In a recent report entitled “Keeping Talent” it was found that the federal cyber security workforce in the U.S. will erode due to fragmented governance and uncoordinated leadership, a complicated federal hiring process, a disconnect between hiring managers and the government’s human resource specialists, and more importantly, a lack of qualified and skilled talent to fill these jobs.
This report was sponsored and written by the cooperation of the Partnership for Public Service (PPS) and Booz Allen Hamilton groups, and, while it certainly talked of an apparent pending HR risk, of lacking future qualified and skilled workers needed to fill the federal cyber security workforce requirements, it also focused on a seemingly common element of many of the underlying causes of cyber incidents at all levels of government.
That element is the government worker and more importantly, it notes that how that worker behaves and conducts his job duties directly relates directly to much of the cyber security risk management challenges facing the federal government today.
Last year, for example, about 21 percent of all federal breaches were traced to government workers who violated policies; 16 percent who lost devices or had them stolen; 12 percent who improperly handled sensitive information printed from computers; at least 8 percent who ran or installed malicious software; and 6 percent who were enticed to share private information, according to an annual White House review.
On top of that implication is also the fact the risk of government workers being the cause of far too many cyber security breaches and incidents only gets more complicated when considering the large percentages of outside contracts given to contractors by the federal government.
Cybersecurity can be and often is a particularly thorny issue for contractors because they face greater legal and commercial risk than other companies.
Contractors often must navigate a thick forest of inconsistent rules and standards issued by different agencies that define key cybersecurity concepts in contradictory ways.
They also face compliance obligations even though the Federal Government does not always clarify what specific cybersecurity safeguards are actually required to meet them.
If all of this sounds like it might relate to where you work, then it might be good for you to add at least the following articles to your company’s risk management and cyber security issues reading library:
If applicable, please pass this information along to your firm’s ISO 27001 team members as well as to other risk management and disaster preparedness groups in your organization.