The National Academy of Public Administration (NAPA) appointed a panel of five experts to examine government-wide cybersecurity workforce development strategies, as well as the strategies and partnership models used by the Cybersecurity and Infrastructure Security Agency (CISA).
While CISA and other federal agencies have improved cybersecurity workforce development programs, NAPA found that the lack of a government-wide cybersecurity workforce development strategy and clarity about federal agency roles and responsibilities has stunted the U.S. government’s ability to tap into the capabilities and resources of the private sector, academia and other levels of government.
In the congressionally funded report, the panel provides additional findings and recommendations to better foster the growth of a strong national cybersecurity workforce. With the global cybersecurity workforce gap estimated to be over 2.7 million positions and a national gap of around 500,000, security leaders can use the recommendations provided in the NAPA report to determine how best to close the gap and recruit new cybersecurity talent.
One of the first solutions to the cybersecurity workforce gap suggested by the report is the creation and implementation of a comprehensive, uniform strategy for cyber workforce development. According to the report, this strategy should be developed by the National Cyber Director in coordination with CISA and should include:
Cybersecurity leaders can learn from these federal government-level solutions when growing or maintaining their own programs. By looking in previously untapped areas for new cyber talent and providing educational materials to employees, enterprises can develop cybersecurity professionals uniquely qualified to secure their organizations.
The NAPA report outlines a governance framework for the federal government to extend its cybersecurity workforce development efforts. One aspect of this framework involves data collection. According to the report, those looking to further develop the industry should “ensure data relevant to cyber workforce challenges and needs are collected and available for use in developing strategy, creating educational programs, and assessing the impact and effectiveness of workforce development initiatives.”
As security leaders seek to improve enterprise cybersecurity, they can apply this framework to their own organizations while reviewing talent recruiting and retention strategies. For example, identifying industry challenges in cybersecurity workforce development can give hiring personnel a view of the state of cybersecurity and provide insight into how individual organizations can best mitigate the effects of the cyber workforce gap.
According to the report, most workforce development programs led by CISA adhere to congressionally identified standards of diversity, excellence and scalability. Enterprise security leaders can strive to meet these standards in their own organizations to drive long-term change in cybersecurity workforce development.
The report suggests continued focus on diversity, excellence and scalability in cybersecurity through educational program development. By engaging interested students at K-12 and higher education institutions with training programs in cybersecurity career skills, security leaders can create opportunities for entry-level security talent.
As cybersecurity professionals explore zero trust, a data management strategy that grants and revokes access privileges based on constant verification, it becomes paramount to develop long-term adoption strategies in order to best secure an organization, according to the Trusting Zero Trust report from Forrester, commissioned by Illumio.
Although zero trust has been a long-discussed concept in cybersecurity, active business implementations of the framework remain in the minority. According to the report, only 36% of surveyed large enterprise organizations are in the implementation phase of zero trust, with 63% of respondents indicating that their business was in the pre-zero trust phase, which includes conducting an assessment, developing a zero trust business strategy or cybersecurity architecture, and running a pilot program.
According to Andrew Rubin, CEO and Co-Founder of Illumio, the “buzzy” status of zero trust is both a benefit and detriment to the framework. While the popularity of zero trust has elevated the cybersecurity strategy to boardroom discussions across the globe, the buzzword status of zero trust is detrimental because “nobody asks that follow-up question, which is ‘What do I do about this tomorrow to actually change how I secure my organization?’” says Rubin.
Pamela Fusco, Chief Information Security Officer (CISO) at Splunk, believes that the stalled adoption rates of zero trust may be related to the timing of the concept’s popularity. “I think the issue here is that zero trust is not a new concept, but the onset of current events and the situation that we’re all in has really brought this to the forefront much quicker than maybe it would have in the past,” she says. The COVID-19 pandemic, which served as a major catalyst to remote work environments, may have expedited the need for zero trust, according to Fusco.
The need for strong cybersecurity measures intensified over the past two years, and 63% of survey respondents said that their organization was unprepared for the uptick in cloud migration. As they consider adopting zero trust, cybersecurity leaders can keep three concepts in mind to ensure a smooth implementation.
To begin zero trust implementation, security professionals need to identify all identities that will be managed in the new system. By assessing all parties with past or current access to the organization, cybersecurity professionals can begin to ascertain who needs access to what company data and network segments.
While adopting zero trust principles, cybersecurity leaders need to balance the security of their organization with operability and efficiency. “It’s not just about governance — it’s also about access, it’s also about the downstream system and the impact there,” says Bhagwat Swaroop, President and General Manager at One Identity.
“Have a basic set of controls in play, whether that is multi-factor authentication or having a risk score view of the organization,” advises Swaroop.
In addition to managing the privileged access of human identities involved in an enterprise, cybersecurity professionals must also consider the access that applications, bots and automated devices are granted within an organization. Neglecting to manage the access of these potential attack vectors could mean the difference between a mitigated threat and a cyberattack.