Building our cyber workforce (part 2 of 2)

Opinion
Nov 20, 2014 | 6 mins
Careers, IT Jobs

In part 2 of this look at growing our cyber workforce, we'll address the IT Security staff, executive leadership, suppliers, customers and also consider how we might engage the wider community.

In part 1, we talked about some practical things we can do to grow our cyber workforce by expanding the competencies of the general employee community, high risk staff, supervisors, and system administrators. In part 2, let’s look at our IT Security staff, executive leadership, suppliers, customers and how we might engage the wider community.

IT Security

Clearly, your IT Security staff require the highest level of competency in your enterprise. You will want to set aside at least two weeks of training for your staff to grow and maintain their cybersecurity skills. A couple of the formal training resources are SANS and the InfoSec Institute. In addition, there are great seminars and training events associated with conferences like RSA and Black Hat.

However, there are other important ways to grow your staff.

  • Establish a rotation program within your teams for both the supervisors and the employees. It is very easy in this business to become pigeonholed into being “a network guy” or “a malware guy”. It is important to have exposure across the many aspects of IT Security, from policy to identity management to threat intelligence to incident response. Each skill builds on and enhances the others.
  • Consider holding friendly competitions amongst your staff, or encourage them to become engaged in external competitions.
  • Have your key vendors provide training on their tools; many will be willing to do this for free.
  • Connect with your local colleges and universities; cybersecurity programs are becoming more and more common. You may be able to establish discounts for your employees. In addition, your staff may wish to become instructors themselves, and this is a great way to connect with the wider community and to enhance your own skills.
  • Encourage your staff to join InfraGard, a partnership between the FBI and the private sector.

Executive Leadership

Your company's executive leadership is in the best position to influence the culture of your company. Without their clear support and understanding, it will be very difficult to grow the cybersecurity competency of the company. They should be provided with at least quarterly briefings on cybersecurity activity within the company, in your specific industry or sector, and in the broad public. When there are high profile events in the press, be sure to summarize the event and its impact and communicate with your leadership in a timely manner. They should also be included in the High Risk Persons group and provided with those briefings. On an annual basis, your executive leadership should be briefed on the major cybersecurity risk areas that threaten the company operations and strategy. This should drive a dialog around targeted investments and policy adjustments to pull those risks back into tolerance.

Most importantly, recruit the leadership to become advocates for good cybersecurity practices and encourage them to speak to their organizations on the topic.

Suppliers

In any modern enterprise, your supply chain is a critical element in the information flow that drives your operations. At a minimum, your suppliers should be aware of their obligations with regard to your information and the services they operate for you. They should be providing you with an annual attestation of their compliance with your applicable policies and guidelines (they will obviously need this in a checklist format), and should be providing you with timely reports on events and the disposition of those events. The language driving this should be part of the contract enlisting their services. If a supplier tells you that you are the only one asking for this, or that they cannot provide you with this information, then do not do business with them. The Internet Security Alliance published a couple of excellent documents on “Contracting for Information Security in Commercial Transactions” in 2005 and 2007. They are still excellent and relevant today.

Invite your key suppliers to some of your cybersecurity awareness events. Share some of your relevant training material with them and solicit feedback. Ask them what they are doing to drive cybersecurity awareness and how they are elevating the competency of their employees. Invite them to speak to your employees on their best practices and experiences.

Customers

Depending on your business, you may want to connect with your customers on matters of cybersecurity. This is particularly true if they are providing you with sensitive information or if they are logging into on-line resources you are providing them. At a minimum, be prepared ahead of time to communicate with them on any cyber events that your organization may suffer that affect your customers’ information. Don’t wait until the event occurs to start putting a communication package together. In addition to crisis communications, however, consider offering guidance on how they might protect any user accounts and the information moving between your companies.

[Note: At some time, your customers or your suppliers may suffer a cyber compromise that affects your operations; for example, you may start receiving spam from them, or you may receive trojanized documents from their email accounts. Be prepared to help them understand what you are seeing. A company is often judged more by how it responds to sensitive problems like these than by how it performs when things are running smoothly.]

Community Engagement, including Universities and High Schools

Building a cyber workforce necessarily means engaging with your community. But, this should not be limited to job fairs. We must foster cybersecurity as a profession if we are to fill all the positions that we will need. Become engaged with your local colleges, universities and schools. Let them know what kinds of jobs you are seeking to fill, and what this type of profession entails. Get involved with the National Cyber Security Alliance. They have resources to help you with your own business, and you can encourage your staff to support them through teaching in their communities. Look into the National Initiative for Cybersecurity Education, check out their conferences and workshops, and make sure that your local communities are engaged.

Take Away

Building a cyber workforce and filling the talent pipeline involves more than just our IT department. We need to connect with our entire enterprise and wider community to develop interest and competency in cybersecurity as a profession. By involving the many other disciplines in our companies and communities, we will foster new talent and find innovative ways to combat cyber threats and make our businesses more resilient.

Michael K. Daly is CTO, Cybersecurity and Special Missions of Raytheon Intelligence, Information and Services. Raytheon Intelligence, Information and Services provides cyber security products and services and offers a full range of training, space, logistics, and engineering solutions for government and civilian customers.

Daly is a Principal Engineering Fellow and provides leadership in Raytheon’s cyber technologies, develops cyber solutions for domestic and international government and commercial customers, delivers quick-reaction mission solutions, and provides support to high consequence special missions. He supports the National Security Telecommunications Advisory Committee to the President of the United States. For 13 years prior to his current role, Daly served as the corporate director of Information Technology Enterprise Security Services. With more than 27 years in security and information systems, Daly has worked with both the private sector and the federal government with responsibilities including software engineering for law enforcement, and manager of enterprise applications and distributed computing.

Daly has also served as vice president of advanced networking for a consulting company and launched a not-for-profit organization that was commended by the Massachusetts House of Representatives.

Daly has served on the Governance Board of the Transglobal Secure Collaboration Program, and the Board of Advisors for Exostar. He was the 2006 recipient of the People’s Choice Award for the ISE New England Information Security Executive of the Year and the 2007 recipient of the Security 7 Award for the Manufacturing sector.

Daly holds a world record for highest altitude luge run and is credited with a first ascent of a mountain in the Wrangell-St. Elias Range.

He earned his bachelor’s degree in mechanical engineering from Boston University, is a certified information systems security professional and a Raytheon Six Sigma Specialist.

The opinions expressed in this blog are those of Michael K. Daly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies. Neither are his opinions necessarily those of Raytheon Company.