In my last blog posting, I expressed my thoughts on the importance of taking a holistic approach specifically to addressing the recent proliferation of software vulnerabilities. But truly, this approach applies to addressing all cybersecurity vulnerabilities.
I was reminded of that this week when I read a well-known security figurehead’s very myopic response to a newly released cyber education strategy, called the NICE Strategy, implying that the strategy will have little or no impact if it is not updated to focus on developing critical ‘hands-on cybersecurity skills’.
Promoting one aspect of security as the solution to the “big picture” security problem is like treating cancer in someone’s foot and ignoring that the cancer will spread throughout the entire body without the proper preventative measures.
For those who are not aware, as part of the National Initiative on Cybersecurity Education (NICE) Program, last month the White House released the NICE Strategy, or its ‘framework’ for addressing the information security human capital crisis and the need to “build an agile, highly skilled workforce capable of responding to a dynamic and rapidly developing array of threats.”
While the NICE Strategy outlines a very optimistic forecast in stating that, if all goes as planned, by 2015, the workplace will see a 20 percent increase in qualified cybersecurity professionals, NICE has done a thorough job of addressing the challenge from all critical perspectives. Several positive observations I made include:
• NICE collaborates with a number of external groups – non-profit, industry and public sector organizations – in developing its strategy.
• The strategy is focused on reaching the IT professional and beyond, including all those who must comply with sound cyber security practices.
• NICE takes a broad approach to meeting the demand for a skilled cyber workforce and to raising the bar with all involved publics – including public awareness among consumers and education and professionalization of cyber workers.
In contrast, those who single out ‘hands-on experience’ or any other silver bullet as the only way to adequately prepare the cyber workforce of the future – or otherwise referred to as an ‘army of cyber warriors’ – have not fully assessed the magnitude of the issue.
This challenge cannot be solved with silver bullet solutions. Hands-on experience in identifying threats must be accompanied by training and continuing education. One does not preclude the other. While identifying the requirements of a skilled cyber workforce includes finding and mitigating threats, we can’t let the need for mitigation override the need for prevention.
Cyber professionals must also be skilled in developing better policies and improving an organization’s overall cyber security practices. Technicians, professionals, business managers, and end users must take advantage of all the means of communication available to learn and better prepare for the exploits our cyber warriors find through detection and mitigation of problems with our systems.
In this way, (ISC)2 members are unique in that they must comply with the requirements of both hands-on experience and ongoing education throughout the life of their credential. In our world, Knowledge plus Experience = Competence.
I think everyone would agree that you just can’t train people quickly, but I, for one, commend those who intently and strategically develop a holistic approach to the information security challenges we face as a nation – from the proliferation of software vulnerabilities to the human capital crisis. Kudos to those over at NICE who see and accept the challenge of developing the “Big Picture”.
W. Hord Tipton is executive director of (ISC)2, the world’s largest non-profit body for certifying information security professionals; he is also the former Chief Information Officer of the U.S. Department of Interior and recipient of the President’s Distinguished Rank Award.