OPM Attack should put HR Managers on Notice
Technology has become ingrained in and vital to our everyday lives, but with each new data breach, we’re reminded of the price we pay for its access and convenience.
The recent breach of federal government data at the Office of Personnel Management (OPM) is a prime example of the breadth of the cyber threat. When we think of the federal government and the need for cybersecurity, we naturally think of the National Security Agency (NSA), the National Institute of Standards and Technology (NIST), or the Federal Bureau of Investigation (FBI), but not OPM. And yet, with this breach, sensitive information for nearly four million current and former federal workers from nearly every government agency has been exposed. This demonstrates the proliferation of cyber threats in both the private and public sectors, and the need for more cyber personnel to respond to this growing threat.
Over the last few years, security breaches have become all too normal – inevitable even. In 2013, close to 20 major retailers and financial institutions were targeted, while the FBI reported almost 300,000 cyber-crimes that same year. In total, these breaches caused more than $525 million in losses.
The solution has been to revisit internal safeguards, analyze where and how the breach happened, and create new ways to prevent it from happening again. This conversation approaches the prevention of cyber attacks by creating and adhering to best practices and tougher security protocols. What this conversation lacks, however, is commentary about the overwhelming imbalance of qualified individuals to address these threats. Quite simply, there aren’t enough people to create secure environments across both public and private sectors.
In the last few years, we’ve seen the need for cyber security talent skyrocket. In the DC Region alone there’s been a 35% increase in cyber security job postings with over 23,000 job openings in the region during 2013 and more than 200,000 positions nationally. Today, cyber security jobs make up 10% of all IT positions. The process of filling open positions has become unbearably lengthy, taking roughly 24% longer to fill than any other IT posting and 36% longer than job openings in other industries. Far worse, however, is that nearly half of cyber professionals find it difficult to appropriately identify the skill level of candidates, especially in entry-level positions.
With such a shortage of qualified talent, one can see how it’s becoming increasingly difficult to detect and mitigate cyber threats. There’s a clear and urgent need for qualified and skilled cyber security workers. What if we could accelerate the number of viable candidates in the workforce, even if only at the entry level? This is the new conversation we should be having: how we can quickly and effectively prepare an eager workforce with the skills to meet the demands of both private and public sectors.
First, we need to realistically identify the skills needed by cyber security personnel to mitigate future breaches. By reworking tired job descriptions into actionable skills, employers can better articulate exactly what they’re looking for when they recruit and identify talent. The government has built important frameworks like the National Initiative for Cybersecurity Education (NICE) and the National Initiative for Cybersecurity Careers and Studies (NICCS) to start this process, but we still need the engagement of employers to validate the skills required for cyber security jobs in order to make these frameworks as effective as possible.
Second, we need a mechanism that allows individuals to demonstrate and understand how the skills they’ve developed from their work and other life experiences may prepare them for the cyber industry. Once they know how their skills translate into cyber, they can identify areas of growth by comparing their skills to what’s actually needed, and clearly identifying which skills or certifications they’re lacking.
Third, we need to highlight where individuals can develop the particular skills they may be lacking. Cyber security professionals have stated with increasing clarity that they’re looking for individuals with the skills needed to perform specialized tasks, but are less concerned with whether those skills were acquired through traditional education. As such, the cyber field – in part because of the prevalence and value of certifications – accepts and supports many avenues into the field. Accordingly, we need to identify the specific skills that traditional or non-traditional programs provide, so students can pursue the programs that develop the skills they need for success.
These three components must work together to quickly create and capture talent and build a pipeline that helps both private and public sectors thrive in combatting cyber threats. SkillSmart was designed to evolve the way employers and individuals interact by connecting them through their shared skills. Applying this model to cyber security could be the powerful tool needed to secure our data.