This is part of a continuing series of blog posts looking at
the comments that NIST has received on their request for information (RFI) on cyber
workforce development. The comments are posted to the NIST National
Initiative for Cybersecurity Education (NICE) web
site. The earlier posts in the series were:
There were comments received from 76 different organizations
this week, some with multiple submissions. There is no way that I am going to
do even a cursory review of that many submissions; I will leave that to the
professionals at NIST. Instead I’ll select some of the submissions and hit some
high points; all perfectly arbitrary and non-random.
One very important point was made by Anna
Johnston from the Information Systems Security
Association (ISSA) in Colorado Springs, CO. She noted that: “Too
many businesses are seeking to hire senior cyber personnel to do basic
diagnostics, patching, etc., when those tasks can be done by more junior cyber-skilled
people.” Everyone wants rock stars to be backup singers. Great if you can
afford it, but expect high turnover.
The Automation
Federation asks an interesting question: why isn’t cybersecurity included
as a base fundamental skill in every part of our education system? They note: “Little attention is paid to the millions of workers in the middle, who are most likely
the ones who need the most knowledge on how to perform their
day to day tasks in a cyber secure manner.”
The California
Governor’s Office of Emergency Services response addresses an often
overlooked aspect of cybersecurity: emergency response. They note that California is
attempting to develop a strategy “intended to strengthen cyber emergency
preparedness and response, standardize implementation of data protection measures,
enhance digital forensics and cyber investigative capabilities, deepen expertise
among California's workforce of cybersecurity professionals, and expand cybersecurity
awareness and public education”.
The Center
for Long-Term Cybersecurity (CLTC) points out a long-standing problem with
government hiring of cybersecurity professionals: the “cumbersome security
clearance processes that often cause applicants to lose interest in government
jobs before their application process is completed, and security policies that
can unnecessarily isolate employees from their social and
professional networks”.
The Energy
Sector Security Consortium, Inc. (EnergySec) makes two important points.
First, the continuing disconnect between IT and OT cybersecurity, noting that:
“Although NICE has a workforce
framework, it is not widely used in our industry to identify the security roles
or job descriptions. The roles identified in the framework are mostly
applicable to traditional Information Technology aspects of business vs. the
Operational Technology (e.g. industrial control systems).”
Second, they note the very real need for entry-level jobs “to
provide a bridge from the emerging academic programs to mid and senior levels
positions”.
While the Security
University’s response has a very odd organization, it does make a series of interesting
points. Very importantly, they note:
“95% of cyber security
professionals do not require a cybersecurity degree for a high wage in demand
cyber job. They need qualified and validated skills learned from seasoned,
skilled cybersecurity professionals with a practicum that demonstrates the
student has learned a process and methodology that uses cybersecurity tools and
understands enough of the risk policy to determine how to defend based on known
threats in order to defend against unknown threats.”
Tenable
makes an interesting observation in their response:
“However, our efforts to expand the
human workforce will inevitably fall short of the insatiable demand for cyber
talent, and we have to prepare for that. We need to have a complementary focus
on technology and automation, enabling us to make the most of the human experts
we have. Asymmetrically leveraging our cyber talent through the use of
technology is the only path to success.”
The Coast
Guard response also makes a very important point:
“Cybersecurity training and
education must be agile in its planning, assessment, development and delivery
cycle to adapt to the speed at which technology drives change and the need to
adapt.”