Yesterday, DorobekINSIDER Live welcomed an impressive panel to discuss cybersecurity (Listen to the archive here):
Ron Ross, Fellow at the National Institute of Standards and Technology’s Information Technology Laboratory’s Computer Security Division
W. Hord Tipton, Executive Director of (ISC)², the cyber-security education and training organization. Hord has served in a number of key posts, including as the chief information officer for the Interior Department.
Quentin Hodgson, Chief of Staff, Cyber Policy at US Department of Defense Director, Cyber Planning, Operations and Programs, CIV OSD OUSD Policy
Patrick Fiorenza, Senior Research Analyst, GovLoop. Pat also wrote the new GovLoop Guide on Cybersecurity: Winning the Cybersecurity Battle.
Quentin Hodgson was asked about the key messages he emphasized when discussing cybersecurity with colleagues within DOD. He began his answer by describing how the DOD needed to address both internal and external needs: to strengthen its own capabilities and to support broader US efforts against cyber threats. The main priority of DOD’s plan, however, had to be securing DOD’s networks. After all, if they could not protect their own information, how could they be of service to other departments?
Then, Hodgson shifted to an even more foundational issue: training and education. From the start, breeding talent to address the cybersecurity threat had been a major theme in the panelists' discussion. Pat Fiorenza had mentioned the topic in his opening remarks, and Tipton mentioned that we did not have the capacity to fill the 300,000 jobs required to tackle cyber threats successfully. Speaking on the topic, Hodgson added that we need to ensure we have a military, civilian, and contracting talent pool. This has been a challenge. To address the issue, he said we needed to train, retain, and develop ways to keep current professionals in sync with technology and changing landscapes. Ross added that we needed to identify what skills were essential and ensure they're incorporated in computer science programs at universities.
Coming from a cybersecurity training and education organization, Tipton also had many insights to add to the conversation. He explained how (ISC)² saw the issue of talent in the short and long term. Short term, there will be a certification mindset, which means people will move from one form of engineering into computer engineering. Long term, he said, (ISC)² would be looking to identify talent at young ages and encourage them to train for the field. His organization, for example, is working with educators from grade schools up to universities with the goal of developing learning opportunities. "Many schools aren’t aware that these are lucrative and challenging careers," he said. In addition, Tipton pointed out that only 11% of people working in cybersecurity are female, which means the deficit of cybersecurity workers can be turned around by addressing the lack of gender diversity in the field. One solution would be for "companies to do what many aspects of governments do, which is go into schools, particularly tech schools, and provide education in exchange for a promise to work."
Education and training emerged once again in the panelists' closing remarks when Dorobek asked each person to give one recommendation regarding cybersecurity. Quentin said it "starts with thinking about how we educate our workforce" and that one training a year does not make people aware of the threat. Tipton urged government to take certification and authorization more seriously. The bottom line: as we think about avoiding a cybersecurity nightmare, training and education should be a top priority.