CYBER SECURITY EMPLOYMENT POLICY AND WORKPLACE DEMAND IN THE U.S. GOVERNMENT
In today’s increasingly digitized workplace, computer literacy is a requirement. Individual and organizational computer and digital security literacy has become as important as computer application software literacy. Current research indicates that an organization’s staff tend to expect consequences of poor Information Technology (IT) habits in the workplace to be mitigated by the IT department, rather than staff taking proactive responsibility for poor IT habits. This lack of workplace IT literacy has contributed to “record years” of security challenges and security breaches, with each new year superseding the last. Organizations, no less than individuals, need familiarity and compliance with digital security best practices.
While workplace unemployment for potential employees with information technology skills is under 2% in the U.S., workplace unemployment for potential employees with cybersecurity skills is 0%. In addition to the competition for qualified employees, government organizations have various hiring filters that may screen-out otherwise qualified persons, further complicating their hiring efforts. With the increasing demand for workplace cybersecurity skills, cyber “units” focus on prevention, maintenance, and deterrence of cyber security breaches of infrastructure, of proprietary information, and of political discord, and are becoming an increasingly integral component in business and nation-state governments. Rather than developing separate, distinct and potentially confusing additional certifications, the U.S. Department of Defense (DoD) established staff position requirements based on existing vendor and vendor-neutral information assurance (IA) and cybersecurity professional certifications. DoD Policy Directive 8570 (2004) and Policy Directive 8140 (2015) address mandatory requirements for relevant DoD staff, contracted civilian employees and liaison personnel. Given the size of DoD, this has created a de facto “ripple effect” throughout the US cybersecurity employment market. Organizations (contractor, state and local) that do not have a similar policy find themselves in compliance with it - just in case they find they need to interface with DoD at some point. Other human resources departments could easily use a similar technique. Gauge new applicants’ qualifications using a checklist of required vendor and vendor-neutral security certifications as a minimum baseline for relevant positions.
The purpose of this paper is to suggest that understanding an information assurance policy, such as the U.S. DoD's, with established structure and requirements for all information assurance personnel, may be of value for individuals seeking to obtain desired positions, establishing exactly what credentials the organization is seeking, and for organizations and governments seeking to find qualified job candidates for those positions.