Apr 19 2023

Managed Services Buy Agencies Time to Acquire Zero-Trust Skills

The government hasn’t begun forming the identity teams that will ensure agencies achieve a zero-trust posture, whether through job schools, certifications or recruitment.

With no formalized training paths available, an intelligence community customer approached CDW’s Workforce Development team 14 years ago needing a reverse-engineering capability.

Our team beta-tested the training paths we created with the Air Force in San Antonio before they were eventually adopted by the customer, with whom we’re now in the third contract cycle.

The classes supporting midlevel cyber development roles now total 22.

More than a decade and one federal zero-trust strategy later, the challenge the cyber talent gap presents hasn’t fundamentally changed.

Agencies still need long-term knowledge management programs that refresh the federal cyber workforce’s skills at pace with regular software and tool updates. At the same time, industry managed services can bridge their security while they acquire the skills to manage, say, a new identity and access management platform once it’s in place.

ZT Sidebar


Zero-Trust Training Is a ‘Venn Diagram’ of Skill Sets

The creation of a zero-trust certification is unlikely because zero trust is just the concept of extending identity and access control down to the human and application levels and networks without trust boundaries. The model enables our current lifestyle of accessing anything from anywhere.

Training the workforce to implement zero-trust security architectures is really a Venn diagram of skill sets, including identity and access management, authentication and control, network access control, and vendor security. Therefore, agencies and military branches are more likely to have job specialties for each area.

Government has relied on commercial partnerships because it could take two to five years to define a new cyber role, build the job task analysis and create a school — by which point the underlying technology has changed. That’s true even if it only takes three years to build a new identity and access management specialty.

LEARN MORE: How the DOD plans to target the talent gap.

Agencies and military branches may not be tracking the speed at which zero-trust technologies are being replaced, so training the workforce on one vendor’s offerings might be a disservice. Cyber personnel need initial training in core skills, followed by the various constituent tools available for identity and access management, such as SailPoint and CyberArk, because each has a niche role to play in the space.

The government hasn’t yet begun defining the identity and access engineer role or forming identity teams, which is how it will achieve a zero-trust posture. Industry managed services will buy agencies and military branches time to invest in upskilling the current workforce or recruiting to fill such roles.

Click the banner below to learn how federal agencies are implementing zero trust architecture.

Challenges to Validating Zero-Trust Skills Remain

Cyber recruiters currently have three paths to obtain the talent they need:

  • Continually creating job schools that align with commercial skill sets, as the military does
  • Relying on certification bodies such as CompTIA and (ISC)2
  • Onboarding people who already have computer degrees

In all of these cases, personnel often remain unable to perform job-specific tasks on arrival, requiring a year or two of additional training before they can be productive.

EXPLORE: How federal agencies are ramping up their cyber hiring efforts.

The Department of Defense’s new Cyber Workforce Strategy emphasizes acquiring the desired skill sets at the high school or even middle school level, but that’s tough to implement nationally. Not all high schools have good relationships with local community colleges or technical schools, and rural areas may lack strong cyber programs or talent to teach students.

Another challenge is that most cyber certifications are applied knowledge rather than a skills validation. Applied knowledge involves simulations that test a person’s ability to:

  • Configure IP addresses
  • Correct masks on interfaces
  • Enter command line commands
  • Correct configurations based on their understanding of subnetting, Domain Name System resolutions or routing

Skills are more task-oriented to job roles, and only together will government and industry find ways to validate them beyond certifications.

This article is part of FedTech’s CapITal blog series.

CapITal blog logo

Image by Staff Designer

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.