The State of the Cybersecurity Workforce


Cybersecurity affects every agency, program and employee, and has become an even greater challenge to manage as global networks become more susceptible to risk. Learn how agency CIOs can develop cyber strategies and support the desired goals to recruit, retain, and develop the cyber workforce amidst the growing talent gap. General Harry Raduege, Chairman, The Deloitte Center for Cyber Innovation, Deloitte Services LP and Michael Gelles, Director, Deloitte Consulting LLP weigh in on this timely discussion for cybersecurity month.

Show highlights:

  • The changing cyber threat landscape
  • Top cybersecurity personnel priorities for Federal agencies
  • How and where agencies should invest in the cybersecurity workforce
  • Narrowing the cybersecurity workforce gap—the growing need for cyber professionals
  • Future challenges and opportunities in cybersecurity

Transcript:

The following is a full transcript of FedCentral’s interview with General Harry Raduege Jr. USAF (Ret), Chairman, The Deloitte Center for Cyber Innovation, Deloitte Services LP and Michael Gelles, Director, Deloitte Consulting LLP and former Chief Psychologist, Naval Criminal Investigative Service conducted by Jane Norris on October 4, 2012.

Jane Norris
Welcome to Fed Central, brought to you by Deloitte, a program where executives and federal government leaders talk about the issues and initiatives that are making a real impact on the business of government today, to help government help America.

Today, we're going to talk about the state of Federal cyber security and the state of the cyber security workforce. And we have two honored guests joining us on the show today. General Harry Raduege, the former Director of the Defense Information Systems Agency and four time federal agency CIO. He's now chairman of the Deloitte Center for Cyber Innovation and the Director with Deloitte Services.

And Michael Gelles is a former Chief Psychologist for the Naval Criminal Investigative Service, or better known as NCIS, as you've seen on TV. Currently a Director with Deloitte Consulting's Federal Practice in Washington, D.C. He specializes in the area of Human Capital Management, with an emphasis in cyber security workforce issues. Gentlemen, a pleasure to have you both on the show.

General Raduege
Thank you, it's great to be here.

Michael Gelles
Thanks, Jane. Great to be here.

Jane Norris
It's an honor. All right, so let's talk about the increasing number of high profile cyber security attacks and breaches over the last year. Give us a sense of how the cyber threat landscape is changing and what issues government agencies are facing today. General Raduege, let me start with you.

General Raduege
Sure, Jane. Well those are two really big areas. And I would just say that the cyber threat landscape is changing dramatically today. Today, there's more and more victims that I'm seeing across the whole landscape of government and industry users of cyberspace. And this has become a very, very serious, as far as the number of incidents that are happening. In other words, the bad news is that these incidents are increasing in frequency and scale and impact. And let me just say what that includes. It includes everything from [hacktivists] that we experience every day, the easily conducted but very serious identity theft that's going on, the fraud. Embedded malicious software that's unknown, actually, to business owners, but that's extracting critical information from their networks on a routine basis. Espionage and the growing globally syndicated criminal activity.

As a matter of fact, I'm reminded of our Commander of the U.S. Cyber Command, who talked about these incidences and he said that they are producing the greatest transfer of wealth in our history. And so, generally, you name any cyber related threat, like the ones I talk about and it's growing significantly.

Now, the second point, Jane, you asked me to comment on is government agency issues. And I think they really fall into four fundamental categories. And I know Michael Gelles will want to comment on these today. I would say people, process, technology – and I would add funding, also there. First off in the people area, we need a properly educated and trained workforce with an increasing number of people needed to meet the growing demand of the areas that I talk about. In the process area, there are three areas that I want to mention. First off, having better internal cyber operating procedures. Folks that are in business today are dealing with the social media. They're talking about moving to Cloud computing. There's a lot of uncertainty there. You've got to trust others with your organization's crown jewels of data. And there's also a movement that everybody's facing toward a more mobile workforce—and bring your own device to work.

The second process area that I'm seeing hit the minds of people in business and government is for better information sharing so that the cyber workforce that we're talking about today can really stay updated and constantly updated with the growing threats.

And then the last – technology having the benefit of having appropriate hardware and software, having the funding levels you need. So those are the four big areas. And these areas really have got everyone hopping because of all the attacks that are coming from all angles and directions today.

Jane Norris
That brings us to all the threats that the General has laid out. So, Michael, you have to have a cyber workforce in place that tries to defend or does defend against those threats that are incoming. So how are agencies doing? Do they have the funding in place to actually mitigate some of that?

Michael Gelles
Well – do they have the funding in place? I think it's clear to everyone right now that the government is under a pretty restricted funding budget crisis. And that's where I think it becomes important to think about – and maybe we'll get more to this – but the idea of how they begin to develop a work sourcing strategy. So how do they begin to think about – well beyond just the technology. And clearly, the General's articulated a landscape that, as you listen today, is quite frightening. In fact, it gets more and more frightening every year. But I would emphasize the fact that the important tool is going to be the workforce and the competencies of the workforce that are going to implement that technology. Specifically, the knowledge and the awareness of the workforce and how do we begin to develop – just not a workforce in a workforce planning strategy, where people have the specific competencies around computer forensics, around technology. But specifically around understanding and being aware, so that they don't begin to put organizations in a vulnerable position.

Jane Norris
So how do agencies invest for the future? General Raduege, as you point out, there's a threat matrix that is becoming more complex, global in nature, wide ranging. So where do they go? How do they invest to get the most bang for their buck?

General Raduege
Sure. Well I think there are a number of areas that they can get the most out of what they're working with today. First off, in the areas of policy and systems and controls. Everyone is struggling today with setting up governments, through instructions, policies and procedures. This takes a trained workforce. Folks have really got to know what they're doing there and also, I think, that agencies are really investing a lot in total enterprise management, including better network tools for better insight, data center consolidation, big data, provisioning in technologies, Cloud computing. All these type of things. And Michael, I would just say that it really takes a great trained workforce – a smart workforce. And one that doesn’t become stagnated, that always keeps current. So how do you deal with that?

Michael Gelles
I think you're absolutely right. And I think one of the questions is from a maturity standpoint – where are organizations, in terms of their workforce planning around cyber secure workforces? Have they begun to really begun from the right sources – where if you look back from 2011, which a recent GAO report, back to 2002, with the FISMA Act – all the way back to the Clinger-Cohen Act, in 1996 – CIOs and CISOs are really responsible for developing this workforce. And I think the concern is, have we begun to really develop the appropriate strategies to, if you will, develop a workforce that links to the necessary people, to implement that technology. Are we clearly defining the roles and responsibilities? Are we identifying the right competencies? And I want to keep those two separate, because the competencies to execute what you're describing also are not individual or separate from the roles and responsibilities that people have to assume to be able to implement a security in a secure workforce.

Jane Norris
How do we get there? I mean, obviously, you have young people going into cyber degree programs, like the University of Maryland program, General Raduege, that I know that you work with. How do agencies inculcate the kind of workforce and grow the kind of workforce that's needed when we see young people not necessarily investing in math careers or physic careers or other kinds of careers that would lend themselves to this kind of discipline.

General Raduege
Well Jane, there's a full spectrum of skills that are needed today in the government and the industry workforce. You mentioned University of Maryland University College. I've had the privilege of working with them now to define some degree programs. And frankly, they've been very, very successful. A Bachelor's Degree in Cyber Security, a couple Master's Degrees in technical and policy. And now, UMUC has actually added a brand new Forensics in Criminal Investigation degree program. Just think of that now – the full spectrum of where we're looking for cyber security trained individuals. Originally, we thought about it more from the STEM area of the science, technology, engineering, mathematics. But think about the cyber law perspectives. Not only of protecting and getting good advice – trusted advice to your clients, but also the fact that there's going to be litigation, growing litigation in the future, where lawsuits are established. So there is a full spectrum of opportunities in what I would call the blue collar, the white collar and the platinum collar jobs, from the back room to the board room. And growing beyond that today.

Michael Gelles
As I listen to you, General, I mean, I think what it defines for me is a context that's very complex. And when one begins to think about – well, how do you begin to develop a workforce that can begin to address those. How do you to begin to identify the skills and capabilities that, beyond just the competencies of electronics and forensics and specifically, the technology tools. But how do you develop a group of folks that also are going to have certain levels of integrity that are going to be able to be attentive to detail? That are going to be able to communicate, collaborate and really be able to manage all that they need to be aware of in keeping a cyber secure workforce?

Jane Norris
Well these are questions that we're going to have to answer in the next segment because we'll take a quick break and we'll come right back. You're listening to Fed Central on Federal News Radio 1500 am. Our guests today, General Harry Raduege, the Chairman for the Deloitte Center for Cyber Innovation and Michael Gelles, a Director with Deloitte Consulting in the Federal Human Capital Practice in Washington, D.C., who specializes in cyber security workforce issues. And we'll come back with more after this.

Welcome back to Fed Central, brought to you by Deloitte. We're talking today about the state of the cyber security workforce with General Harry Raduege. General Raduege is the Chairman for the Deloitte Center for Cyber Innovation and a Director with Deloitte Services. And also, Michael Gelles. He's the former chief psychologist for the Naval Criminal Investigative Service, or NCIS and is a Director with Deloitte Consulting, who works in the human capital management area.

All right, gentlemen, so my question, from the last segment that we just finalized, about the capabilities of the workforce, so what are the capabilities that agencies need in their cyber workforce areas and how do they get these trained personnel? General Raduege?

General Raduege
Sure, Jane. Well, Michael, as we were talking just a little bit earlier, the folks that are working in cyber security related areas now, we're finding that it's so complex, it's so broad, that we're now going into specialist areas. Not only from the policy perspective, but also from the technology and the legal perspectives. Now, all of this is starting to fall out into blue, white, and platinum collar type jobs, as I would refer. I'm reminded of the medical doctor fields of the specialists that are required – there's general practitioners, but then there's also the specialists. And Dr. Gelles, I might mention, that you are a Doctor of Philosophy and you specialize in human capital. And so those specialty areas have come out, even with your PhD. I don't know – do you see this happening in the cyber security related area today?

Michael Gelles
Well I think it's a very good metaphor. If one begins to think about how, within the cyber workforce, one is going to specialize, it's going to have a tremendous impact of the overall workforce planning and the workforce strategies— specifically, as that strategy links to the overall strategic objectives of the organization in cyber, which is evolving all the time. I think what's important, when we begin to think about it from a specialty area, is really getting beyond what traditionally has been positions and classifications and more into position profiles. The position profile enables us to look at the very unique and specialized skills that would be required for a given position – the defined roles and responsibilities and then the determined access for that individual, as it relates to being able to accomplish the mission. Because I think what we're also talking about, when we talk about a workforce strategy – much like you're describing, in terms of having a specialty area across a very complex landscape; how do we manage the roles and responsibilities in the access that people have from the standpoint of keeping information secure and a system from becoming vulnerable by having full access to everything.

General Raduege
You've got to have the right people. I think about how agencies are building their cyber security teams. It really is a daunting job. You've got to recruit and look for the best talent. You've got to then fund for the education and training of these top prospects – both internally and through external sources. A lot of times, you can't buy all the talent you need, so you've got to try and contract for that talent.

Also, trying to identify and place the most exceptional talent in your organization into the top leadership positions, there's nothing worse than having someone who isn't providing their full potential to the organization in the areas, Michael, that you've talked about. And I think one of the growing concerns today of any one that's running agencies or activities, is the need to try and retain this top talent.

Michael Gelles
So I think you're hitting on two very key issues around talent management—obviously, the recruitment and hiring of those folks who possess the right competencies. I think what we're saying is while OPM has offered a very exhaustive 34 competency list, which is very helpful as a guideline, what we're suggesting is if we move to a more specialized area, there are going to be very specific competencies that speak to those position profiles.

But the other thing that you're mentioning, General, that I think is important to at least spend a moment on, is retention. How do we begin to think about retaining a workforce? And I might say a workforce that is also a new demographic. One that is much more tech savvy, as we begin to look at the Gen Y coming into the workforce in larger numbers. That being said, how do we develop retention plans? How do we develop training? You were saying yourself, how things evolve so exponentially. How do we get beyond just training and awareness? How do we define and begin to differentiate training to those specific skills and those specific areas of specialty and to be able to sustain that. Just as the bad guys get smarter, how do we be sure that those folks securing our systems in the United States keep getting smarter also?

General Raduege
Sure. Michael, as I think about folks who are leaving our agencies today, they've really got a huge task in front of them. And I think the fact that you have to recognize that there are four different levels of individuals who are working in most of our organizations today and the characteristics of those age groups – the Boomer Generation, the Generation X, the Generation Y and the Millennials. Each one of those four brings great characteristics to the workforce and they each have good things and they all have things that they can learn from one of the other generations. And I think that's one of the other tasks for any leader within an organization, is to try and bring out the best of all of those four different generations that are now coming into workforces. And also, planning for the future, when the boomers will be gone and we'll have a younger workforce that we're going to be dealing with and all that they bring to that organization, as far as their need for bringing their own devices to work now, which a lot of security folks in the Boomer Generation are having concerns about, but they need to learn how to become more mobile, as our work force goes there today.

Jane Norris
I think as CIOs look at that workforce that you're talking about – the multi-generational workforce – they see the need to share information. It's become ubiquitous. It isn't just on your personal device anymore. It's your business devices. And sometimes, those are one and the same, as you point out, General Raduege. So what can be done, in terms of the cyber workforce to enable information sharing and yet keep the information that needs to be safe, safe? What's the best methodology that agencies should be thinking about?

Michael Gelles
Well I think, in the agencies I've worked with, Jane, the information sharing is not only within your organization. Developing the procedures and the processes within, but also looking to the activities that you're going to be working with – other federal government activities, if you're in the federal government. Also, what you're going to be gaining from working with trusted industry partners and what you can pick up, as far as information sharing and gaining access to all source information, that there is, frankly, a lot of it out there on the internet today. And it's being able to try and mine that information so that you can improve the organization and the products and the business operations that you're responsible for.

General Raduege
I think you're right. And I think it's going to come down to really developing some very fundamental strategies. Those strategies that link back to the mission that support the workforce that executes the mission, and how those policies, the position profiles I've mentioned and other things that define roles and responsibilities, enablement through technology and tools, really help execute the mission. But it has to be the alignment, in terms of what are the mission objectives, as it relates to cyber security and how do we execute that with a workforce strategy?

Jane Norris
Well when you have any workforce, you have elements that are very positive and looking to improve the mission of the agency, and then there are always people – and we've experienced this very recently, with some release of information, release of documents, from the Pentagon that really nobody wanted out there, but yet, they were out there and there have been prosecutions in place. So your role as a former NCIS psychologist – how do you differentiate between someone in such a sensitive position in the cyber workforce, between someone who is working positively for the agency and maybe is an insider threat?

Michael Gelles
So the insider threat, of course, exists across all organizations. And with the fact that everything being done today via technology and virtually increases the risk for a variety of different reasons. That notwithstanding, what do organizations need to do to be proactive, to be able to manage your workforce in a secure way? I think that's where being able to look at how you determine who has access and access to what, so that generic access to systems is not something, I think, that should be routinely done. And I think we're really thinking hard about that. That's why I had mentioned the position profiles.

The other thing is, how do we continue to keep the workforce educated? How do we keep and develop awareness? More than just the one time, security awareness training? But how do we make it part of the fabric, so that we fight against probably one of the greater risks that we need to address and that's complacency. And how is it that, really, complacency can be something that an insider unwittingly facilitates and being able the systems secure and a workforce secure, is going to require an ongoing sense of awareness but that something that becomes part of the fabric and not just something that one does annually on the computer?

General Raduege
Well Michael, you're absolutely right. The insider threat is becoming a very serious concern with all of the organizations that I'm working with, be they government or C-Suite activities in industry. And in fact, a lot of organizations are developing internal controls for the insider threat, not only against the naïveté of an insider threat, of where people don't have the awareness or the education to know that you don't double click on an attachment that's then going to allow all this malicious software to enter in through your very protected network. Because you opened the back door and allowed the individual in. So there's the naïveté.

But there's also this growing concern that government and industry has now of the individual inside who wants to have a better lifestyle and somebody out there is willing to make it better by providing them with resources to pay for access. And so this is becoming a growing concern in our nation and the nations of the world have also had this kind of insider type threat, where someone will sell their organization and sell their soul to make their life a little happier.

Michael Gelles
So it's important to recognize that it goes well beyond just the technology – it really does have a lot to do with people. And to some extent, you're talking about folks who become disgruntled – those who feel devalued. I think it goes back to a workforce environment where there's respect and regard for each other, where there's collaboration and where we become sensitized to issues that might be arising in the workplace, specifically with people who have access to very sensitive systems and can cause tremendous risk, based on just complacency.

Jane Norris
So what role do managers play in that, in that oversight and just to ensure that they have people in place that are acting appropriately?

General Raduege
Obviously, managers have a tremendous role in this. The leadership – it has to start right at the top, in making the proper investments in all this. Today leaders and managers are betting their business on protecting their data and their intellectual property. And many now are realizing, in both government and industry, that human capital is the top priority. It takes priority, even over hardware and software, frankly. Because you can’t defeat hardware and software without the properly educated, trained, and aware individuals. Underinvestment by an organization can leave you really hanging out there, with the higher risk and being very vulnerable to serious and potentially devastating cyber attacks.

Michael Gelles
It's really creating that risk managed culture, where there is an attitude and an understanding about what we're trying to protect. It goes back to developing a secure workforce from who we recruit and what we recruit for, how we train and develop, and how we sustain that in a culture that is secure around cyber security.

Jane Norris
And we best do that by monitoring, right?

Michael Gelles
Well I think it's more than just monitoring. Monitoring is one piece of it. I think it's the engagement, with the workforce, from the leadership down.

Jane Norris
Well, gentlemen, it's been an honor and a pleasure to be on the air with you again today. Thank you so much for joining us and thank you for listening. General Harry Raduege is the former Director of the Defense Information Systems Agency and he's now the Chairman of the Deloitte Center for Cyber Innovation and a Director with Deloitte Services. Michael Gelles is a former Chief Psychologist for the Naval Criminal Investigative Service and currently a Director with Deloitte Consulting. Thanks very much for listening today. You've been listening to Fed Central on Federal News Radio 1500 am. I'm Jane Norris.

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
