When one cannot define something it poses a problem of sorts. Without definition, which would suggest clarity, boundary and form, something which is indefinite is, by its nature, vague, ambiguous and hazy.
While this may sound obvious, it is said in response to some reading we came across recently. A report from the Government Accountability Office (GOA) revealed that various federal organisations in the US were, to all intents, in the dark as to how many people they had under their wing with regards to cyber security. A lack of definition at this level as to what constitutes a cyber security workforce is most worrying indeed.
“With respect to other workforce planning practices, all agencies had defined roles and responsibilities for their cyber security workforce, but these roles did not always align with guidelines issued by the federal Chief Information Officers Council and National Institute of Standards and Technology,” the report stated.
“Agencies reported challenges in filling highly technical positions, challenges due to the length and complexity of the federal hiring process, and discrepancies in compensation across agencies.”
Let us reiterate the problem here – technically these federal agencies, including the US department of defence – are unable to put an exact number of the number of people it employs in matters pertaining to cyber security.
What it highlights is the need for lucidity in defining how security of this kind fits into any organisation working in information security & risk management. Is it a departmental thing? Is it integrated into other positions?
These things need to be known not just for the sake of making things clear, but to ensure that important facets of an organisation are visible. In matters of national security for example, knowing ‘what is what’ so to speak is essential in maintaining an effective level of professionalism.
Furthermore, not knowing or having a dedicated cyber security team and/or framework can be – and is – a massive hindrance to one) progressing as an outfit in terms of skill development and acquisition of knowledge and two) a colossal barrier developing a focused workforce. How can, for example, professionals and experts in various fields like forensics or ethical hacking apply for positions in relevant organisations?
This in itself is a misleading predicament because while there actually are jobs out there, they are, ironically, hidden in a swathe of unintentional encryption. Though this report focused on the US, the problems it identifies is nonetheless universal. When such failures lead to a shortage of staff whose skills are needed, a lack of definition as we stated from the outset, does pose a problem of sorts. A big problem we’re sure you would agree.