When the United States Government published the Comprehensive National Cybersecurity Initiative in 2008, cyber education was identified as a critical area of improvement. By 2010, the National Initiative for Cybersecurity Education (NICE) was created. The NICE Team identified four distinct components of the cybersecurity education mission: Awareness, Formal Education (K-20), WorkforceStructure (HR Framework), and Professional Development (Training). Eight years later, the cybersecurity workforce shortage continues to exacerbate, both domestically and internationally. Given that significant resources have been allocated without positive results, it makes sense to determine if the understanding of the root cause of the problem is flawed. Is it a labor shortage that is being faced or has industry failed to effectively communicate its needs?
The NICE Framework focuses on two areas: Awareness and Workforce Readiness. Attempts at workforce modeling are frustrated by the lack of a unified definition for “cybersecurity.” There are different, often conflicting notions depending on whether the perspective is managerial, policy-making or technical. Training requirements for managers and policymakers are more mature, but at the same time slower to adapt to change. The educational needs of the technical workforce are more fluid due to changes and advances in technology (and thus, in the nature of the threat) and the need to both understand and balance the skills and capabilities provided in-house and those that are outsourced.
Awareness emphasizes the idea that every person, regardless of whether they are a student, parent or employee, should have some level of cyber awareness training.
Awareness emphasizes the idea that every person, regardless of whether they are a student, parent or employee, should have some level of cyber awareness training. In the workforce, every employee or contractor should be trained to, and assessed to have attained a level of basic operational competency before they are permitted to access the organization’s networks. To be effective, cybersecurity awareness must become as common as the knowledge that one always wears a seatbelt when driving and the potential consequences of not taking that precaution. Cybersecurity awareness reduces the likelihood of realized cybersecurity risks, and thus enables responders to be more efficient and effective.
Ensuring workforce readiness requires a careful balance of individual training and organizational resourcing. Large enterprises may have dedicated security operations teams with well-defined job roles such as blue team defenders, red teams, and hunt teams. Mid-size organizations may not have similar resources and are dependent on two or three “technical professionals” who are dual-hatted. Often, small organizations have no staff actively monitoring for threats. Job requirements and mandatory skill sets are often conflicting. For example, some call for a journeymen level professional with defensive skills who has also been a red team member and has expert level ability when it comes to threat hunting, an undergraduate degree in cybersecurity, one year of experience, and certifications which do not match the skills for the specific role they are recruiting for all at the salary of an entry-level system administrator.
Many organizations outsource their security functions, choosing to contract with security consulting firms or system integrators. While this model is proliferating, there are still internal needs. In order to make the best use of the consultants’ skills and abilities, the company must know when it needs help.
An emerging staffing trend is the presence of two or three “Information Technologists” who know enough about security to identify an issue or a potential threat. As a result, they become the organization’s security experts. There is a training solution that builds upon this trend that can be rapidly implemented. Such a solution emphasizes general awareness, but is much more technical in its content and is intended to be offered to the entire IT staff or, in large enterprises, to a core security team of between 15 and 20. There are many IT professionals with the core skills to be crossed trained as “cyber first responders.”
A cross-trained IT workforce is a force multiplier, creating options for a long-term security strategy and enabling the creation of an organic SOC team.
Such training adds another layer of risk mitigation, decreases the time between threat identification and response, as well as the time needed to marshal security experts. It also reduces the time to bring a new employee to a state of productivity. A cross-trained IT workforce is a force multiplier, creating options for a long-term security strategy and enabling the creation of an organic SOC team. The organization can focus on cross-trained employees and develop their skills in outsourced areas to reduce dependency on outsourcing in the short-term with little or no risk.
Given the expanding success of the Security-as-a-Service model, service consultancies must continue to ensure not only that their staff has the necessary technical skills, but that they are continuing to enhance those skills consistent with advances in technology. Simultaneously, ensuring that the general workforce is aware of cybersecurity risks and ensuring that IT professionals are cross-trained, will limit the likelihood of an attack’s success. The NICE Framework is not a silver bullet; it is a framework from which to build. However, it must be tailored to the organization’s specific needs, the size of its workforce and the technical and financial resources available.