How well does your company define its cybersecurity work force? Is it part of the overall IT department or does cybersecurity have its own division? What are the responsibilities of your cybersecurity work force?
If you aren't sure of the answers to these questions, don't feel bad. You aren't alone. The General Accountability Office (GAO) recently released a report that found that the eight federal agencies with the biggest IT budgets have trouble handling their cybersecurity work forces and don't know how to determine their responsibilities. The eight agencies are Defense, Homeland Security, Health and Human Services, Treasury, Veterans Affairs, Commerce, Transportation and Justice.
According to ExecutiveGov.com:
"While security is dependent on the workforce, the GAO found that none of the agencies examined could accurately account for the number of cybersecurity personnel they had. This issue is being attributed to the recently discussed notion that there is not a clear definition of what defines the cybersecurity and IT workforce."
The report goes on to say that IT infrastructure depends on a knowledgeable and skilled work force, but the environment is too fragmented. The GAO audit pointed out:
"All of the agencies GAO reviewed faced challenges determining the size of their cybersecurity workforce because of variations in how work is defined and the lack of an occupational series specific to cybersecurity."
Yes, this is the federal government we're talking about, so perhaps we shouldn't be too shocked that the agencies struggle to identify their cybersecurity work force and can't define exactly what makes someone cybersecurity personnel. And yet, looking at the agencies that are involved - Defense, Homeland Security, Justice, Treasury - you would want to see cybersecurity at its cutting edge. How can Defense or Homeland Security defend against potential cyber attacks or cyber war if they can't even identify cybersecurity positions within their own agencies?
The GAO report does provide action plans for individual agencies, but they are fairly similar. Develop a real cybersecurity plan. Update the work force with skilled cybersecurity personnel. Address gaps in the system. All the suggestions are pretty straightforward and should really be implemented by any company in need of better cybersecurity.