A National Cybersecurity Strategy has the potential to transform our ability to fight and defend against cyberattacks across the public and private sectors.
But at least in the short term, it highlights a fundamental challenge for organizations large and small, governments and industry at large. That is, there is a crater-sized gap between the number of cybersecurity jobs and the number of people filling them.
Federal system integrators (FSIs) can hire faster and often pay more than the public sector, but both government and industry are having a very hard time filling cyber jobs.
There are currently over 755,000 cybersecurity jobs open across the United States, according to Cyberseek, a project backed by the National Institute of Standards and Technology. Of those, approximately 710,000 are in the private sector and 45,000 are in the public sector.
Of course, many FSIs help federal agencies improve cybersecurity through technical solutions, implementation and integration, staffing, or all of these. Federal agencies rely on private sector partners to understand and help implement cyber solutions that can address agency-specific challenges.
This also means understanding federal requirements and how to best incorporate them into your project design or integration.
That said, contractors do not always understand the required cybersecurity standards and cannot implement them in their environment. This could increase the exposure of government agencies to cyber threats and, in turn, increase the burden on already overburdened agency cybersecurity personnel.
For example, defense contractors with federally controlled unclassified information must implement the 110 security practices outlined in NIST Special Publication 800-171 for several years, which contracting officers do. I have not.
That could change this spring when 110 (Level 1 controls plus 17) security controls and practices become core requirements under the Department of Defense Cybersecurity Maturity Model Certification 2.0 rules. This is a good and necessary step.
Federal contractors are required to meet the same standards that apply to government customers, whether required by law or not. For example, meeting the requirements of NIST SP 800-53 and SP 800-171 is a trivial task.
Contractors must have in-depth knowledge of the cybersecurity requirements they help government agencies meet. Acquiring that knowledge before entering into a contract will not only help FSIs win contracts but also enable them to execute those contracts more efficiently for their agencies. Increased efficiency will reduce the burden on the agency's cyber staff.
The National Cybersecurity Strategy calls for stronger public-private partnerships on many fronts. It acknowledges that closing the cybersecurity talent gap “will require federal leadership and enduring partnerships between the public and private sectors.” Recruitment, retention and training initiatives in both sectors are just the beginning.
However, the talent gap is so large, and the cyber threat landscape so vast and so dangerous, that people alone cannot solve it. Nor is it a short-term solution for addressing pressing cybersecurity gaps.
Managed security services combined with cloud-delivered cybersecurity solutions that leverage artificial intelligence and machine learning are a more viable solution for closing the cybersecurity talent gap. By some estimates, up to 90% of cyber data goes unanalyzed.
Humans can't keep up with exponential data volumes. But AI and ML can. Leveraging a cloud-delivered cybersecurity solution reduces the burden of managing and maintaining an on-premises security infrastructure.
AI-powered models can identify adversarial characteristics and contextual behavior to block even never-before-seen attacks. ML continuously updates models to enhance protection in real time as new threats are detected.
Managed services are also an essential tool for FSIs to support agency customers. Standalone operations, whether public or private, are not sustainable in today's environment.
Managed security services provide an integrated, comprehensive cybersecurity solution, cost savings, scalability, 24/7 monitoring, and the offloading of routine tasks so security professionals can focus on security governance.
The value of managed security services to FSIs and their agency customers is similar to the value of cloud services and on-premises data centers. Simply put, moving to managed services is also very easy.
Industry and government can work together to close a crater-sized cybersecurity talent gap. This will require sustained efforts on many fronts.
Zero Trust supported by cloud-delivered security solutions that leverage AI and ML, along with managed security services and alignment to government security standards, should be at the forefront for the most immediate and sustainable results, combined with full compliance.
If we do these things now, we will see progress exponentially faster than we do now.
Danny Connelly is Chief Information Security Officer for the Americas and Public Sector at Zscaler. He was previously the Deputy Chief Information Officer and Head of Operations for the Centers for Disease Control and Prevention. During his 11-year tenure at the CDC, Connelly was responsible for implementing operational functions supporting incident response, forensics, cyber threat intelligence, and insider threat functions.