Our electric grid is undergoing a major transformation, with $4.5 billion in Recovery Act funds being used to help catalyze the adoption of smart technologies and systems designed to increase the electric grid’s flexibility, reliability, efficiency, affordability, and resiliency. Grid resilience encompasses an all-hazard approach that involves protecting the energy infrastructure from threats, regardless of whether they are caused by natural disasters, deliberate attack, or human error.
The Energy Department has a long history of working closely with Federal partners, including the Department of Homeland Security, and private partners on cybersecurity of critical energy infrastructure. Earlier this week, the Department released new versions of the Cybersecurity Capability Maturity Model, which helps organizations assess their own cybersecurity capabilities and identify steps to help strengthen their defenses.
Having a strong, well-trained cybersecurity workforce is critical. I recently talked with Tim Conway, Technical Director at the SANS Institute, which provides information security training and security certification, about how organizations can address the challenges of strengthening their own cybersecurity workforces.
Q: What has led to the large demand for cybersecurity professionals?
A: The pipeline of people moving into the workforce who have the necessary knowledge, skills, and capabilities to perform the critical cybersecurity jobs, compared with the pipeline of people exiting those positions, is out of balance. As the number of individuals exiting the workforce is increasing, the need for cybersecurity professionals across multiple sectors is growing. There is also a growing need for cybersecurity awareness in positions that traditionally focused on engineering or field technical service, but now use a number of digital assets in ways that need to be protected.
Q: What skills and educational backgrounds are valuable in the cybersecurity industry?
A: I had the opportunity to participate in a multi-phase initiative that was led by the Council on Cybersecurity (formerly the National Board of Information Security Examiners) and funded by the Energy Department. This initiative provided analysis to examine critical job roles and how they align with existing industry cybersecurity frameworks, certifications, and university degree programs. This effort identified a number of gaps in available resources and provided a list of short-term and long-term recommendations for the energy sector to pursue.
After the analysis was performed, a number of universities began developing and expanding their curricula for control systems. Also, cybersecurity training organizations, like the SANS Institute, have created industrial control system-focused training curriculums and certifications.
Q: How can organizations identify qualified candidates?
A: Organizations today focus on education background, work experience, and interview performance, which are all essential components in candidate selection. However, the gap that remains is the candidate capability or “fit” issue. Entities will continue to face challenges in assessing a candidate’s capability until a method of performing true job performance assessments exists.
Q: The cybersecurity field encompasses many interdependencies. How can this be addressed as organizations are looking for qualified candidates?
A: For organizations and hiring managers facing this question today, there is a benefit in building a hybrid team with diverse educational backgrounds, skills, and work experiences such as engineering, operations, information technology, and operations technology. Ensuring that everyone on the team has a foundation level of knowledge in operations, cybersecurity, and the technical roles performed by the team such as vendor-specific certifications is also valuable.
When looking for candidates, the key is for organizations to manage and leverage a portfolio of diverse backgrounds and skills in a way that complements the greater team they are trying to build.
To learn more about national efforts to modernize and protect the electric grid, visit the Office of Electricity Delivery and Energy Reliability’s website.