We've seen it, we've talked about it, NOW let's fix it. Numerous times, I have heard key leaders, from a former President and members of Congress to the Commanding General of USCYBERCOM, state that cybersecurity is a team sport; it has even been referred to as the ultimate team sport. I wholeheartedly agree: defending our networks and protecting the critical information they contain is impossible without teamwork. Cyber resiliency has three critical components: leadership (planning, policy, resources), IT/cybersecurity staff (identifying, protecting, detecting, responding, and recovering), and the aware employee (understanding good network behaviors and hygiene). The glue that holds the cyber resiliency triad together is the IT/cybersecurity staff.
Teamwork Needed to Address the Skills Chasm
As I was writing this blog, I received an email from NC4 (www.NC4.com) that caught my attention. NC4 describes cybersecurity best practice as a team sport: the more eyes and ears you have working for a common purpose, the better your chances of protecting your systems. So, if the act of creating cyber resiliency is a team sport, then perhaps the act of developing its workforce should be a team sport too.
Our current education and training methods are primarily knowledge-based delivery models; little to no skill-based training and assessment occurs in the education, training, and certification phases because these phases rarely leverage each other. Skill and ability development has been left to the employer, causing a significant expenditure of time and resources. According to a 2016 Intel Security and Center for Strategic and International Studies survey, only 1 in 4 organizations feel that recent graduates from existing academic and certification programs are "fully prepared" to execute given tasks. This is because current models do not address the three components required to perform a given task: knowledge, skills, and abilities.
By creating a team (employers, educators, trainers, and certifiers) from the start, it is possible to develop all three task components within the workforce. All four must participate on the team. Employers must define their IT/cybersecurity roles. I suggest using the tools available, primarily the resources made available by the National Initiative for Cybersecurity Education (NICE). Products available include the National Cybersecurity Workforce Framework, the Workforce Development Tools/Best Practices Toolkit, and the Library of Resources (visit: https://niccs.us-cert.gov/). Employers then must engage with academia and trainers, and DEMAND that they provide a workforce that meets their needs. Academia, trainers, and certifiers must shift to meet the demands of employers. Skills are the biggest shortfall we face; as mentioned in Monday's post, 7 out of 10 organizations report that a cybersecurity skills gap exists. A partnership must be created between academia and the private sector to address the gap. By combining solutions between the right partners, we can shift from knowledge-only instruction and certification to a model that integrates hands-on, experiential education and training from the start. Certifiers must certify not only knowledge, but individual and team skills as well. For the technical cyber workforce, this is critical.
We only have to look at other professions to see the pathway. Taking a page from aviation and medical schools, cybersecurity professionals must spend enough time in a lab/range environment to learn the tools of the craft and hone the tactics, techniques, and procedures required to defend information systems in the face of an agile adversary. Finally, developed skills must be measured through performance-based certifications and skills-based assessment tools to ensure that those applying for, or already in, technical roles have the requisite skills to perform the tasks associated with their roles.
In my next blog in two weeks, I will suggest a pathway to build skills.