Cybersecurity Skills Gap: Will New Executive Order Help?
The cybersecurity skills shortage is a serious issue. There is a necessary urgency for companies to hire or cultivate cybersecurity professionals as threats become more sophisticated and sinister. The cybersecurity industry has discussed the problem of finding a well-trained workforce for as long as I’ve been writing about security, and it was a hot topic at RSA this year.
It is also a problem that caught the attention of someone in the White House. On May 2, President Trump signed an executive order addressing the cybersecurity workforce. It order stated, in part:
“The United States Government must enhance the workforce mobility of America’s cybersecurity practitioners to improve America’s national cybersecurity. … The United States Government must support the development of cybersecurity skills and encourage ever-greater excellence so that America can maintain its competitive edge in cybersecurity. … The United States Government must create the organizational and technological tools required to maximize the cybersecurity talents and capabilities of American workers.”
White House Cybersecurity Initiatives
This is not the first time the administration has addressed the national cybersecurity crisis. In 2017, Trump signed the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure and, in 2018, the administration introduced the National Cyber Strategy, promising initiatives that have gotten very little attention. The executive order on America’s Cybersecurity Workforce falls in line with the administration’s cybersecurity agenda.
It also closely mirrors a bipartisan bill passed in the Senate—a body that historically has been behind the times when it comes to cybersecurity legislation. Under the Senate’s bill, “Existing federal tech talent would have avenues to bolster their training and experience, while smaller agencies would gain access to cyber employees who can improve their security posture,” according to NextGov.
The cybersecurity experts I’ve heard from praised the executive order. “It’s great to see that the current administration recognizes both the importance of cybersecurity and the shortage of qualified practitioners,” Dan Tuchler, CMO at SecurityFirst, said in an email comment. “Our customers, in both the private sector and in government, are challenged to meet ever increasing threats to data security, while on a constrained budget. They need workers with the right skills to combat these threats.”
Pravin Kothari, founder and CEO of CipherCloud, agreed, stating in an email comment that this initiative has been long overdue. “The level of hacking against the U.S. has created an extraordinary threat to the national security targeting our businesses, infrastructure, stealing trade secrets and meddling our election, challenging our democracy and freedom,” Kothari said. “This is a defensive step in protecting America by addressing a key aspect of cybersecurity—workforce—with education and preparedness.”
Is It Enough to Meet the Cybersecurity Skills Shortage?
However, even though experts think that this is a step in the right direction, there is concern that this may not be enough. As Kothari pointed out to me, this initiative is going to require major funding and continuous investment for years and will require a buy-in from future administrations before we see real, measurable results.
“For this directive to succeed, government officials must do more than acknowledge the difficulty and urgency of addressing cybersecurity threats,” noted Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
The executive order is big on ideas—such as a “President’s Cup” competition as a way to reward current cybersecurity staff in government agencies, and identifying employees who show potential in cybersecurity skills—but it comes up short on how to accomplish the listed mandates.
“It’s especially noteworthy that this new directive concentrates on addressing the U.S. federal government’s lack of competitiveness when attracting and retaining talent,” said Bocek. “If the government wants to recruit the greatest minds in cybersecurity, it must make sure our tools and technology are the best in the world and demonstrate their commitment to success by partnering with industry on key policy questions.”
The biggest concern is one that has plagued any cybersecurity-related initiative introduced Washington: Nothing happens after the call to action. Trump isn’t the only president who initiated executive orders surrounding cybersecurity. There’s been legislation introduced in the past to better protect our internet infrastructure. But as a Forbes article pointed out, “… while the internet has become as embedded in modern life as the automobile and television did in earlier generations, nobody would describe the online world as having become safe and secure.” While we had the order to strengthen the critical infrastructure in 2017, attacks against those networks are increasing. And when will someone truly address our vulnerable election system?
This executive order brings light to a serious problem, and that’s the good thing. But it isn’t going to solve the cybersecurity skills shortage anytime soon—or maybe not at all, if the past is any indication.