U.S. cyber plan seen as good first step, workforce issues remain

A government cybersecurity framework seeks to protect critical infrastructure, but industry groups continued to stress the need for training to keep up with threats.

A new cybersecurity framework unveiled by the Obama administration seeks to manage growing cyber risks, but industry groups warned that the number of qualified security specialists continues to lag behind threats to critical infrastructure.

The cybersecurity framework was released Feb. 12 by the Commerce Department’s National Institute of Standards and Technology (NIST) in response to a February 2013 executive order focusing on improving the cybersecurity of critical U.S. infrastructure.

“The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes,” the NIST report states. It also seeks to enable “organizations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.”

Industry groups praised the effort but noted that security professionals still aren’t equipped to cope with rapidly evolving cyber threats. “The lack of qualified information security professionals with the skills and knowledge to create, understand and implement such programs remains an area of improvement that must be further addressed,” W. Hord Tipton, executive director of the information security group (ISC)2, said in a statement.

“The success of the Cybersecurity Framework will depend on how quickly and effectively the area of workforce shortage is addressed,” Tipton added.