What Teddy Roosevelt can teach us about cybersecurity
Why wait years to grow new cybersecurity talent when you can take advantage of the talented federal workforce today?
The US government needs a lot more cyber professionals, and needs them fast.
In a recent White House blog, the Office of Personnel Management聽(OPM) announced the new Federal Cyber Workforce Strategy in which it identified the target goal of 3,500 new hires by January 2017.
Even if the government moved with uncommon speed, moving so quickly to staff positions in a field with close to zero unemployment is an ambitious goal, to say the least.
But that's no reason for despair.
I would suggest that the cyber workforce shortage could be managed if the government applied the perspective of a prior occupant of the White House: "Do what you can, with what you have, where you are," said Theodore Roosevelt in 1913.
The 26th president's theory does seem to collide with our current reality: not enough trained cybersecurity workers and the assumption that non-cybersecurity workers can't easily attain enough technical skill to be useful.
With so few skilled cyber professionals in the pipeline, though, I don't think the government has a choice but to rethink assumptions. It must place an immediate focus on its existing resources instead of trying to speed up a talent pipeline that will take years to establish.
What many do not know is that advancement opportunities for government personnel with little to no security experience do exist.
For instance, (ISC)2's SSCP certification requires only one year of experience and is ideal for non-security IT personnel who focus on day-to-day operations. Another example is the Associate of (ISC)2 that bridges that gap between needing certification and needing experience. If someone does not have that experience but can pass one of our exams, they can become an Associate.
Both the Associate and SSCP programs provide employers (or potential employers) confidence that an individual's cybersecurity skills are up to date and that they are knowledgeable of internationally recognized standards.
While such training won't stand in for hard-won experience defending networks, an organization that encourages its personnel to pursue these designations works to help bolster security throughout the organization, ultimately changing the organization's culture into one that accepts cybersecurity as a business reality rather than just a technology challenge.
In other words, pursuing such measures reflects President Roosevelt's wisdom of using the tools and talents we have at hand.
The next step? Organizations that help grow their employees' talents must dedicate ongoing resources to the retention of their existing cybersecurity professionals.
Given the multiple factors working against the government's efforts to build a skilled workforce, existing cyber professionals must be nurtured and rewarded with training and continuing education opportunities to help contend with the lures of the private sector.
Clearly, not every non-security professional wants to become a security professional. But if we're going to break the bottleneck of cybersecurity talent, we must do what we can, with what we have, where we are. And that means breaking old assumptions and cultivating talent in the workforce that's right here, right now.
Dan Waddell, CISSP, is the Director of US Government Affairs and the Managing Director for the North America Region of (ISC)2. You can follow him on Twitter @DanWaddellCISSP.