Over the past few years, industry surveys have highlighted the demand for technically skilled cybersecurity professionals, exposing a fundamental workforce shortcoming. The way industry identifies, trains and validates cybersecurity skills is outdated and misaligned. If the current training paradigm continues, the workforce will not grow in a manner responsive to the threat environment, and we will fall behind our adversaries’ capabilities. Our adversaries are well organized, trained and motivated, have unlimited resources and play by no rule or law. It will take more than knowledge-based certifications achieved through bootcamp-style training to defeat these threats.
The standard certification development process starts with a Job Task Analysis (JTA), followed by defining the Knowledge, Skills and Abilities (KSA) required for each task within a given role. The current cyber professional development models are driven by certification exams that confirm knowledge competency, offer only limited measurement of skill, and provide little or no way to measure ability. Some of these certifications are recognized for managerial, technical and policy roles alike, which adds to the confusion for technical managers working with human resources professionals trying to recruit the person with the right skills.
Typically, a student attends an academic degree program that uses industry certifications as a benchmark. Unfortunately, such programs often lack up-to-date, operationally focused training and outcome-based evaluations. In part, this is because the content and learning environments are developed within an academic context that doesn’t account for fielded enterprise tools or the experience of organizations that train the Department of Defense (DoD) cyber workforce. Students also rely on one-week, industry-driven “bootcamps” focused on passing a knowledge-based certification exam. It’s worth noting that for many certifications, the only requirement for demonstrating three (or more) years of skills sustainment is attending industry conferences and talks, regardless of the topic.
The current model validates a professional’s understanding of terminology and common knowledge competencies within certain domain areas. However, the training itself is more limited, since it focuses on test-taking skills and short-term information retention. This limitation is compounded by the speed at which technology and threats evolve, eclipsing the effectiveness of such training and the resulting certifications.
The way forward: Train for the fight, not for a test
Role Based Training
The training process should require students to demonstrate the ability to identify, respond to and recover from cyber-attacks in ways relevant to their job roles. The first time a cybersecurity professional responds to an incident should be in training, not on the job. Performance-based training, crafted by professionals with intimate knowledge of adversary tactics, provides the experience operators need before they enter the workforce. Think about it. Soldiers do not fire their weapons for the first time in combat. They spend countless hours training in live environments, emulating hostile situations before they deploy. Cybersecurity training should be no different.
Much of the information about attacks rapidly becomes classified or is declared sensitive by the government. There is a critical difference in the way the public and private sectors collaborate, share information and report cyber-attacks. This makes any sort of data sharing between government agencies and private industry difficult.
Despite these limitations, the ways our nation’s cyber professionals should train to combat these attacks, validate critical skills and maintain them should not differ between the public and private sectors. If an adversary’s tools, tactics and techniques do not discriminate between public and private sector targets, then the defensive and response training provided to public and private sector entities must overlap as well.
Public or private sector, the fight is the same, against the same enemy. The gap resides in the standards, competency levels and expectations that are applied to cyber defenders in the public and private sectors. Understanding of the value provided by operationally oriented practical training is increasing; however, there is still a disparity in the effectiveness of the training offered.
For example, while the number of cyber ranges, cyber exercises and cyber competitions is increasing, not all are created equal. In the majority of competitions, game-playing skills are developed and refined, but these do not transfer to the competencies required to respond to a real nation-state adversary and its threat methodologies.
Adversaries are not constrained by established rules while prosecuting their targets. To be effective, standards within these competitions and exercises must align with the competency level that industry demands within the job role. Effective defense means training against opposition that simulates actual adversary operations.
Building cyber tradecraft for the individual is the foundation of a proficient workforce. The key is continual competency evaluation coupled with a responsive learning development process throughout the professional’s career. The following is a high-level blueprint for such continual evaluation and training:
Initial evaluation. At the beginning of a role-focused training program, evaluate the individual’s level of knowledge to identify strengths and weaknesses. This allows for customized and focused content to maximize the individual’s progress. This is in marked contrast to the one-size-fits-all training-to-certification model.
Continual evaluation throughout the training process. This identifies potential proficiency gaps, enabling real-time remediation within the training cycle. Waiting until the end of a training event to conduct an evaluation is inefficient and frustrating, and it results in corrective resources being spent on identifying the problem rather than crafting the solution.
Performance-based role validation. This is a full-scope exercise to validate the professional’s skills and competencies within a job role or domain focus. It is conducted using live scenarios that the professional would encounter in the job role. The scenarios encompass the relevant competencies and proficiency levels needed to execute in a specific role. Importantly, they are not approached in a generalized manner; they emphasize the who, the how and the why.
Sustainment training after validation. Continual refreshers and maintenance ensure that the professional remains proficient and up to date on the current cyber threat environment. Refreshers can be tailored for given situations and range from multi-hour campaigns to 20-minute exercises. They can focus on individual skills or extend to the full KSA compilation within the job role. The three-year recertification paradigm simply does not ensure the required level of competency maintenance. Professionals should be in continual sustainment. Just because you trained for and ran a marathon in the previous year does not mean running once or twice after that race will keep you at the level needed to run a marathon a year later. The adversary never stops. Neither should the cyber professional.
The market is saturated with tools. Today’s tools, the hardware and software that promise full-scope protection, are not the problem. People are the problem. Our inherent reliance on tools and automation to combat a highly trained and specialized human who thinks and operates outside the box has not, to date, achieved the levels of security required. Our people are the answer: highly trained, appropriately evaluated and measured, with access to continuous and relevant skills sustainment environments. Train for the fight.