The Department of Homeland Security (DHS) stated recently that the agency will hire up to 1000 cybersecurity professionals over the next three years. This is good and bad.
Let’s start with the good. Anytime an organization realizes it has a significant deficiency in a skill set and then commits to remedying it, I give it credit. The fact that DHS recognizes it is lacking professionals skilled in information security undoubtedly comes from the poor grades it received on its Federal Information Systems Management Act (FISMA) reports in earlier years. While last year the official score was a "B", the agency stated it felt it was closer to a "C" grade.
While FISMA isn’t really a good assessment of security in an organization, it is helping to identify some gaps. Those gaps don’t always get fixed, because fixing them may or may not improve the overall grade. Let’s face it; we do the things that allow us to check the box and get the passing grade.
So while the idea of hiring more security professionals sounds good, I have to wonder what roles those positions will play in effecting significant change in the organization. Will these roles be just added worker bees that identify gap after gap, only to have it de-prioritized by management? Or will these people actually be given responsibility AND authority to bring about change? Will they sit in key management positions or in individual contributor roles? If they are given real responsibility and authority, I think this could be a great boost for the organization. If all they do is increase the bureaucracy by generating more reports and intelligence that are never acted on, then they have failed.
I wish them all the best, but history is not on their side.