Industry and government can both fill that crater-sized gap, but doing so will take sustained efforts on many fronts.
The National Cybersecurity Strategy has the potential to transform our ability to fight and prevent cyberattacks across the public and private sectors.
At least in the short term, however, it underscores a fundamental challenge for organizations small and large, across government and industry: the crater-sized gap between the number of cybersecurity jobs and the number of people to fill them.
Although federal systems integrators (FSIs) can hire faster and often pay more than the public sector, both government and industry struggle mightily to fill cyber jobs.
According to Cyberseek, a project supported by the National Institute of Standards and Technology, more than 755,000 cybersecurity jobs are currently open across the United States: approximately 710,000 in the private sector and 45,000 in the public sector.
Many FSIs, of course, are helping federal agencies bolster their cybersecurity, through technology solutions, implementations and integrations, staffing, or all of these. Federal agencies depend on private-sector partners to understand the cyber solutions that could address the agencies' specific challenges and for help implementing them.
This also means understanding federal requirements and how best to build them into the design of a project or into the integration itself.
That said, contractors don't always understand the required cybersecurity standards, let alone implement them in their own environments, which can increase agencies' exposure to cyber threats and, by extension, increase the burden on already overtaxed agency cybersecurity personnel.
For example, defense contractors that handle controlled unclassified information (CUI) have been required for several years to implement the 110 security requirements in NIST Special Publication 800-171, but contracting officers have rarely enforced that requirement.
That is poised to change when those 110 requirements become the core of Level 2 under the Defense Department's Cybersecurity Maturity Model Certification (CMMC) 2.0 rule, expected this spring (Level 1 covers a smaller set of 17 basic safeguarding practices). This is a good and necessary step.
Federal contractors should meet the same standards that apply to their agency customers, whether or not the law requires it. Meeting the requirements of NIST SP 800-53 (which governs federal systems) and SP 800-171 (which governs CUI on contractor systems), for example, should be table stakes for any contractor, not an afterthought.
Contractors must have in-depth knowledge of the cybersecurity requirements they are helping agencies fulfill. Acquiring that knowledge before entering a contracting engagement will position the FSI not only to win the contract, but also to fulfill it more efficiently for the agency. Greater efficiency alleviates pressure on agency cyber staff.
The National Cybersecurity Strategy calls for increased public-private partnership on many fronts. It acknowledges that closing the cybersecurity talent gap “will require federal leadership and enduring partnership between the public and private sectors.” Recruitment, retention, and training initiatives in both sectors are a start.
But the talent gap is so vast, and the cyber threat landscape is so broad and so treacherous, that people alone aren’t the answer – and they certainly aren’t a short-term fix to address urgent cybersecurity gaps.
Managed security services, coupled with cloud-delivered cybersecurity solutions that leverage artificial intelligence and machine learning, are a more realistic path to closing the cybersecurity talent gap. Some estimates hold that up to 90 percent of security data is never analyzed.
Humans simply can't keep up with burgeoning data volumes. AI and ML can. Leveraging cloud-delivered security solutions also removes the burden of managing and maintaining on-premises security infrastructure.
AI-powered models can identify the characteristics and contextual behavior of adversarial actions and block them, including attacks with no prior signature. ML keeps those models continually updated, improving protections as new threats are detected, although analysts still need to tune the models and review what they flag.
Managed services, too, are an essential tool for FSIs in their support of agency customers. Standalone operations, in either the public sector or the private sector, simply aren’t sustainable in today’s environment.
Managed security services provide integrated, holistic cybersecurity, cost savings, scalability and around-the-clock monitoring, and they offload routine tasks so in-house security personnel can focus on security governance.
The value of managed security services to FSIs and their agency customers is akin to the value of cloud services over on-premises data centers. Simply put, moving to managed services is another no-brainer.
Together, industry and government can fill the crater-sized cybersecurity talent gap. Doing so will require sustained efforts on many fronts.
The front line, for the most immediate and sustainable results, should be Zero Trust, supported by cloud-delivered security solutions that leverage AI and ML, coupled with managed security services and across-the-board adherence to government security standards.
If we do these things now, we will see far faster progress than we are seeing today.
Danny Connelly is chief information security officer for the Americas and public sector at Zscaler. He previously was the associate chief information officer and operations branch chief for the Centers for Disease Control and Prevention. During his 11-year tenure at CDC, Connelly was responsible for implementing operational capabilities to support incident response, forensics, cyber threat intelligence, and insider threat functions.