GAO has a report that is downright frustrating to anyone in the cyber workforce of the Federal government.
We have OPM, those brilliant people who lost all the security clearance data to the Chinese and have yet to correct the problems that led to that, leading the charge to find out what to do about coding the cyber security workforce so Personnel Departments can find the people who have certain skills.
We have NIST, which is basically clueless about classification of these kinds of positions, still calling for "certifications" of every cyber person, putting them in vague categories of skills that look like a laundry list of what they wish somebody could do, but nobody can do. They have fragmented the career field into subelements and knowledge/skills/abilities that tell the average person almost nothing about what kind of things they would have to be able to do to do this kind of work.
When we were trying to start a career field for cyber, none of this was ever contemplated. It shows you what can be accomplished by people who don't do the work that is being described and want to help others figure out what the career field should look like. I thought we did that pretty well in 1986. At that time the need was driven by the financial community, which was trying to identify the skills needed to secure financial systems. They looked to the Feds to help them, going to NSA to lead the effort. NSA would not do it. They shuttled this off to NIST. NIST is the place we used to send things that we did not want done. The spin-off of this effort was a certification requirement, which became an outlet for the CISSP to begin. Has this helped?