Governments are no stranger to budgetary challenges, and that extends to employee salaries, including IT security employees. With 11,000 IT and cybersecurity jobs currently unfilled in the state of Florida and state government agencies facing a very competitive talent market, the University of West Florida Center for Cybersecurity and the Florida Agency for State Technology (AST) have tackled the issue aggressively on their own and teamed up to build a pipeline of talented, trained cyber professionals who can support the state’s cyber resiliency and data security.
The AST oversees IT and cybersecurity for Florida state agencies, including the Department of Transportation, Department of State and Department of Transportation. The program unifies the jargon that each state department uses for IT security through the NIST Cybersecurity Framework, making it easier for agencies to share intelligence and information, says Eric Larson, Executive Director of the Florida AST and Florida State Chief Information Officer.
In addition to streamlining communication, the program’s first stage is to improve cybersecurity awareness across all state agencies.
“The obvious benefit for state personnel is to be more cyber aware so we can react when a cyber incident occurs,” Larson says. “Being able to act immediately and effectively can directly affect the outcomes of a cyberattack.”
According to Dr. Eman El-Sheikh, Director of the University of West Florida (UWF) Center for Cybersecurity, the program covers core concepts, such as vulnerability analysis, risk management and reporting. Moving forward, more specialized training will be offered, including courses tailored for specific work roles relevant to improving Florida’s security and resilience, such as cybersecurity incident management, network defense, operating system hardening, secure software development, cloud security and more.
“It’s important that we start with the first phase of our partnership with AST to really develop a culture of cybersecurity across the state,” El-Sheikh says. “The first phase really focused on how we can get everybody to know the core cybersecurity fundamentals and how we make sure that people who might think cybersecurity isn’t important to them know that there are core vulnerabilities or risks that may impact them.”
The partnership also includes training with the Florida Cyber Range, a sophisticated simulation system created though a UWF Center for Cybersecurity and Metova CyberCENTS partnership, so state cybersecurity professionals can get hands-on training within the program instead of waiting for a real-life incident. The system can emulate a state agency’s internal system or even the whole Internet, injecting simulated vulnerabilities or attacks to give employees more experience without threatening live systems.
“In cybersecurity, the hands-on skills tend to be the number one factor to deterring threats, mitigating threats as well as for developing workforce and getting people into jobs,” El-Sheikh says.
UWF has myriad resources to contribute to the partnership and the new curriculum, especially since the Center for Cybersecurity is designated as a National Center of Academic Excellence by the NSA and DHS, and it serves as the NSA/DHS Cybersecurity Regional Resource Center for the Southeast U.S. Within that role, UWF aims to advance cybersecurity education, research and workforce development in the region.
The workforce development factor for this program is essential, says Larson. “The problem in state government is, given the salaries that are available, it’s very challenging to hire qualified security staff within our budget,” he says. “Even as people get trained and become qualified, it’s expensive and challenging to retain them as they achieve higher skills. The goal is to create an environment where we can have a pipeline building qualified staff, not only within AST but within other agencies, so when the good people go on to greener pastures, we have an environment that constantly trains new people to address the threats.”
The variety of coursework available also helps security professionals continue their training at their current skill level, Larson adds. “By building a partnership with the University of West Florida, we allow the state to embed the entire cybersecurity curriculum into the state’s IT security departments. UWF has a lot of course material online, so no matter where someone is in their competency for security, we can meet them with an appropriate level of training, so we’re not always covering the basics and ignoring the third of your employees who are beyond that.”
Feedback has generally been positive so far. Training started in late March 2018, and according to Larson, there is a waiting list for state employees to get into upcoming training sessions.
The training can also be spaced out throughout the year, so it can fit into security professionals’ schedules as their working arrangements permit.
While developing the program, Larson and El-Sheikh discovered that there weren’t many other examples of similar partnerships to build off of, so their departments are working to build out a pilot program that other states and higher education systems can deploy.
In addition to improving the state’s resiliency against cyberattacks, the program will help keep Floridians’ information in those key state agencies secure, El-Sheikh says. The program “builds cybersecurity culture from within, making sure that current personnel have the proper knowledge, skills and training to ensure their jobs are done correctly – being able to detect breaches, being able to respond to breaches, to report and identify and manage those breaches as efficiently as possible,” she adds. “It provides that culture of continuous learning and collaborating, and it brings agencies together to collaborate, share expertise and resources, and advance cybersecurity resiliency for the state.”