OPM provides guidance to address cybersecurity skills gap

It’s hard to find (read: near impossible) an organization that thinks it has all the cybersecurity expertise that it needs. Whether it’s finding good CISOs, cloud security architects, application security experts, or whatever — finding skilled cybersecurity talent is one of the biggest challenges that face technology teams today.

Recently, the human resource department of the federal government issued an advisory that details how federal agencies need to address their cybersecurity workforce gaps over the next four years. In the first-year, agencies must identify their information security workforce gaps. This is an ideal exercise for any organization that has data that they must protect and, if this is an exercise the organization has not conducted, there’s no better time than the present.

“I am pleased to provide guidance that will help Federal agencies pinpoint their cybersecurity workforce’s most critical skill shortages. This guidance is based on the requirements contained in the Federal Cybersecurity Workforce Assessment Act of 2015 (Act),” said Mark Reinhold, associate director, employee services at OPM.

According to the memo, the Act outlines steps the Federal Government should take to identify its cybersecurity workforce capabilities and gaps. The assessment is largely based on NIST’s National Initiative for Cybersecurity Education (NICE) Workforce Framework (Framework). That framework provides a common description of cybersecurity work:

Table 1 – NICE Framework Workforce Categories

Securely Provision (SP)

Conceptualizes, designs, procures, and/or builds secure information technology (IT) systems, with responsibility for aspects of system and/or network development.

Operate and Maintain (OM)

Provides the support, administration, and maintenance necessary to ensure effective and efficient information technology (IT) system performance and security.

Oversee and Govern (OV)

Provides leadership, management, direction, or development and advocacy so the organization may effectively conduct cybersecurity work.

Protect and Defend (PR)

Identifies, analyzes, and mitigates threats to internal information technology (IT) systems and/or networks.

Analyze (AN)

Performs highly-specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.

Collect and Operate (CO)

Provides specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence.

Investigate (IN)

Investigates cybersecurity events or crimes related to information technology (IT) systems, networks, and digital evidence.

Based on the analysis of each individual agency, the OPM will attempt to identify common information security needs across the federal government. There are two criteria agencies should use to determine whether or not their need is critical. The first is to determine the most prominent skill shortage the agency identifies for itself, based on current staffing as well as overall competency levels. The second is how important the missing skills are for that agency to be able to achieve its overall organizational mission.

The self-examination should also attempt to identify the agencies root causes for its skill shortages, such as availability of skills it requires in the talent pipeline, its own recruitment and retention efforts, training, performance management and, of course, resources and budget.

You can find the full framework, here (pdf).

*** This is a Security Bloggers Network syndicated blog from Cybersecurity Matters – DXC Blogs authored by Cybersecurity Matters. Read the original post at: