CISA Shores Up Workforce to Protect Organizations From Cyberattacks
WASHINGTON — The U.S. Cybersecurity and Infrastructure Security Agency has issued a series of warnings to health care systems and other organizations that Russia’s invasion of Ukraine could increase the risk of malicious cyberattacks. The agency now seeks to increase the cybersecurity workforce to meet the rising demand.
“Building the cyber workforce is a major priority for CISA. The United States has an estimated 500,000 vacant cybersecurity jobs, more than 35,000 within the government,” said Michael McCarthy, spokesperson for CISA, in an email to The Well News.
The U.S. cybersecurity workforce needs to increase by 65% to fill all the unknown demand in cybersecurity, according to a 2021 report from the International Information System Security Certification Consortium, known as (ISC)², a nonprofit organization that specializes in training and certifications for cybersecurity professionals and has over 140,000 members.
Data from another (ISC)² report shows that only 24% of the cybersecurity workforce is currently women.
“Without women pursuing careers in cybersecurity, the industry is missing out on more than half of the population’s talent pool. The gender gap that exists in the cybersecurity workforce contributes to the overall cyber workforce shortage that persists in the United States and globally, which ultimately makes us less prepared to deal with the threats of today and tomorrow,” said McCarthy.
McCarthy said CISA awarded $2 million to develop cyber workforce training programs to better recruit workforce talent, and has established partnerships with organizations like Girls Who Code, Girl Scouts, and CYBER.ORG.
CISA also partnered with Mass Insight Education & Research on May 31 to introduce nearly 300 Massachusetts Advanced Placement® STEM and English students from 15 Bay State high schools to cybersecurity scenarios and concepts, as well as post-secondary education and career paths, during a four-hour virtual field trip.
“We are therefore focused on inspiring the next generation of … talent, long before they enter the workforce,” said McCarthy.
Ransomware attacks on hospitals specifically have in some cases necessitated diverting patients to other hospitals and led to an inability to access patient records to continue care delivery, according to a notice released by CISA to help health care systems and public health sectors prevent cyberattacks.
According to the notice, cyberattacks can also expose sensitive patient information and lead to substantial financial costs to regain control of hospital systems and patient data.
“The big risk is we have a whole lot of small and medium size businesses that aren’t shoring up their cyberdefense,” said Clar Rosso, CEO of (ISC)², during a phone call with The Well News.
The 2021 survey from (ISC)² was taken by nearly 5,000 cybersecurity professionals, and shows that while the cybersecurity workforce increased globally during the COVID-19 pandemic by 700,000 individuals, the demand for professionals shrank overall.
“You would have expected the demand to have gone way up,” said Rosso. “And it did in all parts of the world except Asia-Pacific.”
The greatest decrease in workforce demand was seen in Asia, as Rosso said companies in this region have recovered more slowly from the pandemic and in such situations, organizations tend to view cybersecurity as an expense instead of a strategic imperative.
The COVID-19 pandemic also moved many in-person jobs to remote work, which Rosso said opened up a whole host of vulnerabilities for organizations that do not have protected networks.
“When you’re working in an office, [an employer] would likely have secure Wi-Fi but you’re in a closed network. When everyone in your organization is working from home and everyone is logging in from different locations … it creates vulnerability,” said Rosso.
Rosso said that in the 2021 survey cybersecurity professionals were asked what happens when you don’t have enough cybersecurity staff.
“What they said is, we misconfigure systems, we don’t spend enough time on proper risk assessment and management, we rush deployment of new technology oversight in process and procedures, and we don’t do enough threat-hunting to look for vulnerabilities,” said Rosso.
In 2019, (ISC)² surveyed 192 respondents specifically from the health care sector, and found that 41% of respondents felt they needed additional certifications and training for future roles.
Nearly 28% of the respondents felt they needed to develop skills like cloud computing security or intrusion detection skills in the next two years to advance in their careers.
The data from (ISC)² also shows that 58% of the cybersecurity workers in health care were men, and most held job titles as an IT manager or IT director, and had held those positions for about 11 years.
“There are a lot of connected devices in a hospital, like digital record keeping. There is a dependency on connected devices to provide top notch medical care, and if you don’t have someone looking at those systems … [such as] a software update that needs to be done, your risk [of cyberattacks] increases,” said Rosso.
The president’s FY 2023 budget request includes $2.5 billion in funding for CISA, nearly the same amount as the FY 2022 levels for the agency.
The budget request includes funds for CISA to increase engagement with cybersecurity stakeholders, ramp up cyberdefense and education and training, and provide grants to support additional K-12 cybersecurity education programs.
“The Appropriations Committees will now begin discussions on their FY 2023 funding bills, and budget hearings for the agencies will commence in the coming weeks,” said Rosso.
Alexa can be reached at [email protected]