How technology, talent and teamwork drive cybersecurity that works

A gathering of top security minds points to collaboration as a key to driving change in federal cybersecurity.

Photo: (ISC)² | Dr. Jen Golbeck, associate professor at the Human-Computer Interaction lab at the University of Maryland, addresses the audience at the 4th Annual CyberSecureGov in Washington D.C. on May 19, 2016.

WASHINGTON — How do we empower America’s cybersecurity professionals to truly change the game in digital security?

That’s the question some of our finest practitioners and thinkers came together to discuss at CyberSecureGov in Washington, D.C. recently. 

The drumbeat of negative cybersecurity news is incessant and there are plenty of reasons to be concerned about the state of the federal government’s cybersecurity, particularly. Nearly 60 percent of senior federal cybersecurity executives surveyed in an (ISC)² report released at the conference say their agency struggles to understand their vulnerabilities. Four in ten senior leaders say they couldn’t determine where their key digital assets were located. 

Yet in watching the myriad conversations during the conference, I took away some key points for driving progress.

Primarily, I heard loud and clear that people can be an organization’s greatest cybersecurity asset, not just a great liability. The message that effective cybersecurity programs leverage excellent technologies but fundamentally start and end with the human factor is the underpinning of the data found throughout the following topical areas.

We need to deploy technically excellent products while focusing on making security as friendly to the operations of our organizations as possible. We need to bring more talent into our industry to further develop and strengthen our creative and technical capacity. And finally, we need to build teams that can deliver the security we need to keep our country and our economy moving forward. 

Predictive analytics plus human-centric security

Federal cybersecurity executives have a clear idea about what technology will help them the most: 42 percent called out predictive analytics as the most significant game-changing security technology. No other solution or technology garnered more than 14 percent. 

Getting those technologies into government has never been easy. Programs like FedRAMP, however, make the acquisition process more customer-centric, which lets groups of technology change-agents shorten the path from cutting-edge private-sector tool to front-line technology defending the government.

With an eye toward future technology and a better way to get it into government, though, there was deep and consistent conversation about the need for a more human approach to cybersecurity. 

“There’s still a perception out there that all of these issues can be addressed through a technology solution,” said Janice Haith, deputy chief information officer, Department of the Navy. “All of us in this room recognize that people are going to be the heart of the issue.”

And recognizing that means coming at a fundamental aspect of the security mindset: that security should be difficult.

“A lot of what underlies security is this feeling that it should be hard,” said Dr. Jen Golbeck, associate professor at the Human-Computer Interaction lab at the University of Maryland. “If it’s hard, it must be much more secure. This is exactly the wrong attitude. If you make it easy for people to do security, security gets better and people get happier.” 

“People are not the most insecure part of security systems -- people are the center of security systems,” Dr. Golbeck said. “If we design around them, we can make security much easier for people to use and more secure.”

The talent crunch — breaking the ‘doom loop’

So what about the people executing a more human-centered cybersecurity strategy? At CyberSecureGov, we grappled with how to find more of them — and how to keep them working in roles key to protecting the nation’s digital security.

Cybersecurity’s talent gap is not news. Whether measured by millions of global jobs left unfilled by 2020 or the fact that cybersecurity job postings are booming at 12 times the rate of the economy as a whole, our industry needs new talent.

The federal government faces particularly tough challenges in this regard.

Only six percent of the federal cyber workforce is under the age of 30, said David Shearer, CEO of (ISC)², a situation that amounts to a talent “trainwreck” if the government can’t attract the next wave of professionals into the industry.

And even if the government finds more young cyber talent, keeping them on board can be a massive challenge. 

“We just can’t recruit and retain ‘em fast enough,” said the Navy’s Haith. “Three years [after they are hired], one of our commercial partners is going to recruit them, and they are going to pay them three times what we pay ‘em, and they’re like, ‘bye.’ It’s a constant doom loop for us.”

How do we break the doom loop?

First is recognizing that it’s not all doom. While a quarter of top federal cybersecurity professionals are unhappy in their positions, the same proportion are highly satisfied and motivated to stay, and a majority of over 60 percent are highly or somewhat satisfied and motivated to stay.

The unique mission and opportunity of a career in federal cybersecurity is a powerful, powerful draw.

Second is improving the training and recruiting processes in place today. Fifty percent of those in the (ISC)² survey said training and recruiting is a top three priority for applying new federal spending on cybersecurity.

Third, our industry needs to dive into mentoring young students by creating a path for growth, particularly for women and minorities, into the cybersecurity field. Most cyber practitioners know of our CISSP (Certified Information Systems Security Professional) certification, but few know about the Associate of (ISC)², which was created to equip entry-level practitioners with practical knowledge and a path for growth.

Students need to know what “roles in this field look like, and being able to translate this in layman’s terms to the average person,” said Veda Woods, executive director of the International Consortium of Minority Cybersecurity Professionals. “It’s amazing to me that people see cybersecurity in an esoteric way. They don’t see themselves playing a part.”

“As cyber practitioners,” added Devon Bryan, the chief information security officer (CISO) of the Federal Reserve system and the co-founder of the ICMCP, “we typically don’t do career days. We don’t have enough practitioners going out to the high schools, middle schools, to talk about what they do and make it sound sexy as heck. Our children can’t be what they can’t see.”

How do we fix this problem?

“Imagine how much we’d move the needle if all 70,000 CISSPs in the United States were to reach out and mentor one, just one, just one, student to get them into the field,” said Mr. Bryan. “We can’t wait for somebody else to solve this problem for us.”

Teamwork

Talent and technology, however, need to be put into practice. Without teamwork, the best of both worlds can’t be brought to bear in a way that makes us safer. 

Ninety percent of respondents to our survey agreed that agencies cannot defend themselves in isolation and that technology leaders across different agencies need to work together to defeat digital intruders.

What’s the secret to good cybersecurity teamwork?

It could be as simple as getting to really know the people who are going to be making the hard decisions when the chips are down, argues David Grady, security evangelist at Verizon Enterprise Solutions. 

The typical procedure for figuring out what to do in a cybersecurity crisis — identify stakeholders from across the company, document the roles and responsibilities of each party, and practice the resulting plan — is good.

But Mr. Grady thinks the best security teams should add a step between identifying stakeholders and figuring out what everyone will do.

That step is lunch.

“Get together with your stakeholders over lunch to demystify things,” said Grady. “Do you want to meet them over lunch for a hamburger? Or do you want to meet them at 3 a.m. when they are a faceless name on the phone?”

Reinforcing good teamwork is the need for strong organizational accountability, many speakers noted.

A lack of accountability for cybersecurity decision making and results is a consistent theme through the (ISC)² survey results. Twenty-one percent of respondents were unable to identify a senior leader at their agency whose sole responsibility is cybersecurity. Just under half of the survey’s respondents pointed to an absence of accountability as a top-three factor hindering their agency’s cybersecurity efforts, second only to a lack of funding, which 65 percent of respondents cited.

Accountability among decision makers is crucial, said the Navy’s Haith, noting that cybersecurity dimensions are being added to senior executive performance appraisals across the Department of Defense.

But it’s also important, said (ISC)²’s Shearer, that senior executives be held accountable for properly organizing and providing funding to sufficiently combat cyberthreats.

Dan Waddell is the managing director for the North America region of (ISC)². You can follow him on Twitter @DanWaddellCISSP.

Article URL: https://www.csmonitor.com/World/Passcode/Security-culture/2016/0610/How-technology-talent-and-teamwork-drive-cybersecurity-that-works