(Regular print indicates supported ITAPS recommendations in response to the questions; flagged items are expanded recommendations that address the questions more explicitly and were not directly addressed by ITAPS. Participated in and collaborated with the ITAPS OMB-OPM-NSC Task Force.)
How can government tackle the cybersecurity talent search in a way that strengthens skills, experience, and knowledge both within government CISO/CIO and partner organizations and externally from contracted services?
Increase the professionalism of, and provide additional incentives to, the government cyber workforce by creating a separate career path and job series, with incentives that demonstrate the criticality and importance of cybersecurity throughout the government.
(non-ITAPS) Move the CISO function out from under the CIO (a potential conflict of interest, since IT is now a critical part of conducting the business and fulfilling the mission); recognize cybersecurity as a critical business function, elevate it in stature and incentives, and provide it an independent budget.
(non-ITAPS) Continue to support National Cyber Scholarships and provide fully funded follow-on positions within the Federal agencies. Frequently, scholarships are awarded but the recipients are unable to find positions within the Federal government and are released from their obligation to work for the government. The government must take full advantage of these skilled resources within its workforce.
Ensure that federal government employees understand that information security is everyone’s job and a condition of employment, that they understand their specific roles, and that information security will be an essential part of their performance reviews.
Increase information security training and awareness at all levels and in all areas of the government (e.g., elected officials, appointed officials, senior executives, IT personnel, users, contractors), and increase the number of information security professionals.
Identify the unique aspects of the operational environment as a marketing tool to improve workforce hiring and retention. For example, for recruitment and retention, the government should tout that it operates a highly attacked network posing unique security challenges, and the Department of Homeland Security (DHS) should leverage the special pay incentives provided by recent legislation. Other agencies should work to identify and use similar hiring and pay incentives or exceptions.
Establish protocols for, and encourage and incent federal government employees to use, a reporting mechanism for information security concerns or weaknesses, first within their department and agency and then outside the standard chain of command (e.g., risk executive, IG, computer incident response team), without fear of reprisal when normal processes are not providing the necessary results.