Today’s government managers face tough challenges in maintaining a skilled and ready cybersecurity workforce. Recruiting, training, developing and retaining enough people with the right skills is a constant struggle with ever-evolving requirements and a competitive labor market.
The federal government has implemented human resource flexibilities to help agencies recruit and retain cybersecurity workers as well as mandates to ensure agencies are documenting, monitoring and reporting on their workforce requirements. But how do federal managers make sense of the requirements and put those flexibilities to best use?
The Office of Personnel Management (OPM) recently issued guidance for the Federal Cybersecurity Workforce Assessment Act of 2015 mandate that government agencies identify, address and report on their cybersecurity “work roles of critical need,” as defined by the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. This guidance requires agencies to use an established workforce planning process to report on the progress they have made in identifying and mitigating the root causes of critical needs beginning in April 2019 (and annually through 2022). Although these requirement changes clearly state what needs to be done, many agencies don’t know how to go about it.
Follow a structured, data-driven approach
Today’s government agencies need an agile, repeatable and data-driven assessment approach to continually evaluate cybersecurity workforce requirements and gaps while meeting the federal government’s evolving cybersecurity mandates. At LMI, we developed and honed a proven, phased approach and workforce tool, OrgIQ: Cyber, to assess government agencies'—and our own—cybersecurity environment, construct cyber workforce analysis frameworks, and develop action plans for federal customers. Our approach follows the five major steps shown in the figure below.
Figure 1: OrgIQ: Cyber enables organizations to meet current reporting mandates. Its flexibility and repeatability equip organizations with the information to build and maintain the cybersecurity workforce needed to carry out their mission.
We developed OrgIQ during our work with a U.S. Army office to conduct a career program–focused workforce competency assessment. The workforce analysis tool evolved into OrgIQ: Cyber when the office needed a competency-based assessment to select existing professional IT personnel to support an emerging mission. As a web-based tool, OrgIQ: Cyber can efficiently collect data across the enterprise, aggregate results, generate progress dashboards and visual status indicators to drive completion, and automatically feed dashboard outputs that inform data-driven workforce planning. Our tool gives managers the business intelligence to locate cybersecurity talent and risks across the organization for quick identification of gaps in staffing, competency and work roles of critical need. Our team at LMI helps agencies pinpoint the relevant insights from this data-driven approach to detect critical needs and their root causes.
Enable accurate data collection for enterprise results
The most effective way to ensure accurate data collection is also the most obvious—collecting it directly from the people closest to the work. Make sure your approach enables easy data collection—at as low a level as feasible—but with the ability to roll the data up for enterprise-wide results. The OPM guidance requires critical needs to be described by NICE work role, so your cybersecurity workforce should be described and categorized in those terms.
Figure 2: OrgIQ: Cyber efficiently collects, integrates and visualizes data from across the enterprise to quickly generate meaningful results.
Develop (and evolve) action plans based on the data
The OPM guidance requires agencies to develop solutions to address their critical work role gaps and mitigate risks. We recommend grounding action plans in best practices and expertise while addressing root causes with timeframes, targets and metrics to help agencies track and show progress. Our analysis and subsequent action planning with the Army enabled drilling down to each competency support area of the emerging mission to identify options for locating existing staff with the right qualifications, training current staff, hiring new staff or outsourcing work. The interactive OrgIQ: Cyber dashboards facilitate running and evaluating various scenarios without having to repeat any data collection. These interactive dashboards become the foundation for valuable strategic and tactical discussions, providing views of the cybersecurity workforce data by organization, resource, functional area, work role, competency, etc.
Figure 3: OrgIQ: Cyber provides the necessary data to facilitate and inform discussions that enable managers and leaders to answer these questions.
Enable an easily repeatable approach
With the rapidly changing cybersecurity landscape, no one has time to repeat or redo a lengthy, labor-intensive workforce assessment process. Make sure that your approach allows for quick and easy updating as needs and priorities change. Our LMI cybersecurity workforce assessment approach is easily repeatable, and OrgIQ: Cyber enables seamless, regular web-based updates to the data from across the enterprise to support refresh analyses periodically or as priorities shift.
Meet the deadline—get started with LMI
As OPM's April 2019 deadline approaches, government cybersecurity managers must have an approach for quickly and accurately assessing current and emerging workforce requirements per NICE requirements, identifying gaps and making strategic choices to mitigate workforce risks. With our accomplished data-driven workforce assessment and analysis approach, LMI is here to help.