DHS is behind in assessing its current cybersecurity workforce and its future needs, an IG report has said, leaving it “not well positioned to carry out its critical cybersecurity functions in the face of ever-expanding cybersecurity threats.”
“As threats to DHS become more and more sophisticated, DHS must have a cybersecurity workforce that is well trained, resilient, and dedicated to the mission,” a report said. DHS has some 14,000 employees in cybersecurity functions in at least 18 components—with the heaviest concentration in three, the Cybersecurity and Infrastructure Security Agency, ICE and the Secret Service—and 96 programs. However, the average age is 46, with 61 percent older than 40 and only 2 percent who are 30 or younger, and the vacancy rate increased from 9 to 12 percent over 2017-2018, it said.
DHS has missed the last four annual deadlines for reporting on its cyber workforce assessments and “did not include all required information in the assessments once they were submitted”—missing, for example, full information on the readiness, capacity, and training needs of its cybersecurity workforce.
“Lacking an assessment, DHS cannot provide assurance that it has the appropriate skills, competencies, and expertise positioned across its components to address the multifaceted nature of DHS’ cybersecurity work. In addition, the department may not have an understanding of its future hiring or training needs to maintain a qualified and capable workforce to secure the nation’s cyberspace,” it said.
The department also did not submit an annual cybersecurity workforce strategy to Congress, as required between 2015 and 2018 and the one it did submit during that period similarly did not include all required information, it said. Reasons included overlapping requirements imposed by several different laws and the department’s lack of readily available information to comply with them.
The report said that management agreed with its recommendations to devote the staff needed to conduct assessments and issue strategies, to set a coordinated department-wide effort, and to oversee compliance with the requirements.