Since the beginning of the COVID pandemic, cyberattacks have become increasingly frequent and sophisticated, looking to leverage a changing IT landscape that resulted as government agencies and their IT teams worked to enable the “new normal” of a distributed workforce.
The government, military, and the government contracting industry are working to adapt to this increasingly active and advanced enemy. Mandated checklists and processes like Security Technical Implementation Guides (STIGs), CIS (Center for Internet Security), and CMMC (Cybersecurity Maturity Model Certification) seek to simplify and standardize security practices in the government and defense industrial base (DIB).
But, while they cover the “what,” “why,” and “how” of protecting government assets, what about the “who?”
With nearly 600,000 unfilled cyber jobs across the U.S., the cybersecurity workforce shortage is proving especially dire in the public sector. The pay and perks in the private sector are a huge draw for the workforce, making it difficult for the government and military to compete for skilled cybersecurity professionals. So, what can the government do?
There are three ways in which the government and military can overcome the problems caused by the cyber workforce shortage:
Grow a cyber workforce
The first solution is to recruit and train a new army of cyberwarriors, which is something the government is actively working to accomplish with new legislation.
Last month, U.S. Senators Jacky Rosen (D-NV) and Marsha Blackburn (R-TN) introduced the Cyber Ready Workforce Act, a bipartisan bill to establish a grant program within the Department of Labor to support the creation, implementation, and expansion of registered apprenticeship programs in cybersecurity. This legislation enables the Secretary of Labor to award grants on a competitive basis to support the creation, implementation, and expansion of registered apprenticeship programs in cybersecurity. Support services may also include career counseling, mentorship, and assistance with transportation, housing, and childcare costs.
“When it comes to establishing and maintaining security controls such as those defined by STIGs, CIS, and CMMC, a bot is the best person for the job.”
While the Cyber Ready Workforce Act is not the first piece of legislation of this kind to be introduced, it may be the first to succeed with the current environment and two recent bipartisan attempts to make it happen.
Train to fight
If recruiting a cyber workforce takes too long, some agencies and military organizations may elect to retrain existing personnel to be cyberwarriors, instead. For example, the U.S. Army is not waiting for the Department of Labor to create an apprentice program. Instead, they are tailoring their cyber training to the knowledge and talents of their workforce right now.
A new approach to training will see the U.S. Army provide tailored cyber training to personnel based on digital knowledge and responsibilities. As a result, those individuals with more knowledge can be optimized to serve as leaders for other digital users. And those with less propensity can be trained to the level needed to do their jobs safely. The training will include artificial intelligence, machine learning, and deep learning, along with automation.
By instilling proper data literacy in the right personnel, the Army can develop an ecosystem of professionals to make as many data-based decisions as possible.
Automate wherever possible
When it comes to establishing and maintaining security controls such as those defined by STIGs, CIS, and CMMC, a bot is the best person for the job. Anyone who has worked in cybersecurity knows that manual security updates to existing applications and systems can sometimes be delayed by months due to backlogs and software conflicts.
“When you free your people to do the things humans do best…everyone is happier, quality goes up, and people stay longer in their jobs.”
Today’s leading cybersecurity automation solution in the Federal workspace can reduce initial hardening time by 90 percent while eliminating 70 percent of the costs. It can also speed the security process, helping you achieve authority to operate (ATO) in hours, not weeks.
Automation is a powerful tool for combating the shortage of cybersecurity personnel you need to harden your systems and lock down data, but there is another benefit. When you free your people to do the things humans do best—addressing those backlogs that take critical thinking skills to complete, for example—everyone is happier, quality goes up, and people stay longer in their jobs.
But which government cybersecurity processes can be automated to deliver the maximum benefit to the government?
Identifying automation targets
While the difficult work of securing government networks and data may not necessarily be something that can be entirely outsourced to bots and automated, there are some compliance processes that would make excellent targets for automation.
For example, here are four significant areas where automation can be applied to provide a real advantage to the operationalization of cyber compliance within the DoD, specifically:
1) Automate and reduce the effort/errors in merging non-technical CKL data with machine-generated technical data.
2) Automate and simplify the production and input of compliance data into eMASS.
3) Automate and reduce the effort to produce, name, and store fully populated STIG Viewer Checklist in bulk (by the 1,000s).
4) Provide complete CKL data to SIEM data feeds so that complete compliance data is easily accessible through integrated enterprise dashboards.