Pros and Cons

Experts weigh in on Obama administration's guidance for recruiting, hiring and training the federal cybersecurity workforce.

The Obama administration recently released a blueprint outlining steps to improve the recruitment, hiring and training of the cybersecurity workforce.

The strategy is part of the National Initiative on Cybersecurity Education, or NICE, being developed by the National Institute for Standards and Technology in coordination with several other agencies, including the Homeland Security Department and Office of Personnel Management. The goal of the initiative is to bolster cyber awareness, education and training.

Is the road map right on track or fatally flawed? This week, the experts weigh in.

The Right Steps

Hord Tipton, executive director of (ISC)2, told Wired Workplace the administration's plans to adopt cybersecurity competency models, engage in cyber workforce planning and increase the number of cyber professionals nationwide are all welcome and effective steps to solving what has been dubbed a human capital crisis in cybersecurity.

The document is "validation in large part for many of the areas that we've identified are problems," Tipton said. "I'm left with the sense that we're on the same track here."

Tipton said he was most encouraged by the strategy's plan to open the discussion about the cybersecurity workforce to public and private groups. "It hasn't always been that way," he said. "All of this was trying to be developed inside government, and we felt they lost a lot of opportunity with that."

(ISC)2, which provides certification and training to cyber professionals, already has seen an increase in the number of people looking to obtain certifications, which in turn has caused the pass rates of certification exams to drop slightly, from mid-60 percent down to 50 percent, Tipton said.

"I think there's a recognition now in the hiring community that you have to validate that people can do the great things they claim to do," Tipton said. "We have a lot of people taking the exam now and more jobs that depend on certification. Our pass rates have dropped a bit because we have a lot more people who want to come into this space who aren't really qualified."

Fatal Flaw

Tipton's comments are in stark contrast to the opinions of Alan Paller, director of the SANS Institute, who said the strategy lacks a focus on building the computing, programming and networking skills necessary for effective cybersecurity work.

Tipton did agree that the plan could use some tweaking in areas like education and certification. He also noted that one major goal of the plan -- to increase the number of cyber professionals nationwide by 20 percent by 2015 -- may be a bit ambitious. "It may be optimistic, but you have to set your goals high here," he said. "We're ready to do our part."

Paller had earlier described in more detail for Wired Workplace what he sees as the missing piece in the blueprint. "There's no plan for developing the hands-on teachers or for using the existing hands-on people as teachers," he said. "It would be like having pilots trained by non-pilots; it would be scary."

Paller suggested that the blueprint focus on developing programming skills at the middle school level; security programming and networking management skills in high schools; and other advanced skills, such as script development and automation, reverse engineering, exploit analysis and forensics, in colleges and universities.

"Development of those skills requires an educational model much like that used for pilots and doctors," Paller wrote in a piece submitted to NICE leaders. "Teaching hospitals and flight training schools are the central ingredients. They are staffed by skilled pilots and skilled doctors with thousands of hours of hands-on experience -- not by academics who learned their medicine or piloting from books."

Paller added that the current strategy will have little or no impact, now or in the coming years, unless it is updated to focus on developing the critical hands-on cybersecurity skills that are in such short supply.

"Unless the Strategy is amended, following it will lead to the training and development of thousands of people with the wrong skills and, by diverting people and money from the greater need, will exacerbate the shortages of talent needed to respond to a dynamic and rapidly developing array of threats," he said.

Wired Workplace is a daily look at issues facing the federal information technology workforce. It is published on Nextgov.com.