Increasing the cybersecurity workforce won't solve everything

Many organizations focus on technology to solve their security woes, while desperately trying to hire more security practitioners. But there are other ways to address social cybersecurity challenges.

On Dec. 1, 2016, the Commission on Enhancing National Cybersecurity delivered its report to the President of the United States, providing six Imperatives and a number of associated recommendations and action items to improve the overall security posture of the nation’s public and private infrastructures. These recommendations cover the gamut of both technical and non-technical guidance, with a very heavy emphasis in Imperative 4 for training, hiring and increasing the overall cybersecurity workforce in order to match the growing need for such expertise.

Specifically, Action Items 4.1.1 and 4.1.2 recommend the training of 100,000 new cybersecurity practitioners for the workforce by 2020 and an additional 50,000 practitioners trained through an apprenticeship program in the same timeframe. This represents a huge increase to the current total number of trained cybersecurity workers, and should make a large dent in the constant need for more security experts everywhere. 

However, almost every CISO or CSO today has an immediate need for this kind of expertise, and as the number of cyberattacks continues to grow, most can’t afford to wait until 2020 to tap into this influx of eligible, available prospective employees. Thankfully, the Commission has offered a couple of other recommendations that, in my view, acknowledge the need for other, more socially focused security measures, which should help to improve the overall effectiveness of individual security programs and augment the proposed increase in the workforce. Two in particular are:

  • Action Item 2.2.2, which states, “The U.S. government should support cybersecurity-focused research into traditionally underfunded areas, including human factors and usability, policy, law, metrics, and the social impacts of privacy and security technologies…”
  • Action Item 3.2.1, which states, “The next Administration and Congress should prioritize research on human behavior and cybersecurity, on the basis of the 2016 Federal Cybersecurity Research and Development Strategic Plan.”

These two seemingly small statements represent a huge shift in thinking, not only in how the government approaches cybersecurity strategy, but in the industry as a whole. Specifically, by putting a focus on the more human- and policy-centric needs for bolstering cybersecurity, the report starts to move away from the idea of simply purchasing the next latest-and-greatest piece of software, all-in-one appliance or other security technology that promises the solution to every organization’s security woes.

But implementing more and more technology is simply not sufficient to fully protect a network infrastructure and the critical data stored there. It’s a no-win game of cat-and-mouse with attackers, who will simply adjust their tactics to circumvent the new protections put in place and continue to launch their assaults against their targets.

After all, no matter how many layers of defense are put in place, it only takes one authorized user within your organization clicking a malicious link in a phishing email for their credentials to be captured and fed to an attacker. With those credentials, the attacker can bypass every security control that the legitimate user is allowed to traverse.

Since humans do make mistakes like this, social engineering will continue to be an effective form of attack, no matter what technology controls are put into place. It is long past time for organizations to put more focus on the human side of their security program, specifically in the areas mentioned by the Commission in Action Items 2.2.2 and 3.2.1. Any security program can benefit immediately by beginning a review of its own internal policies, improving the types of metrics used to measure the success of the program, and consulting with legal counsel to ensure proper insurance coverage and other risk mitigation plans are in place. These activities cost very little, have immediate turnaround timeframes, and can deliver quite a lot of return to the organization.

Perhaps most important, though, is understanding the behavior of employees and implementing programs to help them work and operate in a more secure manner. Security awareness and education programs may not be the flashiest pieces of a security program, but they are critical to its success. Beyond that, security teams should engage employees more directly, understand why social engineering attacks work on them, and help address their questions and concerns.

Security teams who sit down with staff at all levels, whether through roundtable sessions, town hall forums, lunch-and-learn sessions or other similar gatherings, gain a much stronger understanding of the needs and challenges of the employees in the organization, who are truly the front line of defense for the entire infrastructure. With this understanding comes the means to develop more relevant policies and procedures, to offer better, more focused solutions for the security problems staff are facing, and even to guide technology purchase decisions so that they fill the real gaps.

There’s plenty of work yet to do, and we will need a larger workforce. But while waiting for that to come about, there is much every organization can do today to refocus its efforts around the more human elements of information security and bring about a much stronger security posture for everyone.

This article is published as part of the IDG Contributor Network.

Copyright © 2016 IDG Communications, Inc.