The Cybersecurity and Infrastructure Security Agency (CISA) held its inaugural Cybersecurity Advisory Committee meeting Dec. 10, focusing heavily on how CISA and the committee can increase the Federal and national cybersecurity workforce.
Committee members were led through the conversation by CISA Director Jen Easterly, with the focus on a variety of proposals about how CISA can better recruit cyber talent to the Federal workforce, as well as ways to boost the national cyber workforce at large.
“One of the things that I started when I took over was doing something I did in the Army, which was we call them ‘sensing sessions,’ so, essentially just gathering together groups from the workforce [and asking] ‘What’s on your mind? What do you think?’” Easterly said. “In many of those sensing sessions, we’ve heard there’s not enough training opportunities.”
According to the National Institute of Standards and Technology’s (NIST) National Institute for Cybersecurity Education (NICE), currently there is a more than 2.72-million-person global shortage of cybersecurity professionals. Nationally, there is just a single qualified cybersecurity professional for every eight cyber job postings, according to a study by CyberSeek.
CISA and its parent agency the Department of Homeland Security (DHS) have already undertaken a variety of initiatives to try to help increase the number of qualified individuals both in the Federal workforce and talent pipeline, including partnering with Girls Who Code and launching the Cyber Talent Management System (CTMS). However, members of the advisory committee said that increasing the workforce has to be an effort that starts with kids as young as elementary school, along with significant efforts to hire and train from a diverse talent pool.
“I think [Easterly’s] done an incredible job of not making CISA seem like a government agency because it is a lot of effort to even try to apply for a government job; the CTMS is going help you advance that,” said Ronald Green, vice chair of the advisory committee and chief security officer at Mastercard.
“The cyber talent problem is not unique to CISA, I actually think there’s an opportunity to leverage that [system] for like the whole career of an employee, even before and then during,” Green said. “I think we can work together with the private sector to leverage that system.”
Other members floated various proposals like having student loan forgiveness as a potential reward for multiple years of cyber service, starting cybersecurity education and training early, and recruiting interns as early as their junior year of college in order to compete with the private sector.
Looking at recruitment from a diversity and equity standpoint, Niloofar Rowe, a board member at Tenable, also noted that it would be helpful to not focus on degree requirements.
“[Easterly’s] raised equity and diversity as one of the goals here,” Rowe said. “Less than half the population has college degrees, and those numbers drop dramatically as you go into minority populations. And so, if we’re basing our talent pool on the need to have a college degree, we’re missing out on a tremendous opportunity.”
“There are companies … that have trained millions of Americans into the IT workforce by offering a different form of training and a different form of education on a very short timeline,” Rowe continued. “And I’ll tell you personally, some of the best entrepreneurs and CEOs and researchers I’ve worked with have not had college degrees in the cybersecurity industry. So, I think it’s really important not to leave that group out and make sure that we’re skilling people in who may look different, and have a pipeline, and work with companies that already have these kind of training programs in place to get them in.”
Easterly said she plans on tasking one of the vice chairs of the committee to pull together a subcommittee soon to continue working on the issue of how to broadly build the national cyber workforce.
The committee, whose members were announced at the beginning of the month, has also tasked members with figuring out how to create an effective national cyber hygiene campaign, build trust among the hacker and researcher community, and tackle dis- and misinformation. Each of the four major issue areas will be handled by a different subcommittee on the advisory committee.