9 Key Cybersecurity Roles for Government
Traditional IT Skills Evolve into Needed IT Security Know-How
"When we talk about cybersecurity professionals, we're not necessarily talking about people who are typically identified as cybersecurity types," said Frank Reeder, a former Office of Management and Budget executive who, with Karen Evans, a top IT official in the Bush White House, coauthored the white paper, A Human Capital Crisis in Cybersecurity: Technical Proficiency Matters, issued this week by the commission.
The white paper identified the nine key IT security roles as:
- System administration: client systems and servers;
- Network administration and network security operations;
- Security assessment, security auditing and information assurance;
- Threat analysis, intrusion and data analysis, intelligence and counter intelligence;
- Forensics investigation;
- Technical writing;
- Security architecture and engineering; and
- Information security and incident management.
"Systems administrators, network administrators, those who write code are typically not identified as cybersecurity types," Reeder said in an interview Tuesday. "But what they do or the manner in which they do it is critical both to deploying technology that is to the extent that we can make it safe and given that there is no such thing as absolutely safe technology, having the skills necessary to protect it and defend it and ultimately recover when bad stuff happens because bad stuff will happen."
The Federal Chief Information Officers Council and the Office of Personnel Management, as well as other organizations, are working to develop occupational classes for cybersecurity professionals, and the commission recommendations are aimed at identifying the key roles in cybersecurity, the functions they perform and the specific skills - including requisite training and education - required to do those jobs.
Occupational classifications for IT security within government would help simplify recruiting - recruiters would know the specific expertise to seek - and facilitate training by defining what skills need to be developed. Today, most cybersecurity professionals are classified as information technology specialists.
"Because cybersecurity work is performed in many different positions and places throughout the federal government, it is not easy to identify them by looking solely at job titles or organization charts," John Berry, director of the Office of Personnel Management, said last November when he unveiled the government's IT security classification initiative.
By reaching a consensus on the roles and requisite skills, the commission report says, educators would have a much better understanding of the labor market their graduates will enter, purchasers of cybersecurity services could more clearly specify the qualifications they seek from service providers, and the sometimes confusing regime of professional certification programs could reflect the needs of potential employees.