Building our cyber workforce (part 1 of 2)

Practical advice to growing our cyber competencies

What can enterprises and governments do to ensure they have the cybersecurity talent they need?

First, we need to recognize that information technology is part of every element of the modern enterprise. Thus, if we are to achieve the cybersecurity posture required to meet the risk, we need to involve more than just the IT department. We must involve all of our employees, partners, and even customers.

On first blush, this would seem to exacerbate the problem of filling the talent pipeline. However, it is through outreach to all of these constituencies that we can grow interest and competency in cybersecurity as a profession. Furthermore, we can reduce our dependence on the few highly talented cyber experts by fostering a greater level of capability across the broader workforce. And, when we combine cybersecurity with the other domains in our organizations, such as legal, supply chain, engineering, human resources, etc., we will find new and clever ways to identify threats, defend ourselves and advance the resiliency of our operations.

building cyber workforce chalkboard Michael K. Daly

Engagement

By implementing a learning framework in cyber, we can apply the right level of resources to each element of our enterprise. The sketch above depicts this framework as a pyramid, with the broadest group of people provided general awareness, and the narrowest group achieving professional levels in IT Security.

Along the right-hand side of the pyramid, there are a few examples of engagement methods. It is important to remember that we all learn differently, we all tend to forget, and we all need to be in the right context to truly learn and adapt our thinking. This is why we need to create many different ways to engage our stakeholders.

Employees

Employees require different levels of capability and different skills depending upon their role. The general employee needs to understand basic computer "hygiene", how to label and handle information, and what to do if they have a question or if they recognize a problem. These competencies should be part of mandatory annual awareness training, typically delivered in a fun, web-based method, but could also be done in a group setting, depending upon your workforce arrangements. In addition, each year, you will want to identify key risk areas and deficiencies in employee behavior that are either causing you to assume unnecessary risk or to expend resources. Make these part of an annual awareness campaign that is branded and recognizable to your employees (e.g, use a logo and a catchy name). You will want to measure the change in behavior over time so you will know if the message is being received and acted upon positively. An annual awareness campaign should include multiple communication channels:

  • special events with give-aways (calendars with messaging, mouse pads and shirts with the security branding);
  • lunch-time events with guest speakers;
  • company web site articles;
  • posters in the halls and cafeteria;
  • FAQ and decision assistants on your web site; for example, how to encrypt documents; document labeling templates; what to do when you suspect a virus
  • top 5 dos and don'ts on a badge hanger; and,
  • positive messaging in the form of rewards for people who you catch doing the right things.

High Risk Persons

Some of your employees are more likely to be targeted than others. Typically, these are your business development staff, senior leaders, human resources staff, and your top experts who are publicly known and attending or speaking at conferences. These people should be given more targeted training – they need to understand the risks in a more personal way. A high risk person briefing should contain the following:

  • an overview of cyber attacks and advanced persistent threats, and how they can and have affected your business;
  • a summary of their public persona (search engine hits, publically disclosed contact information, mentions of attendance at conferences, social media profiles);
  • a list of any emails that you may have blocked (or have been delivered) targeting either the specific person or others in the company;
  • a list of any hits on the company web site from questionable ip-addresses retrieving information about them (their bio or articles they wrote) or about their programs/products/services.

Supervisors

Supervisors of other employees obviously need the basic employee training, but they also need some additional knowledge. They should have an understanding of insider threats – what to look for, who to call if they suspect an issue, and what actions to take (and not to take). Supervisors should also be cybersecurity coaches for their employees. They should know where to find training resources, and should know how to apply them. They also need to know what to do when they get a phone call from your Security Operations Center (or from Security Services, or Human Resources or Ethics or Legal).

System Administrators and Application Developers

For the folks who operate your IT services, you will want them to have a much higher level of competency in cybersecurity. This especially includes anyone who will have administrative privileges on IT systems (applications, servers, networking, storage, cloud services, databases, backup systems, etc.) You will expect them to have competency in their specific field, but you also need to ensure they understand your organization's specific policies and procedures. How do you classify and label your data? What are the handling requirements (protection, destruction)? What are the rules around remote access for administrative functions? Who do they call and what do they do when they suspect there is a problem? What is the patching cycle for high and low risk updates? What is the process for engaging vendors and subscribing to third-party services? What are the naming standards and user account requirements? Who is authorized to issue a disconnect order or to defer a patch or to mandate a patch? (et cetera, et cetera)

Depending on the size of your IT organization, a test and certification process should be established – [Your Company] Certified Information Systems Administrator and [Your Company] Certified Application Developer. The test should prove out that they know how to apply your policies and practices to their domain of expertise and know where to go to get help. In addition, they should understand that threats to your enterprise are real, and be provided with some examples of actual threats that have come to you, such as APT-sourced email, web site attacks, DDoS attacks, and the like.

You won't want to jump right in and start a certification process on day one, but will want to implement the program in stages. First, develop the training material and give it a trial run. Then, make improvements and engage the administrators and developers in developing the next set of materials and drafting the certifications. You may want to evolve to have multiple levels of certification with Green Belts and Black Belts, or some equivalent, by which the senior members can be mentors to the junior members.

[This is part 1 of 2 … In part 2, we'll look at some recommendations for our IT Security staff, executive leadership, suppliers, customers and then engage our wider community.]

This article is published as part of the IDG Contributor Network. Want to Join?

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.