Since the inauguration, public and private sector cybersecurity experts have been waiting for the White House to issue a much-anticipated executive order on cybersecurity. That wait came to an end this week, with President Trump issuing the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Read the full order here.
The executive order (EO) is primarily a call for targeted reports on different aspects of our nation’s cybersecurity defenses, most of which are due back on the President’s desk three months from now. Those reports will surely be of interest to those following the cybersecurity industry, but in the meantime, there’s quite a bit to unpack from the EO itself, as it does give strong indications of what the Trump administration intends to prioritize.
Among those priorities is a sweeping analysis of our nation’s cyber workforce capabilities and workforce development programs – both at the federal level and at private-sector organizations.
According to the order, the nation’s cybersecurity policy should seek to “support the growth and sustainment of a workforce that is skilled in cybersecurity and related fields as the foundation for achieving our objectives in cyberspace.”
The cyber workforce shortage is massive (at least 1 million unfilled jobs currently) and shows no signs of slowing.
But perhaps more importantly, the EO presses the Secretaries of Commerce and Homeland Security to pursue a strategy of workforce development that instills a long-term cybersecurity advantage for the United States. The Secretaries have been ordered to thoroughly review “cybersecurity-related education curricula, training, and apprenticeship programs, from primary through higher education” to ensure that our nation’s approach to workforce development addresses the cyber challenges of tomorrow.
To help build this strategy, the President is requesting a review of workforce development efforts in foreign countries, as well as a review specifically addressing our national-security-related cyber capabilities.
So what does all of this mean?
Well, to an extent, we’ll need to wait for these reports to truly understand how the federal government views our top cyber priorities. But based on industry knowledge, we can make some informed predictions about the direction the nation’s cyber workforce development is headed.
First, expect a fairly dire report on workforce shortages. Many experts are predicting a cybersecurity workforce shortage of close to 1.5 million in 2019, and some forecasts have that number climbing even higher (up to 1.8 million) by 2022.
With a 0% unemployment rate for cybersecurity jobs in the U.S. and hundreds of thousands of jobs going unfilled, we fully expect the upcoming federal reports to call for a massive surge in workforce development, cross-training programs, and investments in cyber education.
Second, the EO calls for the adoption of the NIST Framework for Improving Critical Infrastructure Cybersecurity at every government agency. The adoption of NIST as the standard of choice for the federal government will likely extend into the realm of workforce development as well. The National Initiative for Cybersecurity Education (NICE), a public-private partnership led by NIST and supported by Focal Point, published an update to its NICE Cybersecurity Workforce Framework (NCWF) in 2016, which provides a common set of language and categories for cybersecurity work, and maps a specific set of skills, requirements, and abilities to cybersecurity work roles. With the federal government putting NIST in the spotlight, expect extra attention to be paid to the NCWF, as the industry seeks a true standard for workforce development.
Third, the industry is ready for a much-needed push toward true workforce development – that is, strategic talent initiatives designed to elevate skills – as opposed to the certification-driven environment that currently dominates the industry. In an industry as short-staffed as cybersecurity, there’s a temptation to place too heavy a reliance on certifications as a marker of ability. Certifications have a role to play, certainly, but they are not the same as skills. Focal Point has been a champion of skills-based workforce development for years – one that takes a strategic approach to maturing an organization’s security operations center by improving the skills of the individuals that run it, and we expect this EO to signal a move toward that philosophy. An approach that relies first-and-foremost on skills development, as opposed to hiring from a depleted labor pool, is likely the quickest and most effective way to alleviate our nation’s critical shortfall of cyber resources.
Ultimately, the reports triggered by this executive order should yield few surprises. The lasting effect of the order, however, may be a wake-up call for both the public and private sectors that a new approach to cybersecurity workforce development is needed.