How agencies can build mission-capable talent with security skills

As security skills gaps grow, agencies are struggling to hit mission-critical objectives. Aaron Rosenmund, Senior Director of Content Strategy and Curriculum at Pluralsight and National Red Team Lead for CyberShield, explains what the Department of Defense (DoD) and federal agencies need to create a security talent pipeline and succeed in today's cybersecurity environment.

• The biggest government security threat to federal agencies
• How to build a cybersecurity talent pipeline
  • Require relevant hands-on experience for cybersecurity skills
  • Bring in civilian experience to respond to security threats faster
  • Conduct a cybersecurity skills inventory
• Build security skills in your agency

There’s no shortage of new cyber attacks or emerging technologies, but the biggest security threat for the DoD and federal agencies may not be what you expect.

“Avoiding talking about actual threats like other nations, of course, I think the biggest issue is the skills pipeline,” says Aaron. “And not just the skills pipeline, but getting the talented people that we do actually have access to in the DoD and federal government to have access to impactful parts of the mission as quickly as possible.”

Depending on your mission, it can take up to three years to train someone to be effective in a government security job. That means people aren’t even mission capable for the first three years.

During that time, they need to complete on-the-job training, too. The process takes too long, especially when agencies need to become more nimble.

To become mission critical faster, federal agencies need to address the cybersecurity talent shortage and improve security readiness. Aaron explains how agencies can get there.

First and foremost, agencies need security training that’s applicable to their mission and addresses current security threats and vulnerabilities. 

Security professionals also need hands-on learning tailored to their role. “There's been some really good progress, especially with some of the new work roles and work role IDs [in] the DCWF,” explains Aaron. “Part of that is you have to get hands-on, and you have to have someone check off that you've done that hands-on capability before you're qualified in your work role.

“Now, that makes sense, but right now it isn't really fully aligned to the job that you necessarily came in to do with the Army, Air Force, Marines, or Coast Guard. They're two separate things. So I'm a qualified capability developer but my job is cyber warfare officer, and they're two separate trainings. 

“So one of the big things we need to do is enable the DoD to have that hands-on space to be able to very quickly prove and check off sections of knowledge that they already have, and get practice with sections that they don't, so you can really quickly get mission capable or qualified in your work role to be able to then go beyond mission.”

While the DoD and federal agencies face unique challenges (and require unique security training because of it), they share certain security tools and threats with the civilian sector. Sharing this knowledge between sectors is key to boosting cybersecurity readiness.

Aaron leans on his experience in the National Guard. “Essentially half of our job is to go do as much support for the DoD as we possibly can,” he says. “Now there's a lot of concern because of the training pipeline and how that impacts the private part of your life, like what you're doing on the civilian side.

“And so the better we can partner to bring in civilian experience, especially if it's through some program like the National Guard, [we] let them be effective in as quick an amount of time as possible. And then [we] get them back to their civilian jobs and allow that to be a rotational process where we can share knowledge back and forth.

“It's beneficial on both sides. I think that is our best way to keep the people and talent that we need to be able to kind of dominate in the information space.”

Agencies that want to meet mission-critical needs faster must understand their team’s current skill levels. To do that, Aaron recommends conducting a skills inventory or asking team members to complete skills assessments. By benchmarking the team's current skills and experience, agencies can distribute work to the right people quickly.

“We need to be able to be more nimble,” says Aaron. “If there's something coming up that we can execute on in two weeks, let's go get the people that we know. Let's have a skills inventory within the DoD of the people who are capable and qualified. Let's get them together very quickly. 

“And then let's get spaces where they can do those missions that are regionally available to them so they can go execute in two weeks [then] go back home . . . It needs to be just quite a bit more nimble, and our policy has to be able to be aligned to authorize that capability as well.”

Aaron explains how Pluralsight creates security skill development specifically for the DoD and federal agencies: “What we can do, and already do, is structure [our content] around the DCWF, or the DoD Cyber Workforce Framework, but then also really heavily focus on exactly what those missions are. 

“So for instance . . . with the Hunt Forward mission, we can directly align our training in a way that looks consumable and makes sense for the components of a Hunt Forward mission. 

“We [also] provide a full set of training that fully emulates our most current advanced persistent threats,” he explains.

Ready to get started? Explore Aaron’s Pluralsight Skills courses and learn more about how Pluralsight partners with federal agencies to close the security skills gap.