.

The Trump administration also hopes to boost the cybersecurity workforce through awards and competitions.

Commenting on the new executive order, some cybersecurity industry professionals say it’s a step in the right direction, while others have pointed out that it will likely not help too much or that more needs to be done.

And the feedback begins…

Kelly Shortridge, VP, Product Strategy, Capsule8:

“Given there are already certifications and online courses available to demonstrate aptitude and eagerness in cybersecurity, I’m not sure how a new standard will assist reducing the skills gap. Too many jobs require years of work experience, making it less a question of knowledge gaps and more how to help commercial organizations have a strong security program without solely hiring senior talent.


Additionally, there are a lot of people from underrepresented and underprivileged backgrounds who go the certification / training route and still don’t get jobs.


As far as the Federal part, given the very high wages in the private sector for cybersecurity talent, federal roles primarily remain unfilled due to lack of competitive compensation. Rotational programs and CTFs may encourage federal workers to move into cyber security roles but it is unlikely to meaningfully move the needle in attracting talent that currently opts for the private sector instead.”

Mike Polatsek, Co-founder, Chief Strategy Officer, CybeReady:

“It’s encouraging to hear that the executive order will inspire widespread adoption of the cybersecurity workforce framework from the National Initiative for Cybersecurity Education (NICE). I expect that this initiative will help organizations in recruiting and retaining talent, something that is critical these days, especially for government agencies that compete on talent with private sectors. It is important to note that the main challenge in security education is to shorten the process from ‘novice’ to expert; the cyber space is experiencing unprecedented growth and cybersecurity has become a complex undertaking. It will require the utilization of agile tools, scientific methodology, real-life attack simulations and continuous drills to build a highly-skilled cybersecurity workforce that is capable of mitigating today’s cyber-attacks and keeping up with their fast evolution.”

Andrew van der Stock, Senior Principal Consultant, Synopsys:

“The message presented within the Executive Order on America’s Cybersecurity Workforce is a good one as it implements a pipeline to create more information security talent—something that the US desperately needs. There is very actionable potential by asking federal agencies to implement the NIST National Initiative for Cybersecurity Education (NICE) learning framework, by asking the military to establish awards and merit badges, and by asking the public to establish awards and competitions—extending into the public education system—which will all play into the larger plan to address the skills shortage.


One concern that I do have with the NICE framework is that it ignores America’s leading role in building insecure software, as it concentrates on secure operations through forensic investigations. While NICE hasn’t been perfected, there will always be room for improvement as the cyber threat landscape evolves. The key takeaway is that this Executive Order isn’t about NICE itself, it’s about implementing NICE and this is a strong first step.”

Mark Whitehead, Director, Trustwave SpiderLabs:

“Executive orders are a crucial tool used by administrations to quickly enact important initiatives vital to our nation. It is good to see focus on increasing the commitment to combating cyberattacks which have become more complex and brazen. It is also encouraging to see more cross department cooperation which should save individual agencies time, money, and resources. It appears this executive order was thoroughly thought out having a framework, accountability, incentives, as well as milestones and timelines.


Training initiatives and events that are included should create great opportunities for the federal workforce, one that struggles with shortages of available cyber security professionals, much like the private sector.


The order should also help improve knowledge sharing between federal and commercial entities. Shared cyber intelligence is vital for governments to understand the latest threats and techniques nation states are attempting. Lastly, showing continued commitment for accountability at the highest level at departments should help better prevent incidences that place our federal and contract workforce at risk both physically and remotely from cybercriminals and nation sponsored groups.”

Dan Lohrmann, Chief Security Officer, Security Mentor:

“The number one challenge that I keep hearing from public and private sector organizations around the globe is the ability to find and retain technology talent to innovate. Within tech, filling cybersecurity jobs is the most difficult, with projections of millions of vacancies for cyber jobs in the 2020s.


This Executive order is spot-on and focuses attention on our top cyber challenge currently – our cybersecurity workforce. These steps are important to help the federal government compete, as well as provide a pipeline of cybersecurity talent to fill high-paying and cutting-edge roles that will defend our U.S. Governments and businesses from cyberattacks. This is just the beginning, and more needs to be done. Nevertheless, the competitions work at all levels – from K-12 schools with programs like Cyber Patriot, through to National Cyber Defense competitions with colleges and universities, to federal government agency competitions. Using NICE as the framework is also a good move.


Bottom line, excellent move by the President – and more needs to be done by government and the private sector to help.”

Phil Quade, CISO, Fortinet:

“The US Government issued an Executive Order designed to smooth-out the lumpiness of cybersecurity skills across government Departments and Agencies. Titled ‘America’s Cybersecurity Workforce’, the EO establishes a within-government policy designed to encourage cross-pollenization of cybersecurity workforces. It deserves a richer analysis, since its action acknowledges that any organization, large or small, must be objective in understanding its shortfalls and strengths.


More generally, cybersecurity needs to be treated more like a science, not an art. Good things won’t happen without using more rigor in planning and executing cybersecurity strategy, and understanding the fundamental elements that are necessary to optimize around. With full respect to government professionals whose mission it is to protect the bison and the forests, it’s wrong to think that, on the side, they’ll also take on our nation-state adversaries’ attempts to penetrate government systems or otherwise, alone, detect and respond to sophisticated cyber attacks.


To close the cyberskills gap, everyone – public and private – must employ a comprehensive workforce initiative around cybersecurity to create a talent pool that can serve many. We need to create a workforce, with a variety of skill levels, with low barrier to entry, and progressions through it, to take on the converging security challenges of today. It should include apprentices, and journeymen, novices to experts, all armed with high-end cybersecurity skills and experiences.”

Kevin Bocek, VP, Security Strategy and Threat Intelligence, Venafi:

“Overall, the White House is taking a positive step by focusing attention on the risks cybersecurity presents to our national infrastructure. This is a critical issue for our country, 87% of cyber security professionals believe we are already fighting a cyberwar.


However, for this directive to succeed, government officials must do more than acknowledge the difficulty and urgency of addressing cybersecurity threats.


It’s especially noteworthy that this new directive concentrates on addressing the US federal government’s lack of competitiveness when attracting and retaining talent. If the government wants to recruit the greatest minds in cybersecurity, it must make sure our tools and technology are the best in the world and demonstrate their commitment to success by partnering with industry on key policy questions.


For example, if this administration really wanted to go beyond policy declarations, they could take the advice of scores of industry experts and decide that we will not introduce encryption backdoors into consumer technology that will only weaken our defenses and aid our adversaries.”

Dave Weinstein, VP, Threat Research, Claroty:

“I commend the White House for taking a forward-thinking approach to one of our Nation’s most critical workforce issues. Cybersecurity is as much a human problem as it is a technical one and let’s face it, the incentives — financial and otherwise — to work for the federal government in this capacity pale in comparison to industry. At the same time there is one aspect of the federal workforce that the private sector can’t compete with: mission. This Order paves the way for giving mission-oriented cybersecurity professionals a legitimate alternative to industry, even if it means taking a pay cut. When it comes to cybersecurity, there should be a revolving door between industry and government. Rotational programs are the best way of ensuring that our cybersecurity talent contributes to both economic growth and national security. Implementation will be key, but this Order constitutes real progress that is overdue.”

Laurie Mercer, Security Engineer, HackerOne:

“Any company that has tried to hire cybersecurity talent in the past 12 months will know that there is an acute shortage of security skills. It’s good news for those with the skills that the US government is willing to go above and beyond in terms of offering competitive compensation for those with the skills.


However, it’s this supply and demand issue that’s the reason why many forward-thinking organisations are turning to the hacking community to help boost their security defences. These organisations have come to realise that to help discover flaws in online systems they need as many eyes looking as possible. Rather than having one or two people looking for vulnerabilities once or twice a year, these security teams are able to leverage tens to thousands of people with diverse skill sets to continuously perform security assessments throughout the year.


Many federal departments are actually already doing this effectively with Bug Bounty programmes and competitions to incentivise intelligent and passionate hackers to help them find any holes in their systems. Supporting this burgeoning community by offering them the chance to hone their security skills in this competitive manner also supports the growing pipeline of talent for the future as the young hackers of today become the CISOs of tomorrow.”

Pravin Kothari, Founder, CEO, CipherCloud:

“This has been long overdue. The level of hacking against the US has created an extraordinary threat to the national security targeting our businesses, infrastructure, stealing trade secrets, and meddling in our election, challenging our democracy and freedom. This is a defensive step in protecting America by addressing a key aspect of cybersecurity – workforce – with education and preparedness.


It’s a step in the right direction, but more needs to be done, and will require major funding and continuous investment for 5 to 10 years that may span over multiple administrations before we can see results. While this Executive Order is a step in the right direction and further affirms the reality of cybersecurity as a widespread issue that touches every person and every industry, this just represents a down payment in the protection of our nation’s cyber infrastructure.”