Feb 02 2022
Management

How Thoughtful Cybersecurity Training Yields Benefits for Government Workers

Examine a host of resources for upskilling or reskilling agency employees.
by

Tanya Candia is an international management expert, specializing for more than 25 years in information security strategy and communication for public- and private-sector organizations.

State and local governments today face a perfect storm: incessant cyberattacks, increased demand for online services and an alarming shortage of trained security experts.

Cybercriminals are lured by a ­treasure trove of personal information essential to maintaining public safety, ensuring election security and providing vital services. Despite valiant efforts to avoid cyberattacks and ensure the ­availability of online systems, it’s a ­losing battle for many state and local governments. There are never enough people sufficiently skilled to address the myriad ways hackers can wreak havoc.

Hiring more security staff is a big challenge: State governments reported almost 9,000 open cybersecurity jobs as of summer 2021. The situation is not unique to state and local governments. Across the industry, 57 percent of ­organizations report a gap in cyber-security skills, resulting in increased workloads, unfilled jobs and high burnout rates. However, it is harder than ever to fill open positions, with low pay scales in the public sector and ­revenue shortfalls resulting in budget cuts or hiring freezes.

Click the banner below to get access to a customized cybersecurity content experience.

StateTech Insider - cybersecurity StateTech Insider - cybersecurity

Agencies Can Focus on Upskilling and Reskilling

One of the most expedient ways to tackle cyber talent shortages is by investing in two types of training: upskilling and reskilling. Upskilling involves implementing programs to increase the knowledge and abilities of the security team to fill in gaps. Reskilling, in contrast, is a way of ­training employees in other areas so they can be prepared to move into the security team.

Training requires a much smaller investment than hiring a new worker, and it creates a more effective ­workforce. It can lead to increased job satisfaction as new team members take on lower-level work, allowing skilled cybersecurity team members to ­concentrate on more intense and ­meaningful work.

It seems like a simple decision: Implement cybersecurity training instead of struggling to hire seasoned security experts. Still, state and local agencies continue to lag in this regard. Only 22 states offer voluntary ­cybersecurity training for state ­employees. Resources provided by these states include online cybersecurity training videos, toolkits and in-person classes through partnerships with higher education institutions.

Fortunately, state and local governments that have not yet implemented security training programs can access a number of resources designed to help agencies tackle cybersecurity talent shortages and implement effective ­training programs.

EXPLORE: Learn how zero trust will evolve in 2022 for state and local agencies.

A Wealth of Resources for Government Cybersecurity Training

Any effort to improve requires establishing a baseline. Michigan provides a ­valuable resource called CySAFE, a free security assessment tool to help small and midsized governments assess, understand and prioritize their basic IT security needs. Another resource for assessing current skill sets and ­proficiency levels is the Cybersecurity Workforce Training Guide released in August by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). This guide provides roadmaps for ­developing or launching cybersecurity career paths.

22

The number of states offering voluntary cybersecurity training for employees as of spring 2020

Source: National League of Cities, “State and Local Partnerships for Cybersecurity,” April 2020

Each organization must determine what risks are most relevant and where gaps exist in its current skill sets. The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques that can help organizations identify their most prevalent risks. Then, in addition to the resources ­mentioned in the previous section, ­organizations can use the National Initiative for Cybersecurity Education framework from the National Institute of Standards and Technology (NIST) to inventory and track strengths and ­weaknesses in their workforces.

Training resources can be accessed from a variety of sources. CISA provides a toolkit for state, local, tribal and ­territorial (SLTT) governments, which identifies resources including ­self-assessments, tools and training environments. NIST offers an extensive list of low-cost resources available online, including free, on-demand ­training and discounted labs, as well as webinars, blogs, portals, courses and video training at all levels.

Another valuable source is the Resource Center for State Cybersecurity, which features plans and guidance for response planning, critical infrastructure and elections infrastructure cybersecurity, and workforce development.

DIVE DEEPER: How can security operations centers help state governments?

Management Must Support Security Training 

No resource can help close the skills gap unless security is a priority, and that calls for management support. 

Resources to help start the discussion and facilitate improved understanding and mutual responsibility for cybersecurity throughout the organization are available in the CISA SLTT ­toolkit, which also includes suggestions for making cybersecurity a budget ­priority, how to involve educational institutions in developing training (thus sharing the funding requirements), and how to facilitate the discussion with leadership to support and enhance cybersecurity preparedness. 

Just as senior management is key to ­success, so too are the students. Make sure the training is ­effective and engaging. Current and aspiring members of the cybersecurity team need relevant on-demand courses that will hold their attention even while under stress to complete their daily tasks. The most effective tools include highly ­interactive training and gamification. Cyberwarfare gaming, ethical hacking and simulations allow security professionals to experiment and hone their skills.

As with any complex but worthwhile venture, ­security training doesn’t happen overnight. Take it in steps: Lay out a reasonable schedule and syllabus that matches your organization’s specific needs and addresses its existing strengths and weaknesses. 

Most important, take advantage of the tools and knowledge of those who have already assembled impressive resources and pass it on.

Taylor Callery/Ikon Images

More On

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now