Budget and Talent Shortfalls Undermine Public-Sector Cybersecurity, Study Says

Public-sector agencies invest in technology for IT security, but one thing they lack is warm bodies.

Budget and talent shortfalls have a significant impact on cybersecurity in the public sector, according to Cisco Systems’ 2017 Midyear Cybersecurity Report.

Former federal CIO Tony Scott said in November 2015 that there were an estimated 10,000 cyber-related federal job openings. The government hired 3,000 cyberworkers in the first six months of fiscal 2016 and aimed to add another 3,500 by January 2017. 

David Berteau, president and CEO of the Professional Services Council, a trade group that represents government technology professionals, recently told FedTech that most federal cybersecurity workers need a security clearance. Currently, the government has an investigations backlog of at least 500,000 people waiting for clearance, Berteau said.

A Lack of Talent Can Harm Security

Cybersecurity has been a major IT focus so far for the Trump administration. Agencies likely won’t have trouble getting money to hire for cybersecurity roles, according to Berteau. Instead, the greater challenge the government faces is attracting top cyber talent.

That can have deleterious effects on security, the Cisco report finds. Agencies may be slow to adopt certain tools because it requires knowledgeable staff to implement those tools and analyze the results, according to the report.

Only 30 percent of public-sector security professionals say their organizations use penetration testing and endpoint or network forensics tools, the Cisco report says. The vendor notes that such tools are considered key pillars of a defense-in-depth security strategy, making their lack of adoption worrisome.

Agencies that do not have enough cybersecurity staff may also not investigate threats as thoroughly as they need to. According to the report, nearly 40 percent of public-sector organizations say that of the thousands of alerts they see daily, only 65 percent are investigated.

Worryingly, 32 percent of those investigated threats are identified as legitimate, but only 47 percent of those legitimate threats are eventually remediated, Cisco says.

“The number of threats that go uninvestigated is evidence of the need for tools that share information about alerts and provide analysis,” Cisco says in the report. “Such tools add texture and understanding to alerts (making them more valuable), so that staff can determine which ones need immediate attention.”

Automation technology can help agencies address cybersecurity threats with less staff. Additionally, agencies can use historical data, modeling and machine learning techniques to help predict cyberattacks before they occur.

To truly examine a large number of daily cybersecurity alerts, the report notes, a public-sector agency might need dozens of security staffers, yet they rarely have enough staff. The report says that 35 percent of public-sector organizations have fewer than 30 employees dedicated to security.

Additionally, 27 percent believe a lack of trained personnel is a major obstacle to adopting advanced security processes and technology, the report says.

Feds Make Effort to Boost Cybersecurity Ranks

Federal IT officials and agencies continue to push to hire more cybersecurity personnel. In January, the Office of Personnel Management launched the cybercareers.gov website as part of its effort to recruit, hire, develop and retain cyber talent. 

In April, OPM issued a memo to note the Federal Cybersecurity Workforce Assessment Act requires that all agencies “must establish procedures for identifying and coding encumbered and vacant civilian positions with information technology, cybersecurity, and cyber-related functions.”

The law also notes that agencies must complete the coding by April 2018, and that coding is “foundational to cybersecurity workforce planning.” However, a group of lawmakers in May called for OPM to be more flexible in its cybersecurity hiring practices, FCW reports.