Saturday, August 5, 2017

NIST Cybersecurity Workforce RFI Comments – 08-05-17

This is part of a continuing series of blog posts looking at the comments that NIST has received on their request for information (RFI) on cyber workforce development. The comments are posted to the NIST National Initiative for Cybersecurity Education (NICE) web site. The earlier posts in the series were:


There were comments received from 76 different organizations this week, some with multiple submissions. There is no way that I am going to do even a cursory review of that many submissions; I will leave that to the professionals at NIST. Instead I’ll select some of the submissions and hit some high points; all perfectly arbitrary and non-random.

One very important point was made by Anna Johnston from the Information Systems Security Association (ISSA) in Colorado Springs, CO. She noted that: “Too many businesses are seeking to hire senior cyber personnel to do basic diagnostics, patching, etc., when those tasks can be done by more junior cyber-skilled people.” Everyone wants rock stars to be backup singers. Great if you can afford it, but expect high turnover.

The Automation Federation asks an interesting question: why isn’t cybersecurity included as a base fundamental skill in every part of our education system? They note: “Little attention is paid to the millions of workers in the middle, who are most likely the ones who need the most knowledge on how to perform their day to day tasks in a cyber secure manner.”

The California Governor’s Office of Emergency Services response addresses an often overlooked aspect of cybersecurity: emergency response. They note that California is attempting to develop a strategy “intended to strengthen cyber emergency preparedness and response, standardize implementation of data protection measures, enhance digital forensics and cyber investigative capabilities, deepen expertise among California's workforce of cybersecurity professionals, and expand cybersecurity awareness and public education”.

The Center for Long-Term Cybersecurity (CLTC) points out a long-standing problem with government hiring of cybersecurity professionals: the “cumbersome security clearance processes that often cause applicants to lose interest in government jobs before their application process is completed, and security policies that can unnecessarily isolate employees from their social and professional networks”.

The Energy Sector Security Consortium, Inc. (EnergySec) makes two important points. First, they point to the continuing disconnect between IT and OT cybersecurity, noting that:

“Although NICE has a workforce framework, it is not widely used in our industry to identify the security roles or job descriptions. The roles identified in the framework are mostly applicable to traditional Information Technology aspects of business vs. the Operational Technology (e.g. industrial control systems).”

Second, they note the very real need for entry-level jobs “to provide a bridge from the emerging academic programs to mid and senior levels positions”.

While the Security University’s response has a very odd organization, it does make a series of interesting points. Very importantly, they note:

“95% of cyber security professionals do not require a cybersecurity degree for a high wage in demand cyber job. They need qualified and validated skills learned from seasoned, skilled cybersecurity professionals with a practicum that demonstrates the student has learned a process and methodology that uses cybersecurity tools and understands enough of the risk policy to determine how to defend based on known threats in order to defend against unknown threats.”

Tenable makes an interesting observation in their response:

“However, our efforts to expand the human workforce will inevitably fall short of the insatiable demand for cyber talent, and we have to prepare for that. We need to have a complementary focus on technology and automation, enabling us to make the most of the human experts we have. Asymmetrically leveraging our cyber talent through the use of technology is the only path to success.”

The Coast Guard response also makes a very important point:


“Cybersecurity training and education must be agile in its planning, assessment, development and delivery cycle to adapt to the speed at which technology drives change and the need to adapt.”
