Federal agencies need to shift their focus to retaining cybersecurity talent, because hiring it is not the issue, said Shane Barney, acting CISO of the U.S. Citizenship and Immigration Services (USCIS), speaking at Meritalk's 2018 Cybersecurity Brainstorm in Washington Thursday. "I can hire people all day long" until a company like Cisco comes along and offers a much larger salary, he said. In the private sector, ideas aren't left in theory or mired in red tape, but can see application, according to Matt Conner, CISO of the National Geospatial Intelligence Agency.
To address retention, the government needs to reevaluate how it classifies and interprets skills, said Michele Thomas, CISO of the Department of Transportation, National Highway Traffic Safety Administration. Tech jobs aren't just about tech, she said. Professionals should have skills in interpreting policies and in communicating technology to non-technical leadership.
While policies are important, federal agencies cannot function properly when they try to design their actions around them, according to the panelists. Agencies can choose to ignore policies because they are outdated or don't make sense for the current framework, said Barney. Frameworks need to adapt to current environments, but they aren't always reliable for predicting or handling future scenarios.
The biggest takeaway from the panel was that security experts and leaders across the public sector are still figuring out the most effective ways for the U.S. to address cyber risks and mandates while maintaining its defense against nation-state actors.
The federal government has seen its share of cyber woes. Federal agencies, in terms of cybersecurity, are still where they were five or six years ago, pre-OPM breach, said Thomas. Agencies need to get the people who write the policies to "appreciate the things like risk management framework so the policy and mission intersect," she said.
The first question CISOs ask is "what are our risks," not "are we compliant," said Barney. Though compliance is always going to be relevant, it shouldn't be the core focus of actions. The USCIS is "not a compliance shop," though it still has to deal with checking all the boxes.
The issue in tackling a cyber event and protecting an agency from a breach is maneuvering around the policies, said Conner, and agencies cannot rely on policies alone to drive change. "There's not going to be the cyber Pearl Harbor," because bad actors aren't bringing capabilities down; they are stealing data, according to Ron Ross, fellow at the National Institute of Standards and Technology.
There is a slow bleed that results from blips adversaries intentionally place. Increasingly, bad actors are taking small actions that appear to have little significance.