
Modern field guide to security and privacy

How technology, talent and teamwork drive cybersecurity that works

A gathering of top security minds points to collaboration as a key to driving change in federal cybersecurity.

(ISC)²
Dr. Jen Golbeck, associate professor at the Human-Computer Interaction lab at the University of Maryland, addresses the audience at the 4th Annual CyberSecureGov in Washington D.C. on May 19, 2016.

WASHINGTON -- How do we empower America's cybersecurity professionals to truly change the game in digital security?

That's the question some of our finest practitioners and thinkers came together to discuss at in Washington, D.C. recently.

The drumbeat of negative cybersecurity news is incessant and there are plenty of reasons to be concerned about the state of the federal government's cybersecurity, particularly. Nearly 60 percent of released at the conference say their agency struggles to understand their vulnerabilities. Four in ten senior leaders say they couldn't determine where their key digital assets were located.

Yet in watching the myriad conversations during the conference, I took away some key points for driving progress.

Primarily, I heard loud and clear that people can be an organization's greatest cybersecurity asset, not just a great liability. The message that effective cybersecurity programs leverage excellent technologies but fundamentally start and end with the human factor is the underpinning of the data found throughout the following topical areas.

We need to deploy technically excellent products while focusing on making security as friendly to the operations of our organizations as possible. We need to bring more talent into our industry to further develop and strengthen our creative and technical capacity. And finally, we need to build teams that can deliver the security we need to keep our country and our economy moving forward.

Predictive analytics plus human-centric security

Federal cybersecurity executives have a clear idea about what technology will help them the most: 42 percent called out predictive analytics as the most significant game-changing security technology. No other solution or technology garnered more than 14 percent.

Getting those technologies into government has never been easy. Programs like , however, enable groups of technology change-agents to help transform the way technology moves from cutting-edge private sector tool to front-line technology defending the government by making the acquisition process more customer-centric.

With an eye toward future technology and a better way to get it into government, though, there was deep and consistent conversation about the need for a more human approach to cybersecurity.

"There's still a perception out there that all of these issues can be addressed through a technology solution," said Janice Haith, deputy chief information officer, Department of the Navy. "All of us in this room recognize that people are going to be the heart of the issue."

And recognizing that means coming at a fundamental aspect of the security mindset: that security should be difficult.

"A lot of what underlies security is this feeling that it should be hard," said Dr. Jen Golbeck, associate professor at the Human-Computer Interaction lab at the University of Maryland. "If it's hard, it must be much more secure. This is exactly the wrong attitude. If you make it easy for people to do security, security gets better and people get happier."

"People are not the most insecure part of security systems -- people are the center of security systems," Dr. Golbeck said. "If we design around them, we can make security much easier for people to use and more secure."

The talent crunch -- breaking the 'doom loop'

So what about those people executing a more human-centered cybersecurity strategy? At CyberSecureGov, we grappled with how to find more of them -- and how to keep them working in roles key to protecting the nation's digital security.

Cybersecurity's talent gap is not news. Whether measured by millions of global jobs left unfilled by 2020 or the fact that cybersecurity job postings are booming at 12 times the rate of the economy as a whole, our industry needs new talent.

The federal government faces particularly tough challenges in this regard.

Only six percent of the federal cyber workforce is under the age of 30, said David Shearer, CEO of (ISC)², which amounts to a talent "trainwreck" if the government can't attract the next wave of professionals into the industry.

And even if the government finds more young cyber talent, keeping them on board can be a massive challenge.

"We just can't recruit and retain 'em fast enough," said the Navy's Haith. "Three years [after they are hired], one of our commercial partners is going to recruit them, and they are going to pay them three times what we pay 'em, and they're like, 'bye.' It's a constant doom loop for us."

How do we break the doom loop?

First is recognizing that it's not all doom. While a quarter of top federal cybersecurity professionals are unhappy in their positions, the same proportion are highly satisfied and motivated to stay, and a majority of over 60 percent are highly or somewhat satisfied and motivated to stay.

The unique mission and opportunity of a career in federal cybersecurity is a powerful, powerful draw.

Second is improving the training and recruiting processes in place today. Fifty percent of those in the (ISC)² survey said training and recruiting is a top three priority for applying new federal spending on cybersecurity.

Third, our industry needs to dive into mentoring young students by creating a path for growth, particularly for women and minorities, to get into the cybersecurity field. Most cyber practitioners know of our CISSP (Certified Information Systems Security Professional) certification but few know about the , which was created to equip entry-level practitioners with practical knowledge and a path for growth.

Students need to know what "roles in this field look like, and being able to translate this in layman's terms to the average person," said Veda Woods, executive director of the International Consortium of Minority Cybersecurity Professionals. "It's amazing to me that people see cybersecurity in an esoteric way. They don't see themselves playing a part."

"As cyber practitioners," added Devon Bryan, the chief information security officer (CISO) of the Federal Reserve system and the co-founder of the ICMCP, "we typically don't do career days. We don't have enough practitioners going out to the high schools, middle schools, to talk about what they do and make it sound sexy as heck. Our children can't be what they can't see."

How do we fix this problem?

"Imagine how much we'd move the needle if all 70,000 CISSPs in the United States were to reach out and mentor one, just one, just one, student to get them into the field," said Mr. Bryan. "We can't wait for somebody else to solve this problem for us."

Teamwork

Talent and technology, however, need to be put into practice. Without teamwork, the best of both worlds can't be brought to bear in a way that makes us safer.

90% of respondents to our survey agreed that agencies cannot defend themselves in isolation and technology leaders across different agencies need to work together to defeat digital intruders.

What's the secret to good cybersecurity teamwork?

It could be as simple as getting to really know the people who are going to be making the hard decisions when the chips are down, argues David Grady, security evangelist at Verizon Enterprise Solutions.

The typical procedure for figuring out what to do in a cybersecurity crisis -- identify stakeholders from across the company, document the roles and responsibilities of each party, and practice the resulting plan -- is good.

But Mr. Grady thinks the best security teams should add a step between identifying stakeholders and figuring out what everyone will do.

That step is lunch.

"Get together with your stakeholders over lunch to demystify things," said Grady. "Do you want to meet them over lunch for a hamburger? Or do you want to meet them at 3 a.m. when they are a faceless name on the phone?"

Reinforcing good teamwork is the need for strong organizational accountability, many speakers noted.

A lack of accountability for cybersecurity decision making and results is a consistent theme through the (ISC)² survey results. Twenty-one percent of respondents were unable to identify a senior leader at their agency whose sole responsibility is cybersecurity. Just under half of the survey's respondents pointed to an absence of accountability as a top three factor hindering their agency's cybersecurity efforts, behind only a lack of funding (at 65 percent of respondents) as a top factor.

Accountability among decision makers is crucial, said the Navy's Haith, noting cybersecurity dimensions being added to senior executive performance appraisals across the Department of Defense.

But it's also important, said (ISC)²'s Shearer, that senior executives be held accountable for properly organizing and providing funding to sufficiently combat cyberthreats.

Dan Waddell is the managing director for the North America region of (ISC)². You can follow him on Twitter .
