Last month, the Commission on Enhancing National Cybersecurity delivered its report to the President of the United States, providing six Imperatives and other, associated recommendations and action items with the goal of improving the overall security posture of the nation’s public and private infrastructures. These commendations cover a range of both technical and non-technical guidance, with a very substantial weight placed in Imperative 4 for training, hiring and increasing the overall cybersecurity workforce in order to match the growing need for such expertise.
Specifically, Action Items 4.1.1 and 4.1.2 recommend the training of 100,000 new cybersecurity practitioners for the workforce by 2020 and an additional 50,000 trained through an apprenticeship program within the same timeframe. This signifies an enormous increase to the current total number of trained cybersecurity workers, and should make a large indentation in the endless need for more security experts everywhere.
However, most every Chief Information Security Officer (CISO) or Chief Security Officer (CSO) today has an immediate need for this kind of expertise, and as the number of cyberattacks continues to explode, most can’t afford to wait until 2020 to tap into this flood of eligible, and available, potential employees.
Thankfully, the Commission has presented a few other recommendations that, in my view, recognize the need for additional, more socially-focused security measures which should help to improve the overall effectiveness of individual security programs and augment the proposed increase in the workforce.
Two in particular are:
- Action Item 2.2.2 which states, “The U.S. government should support cybersecurity-focused research into traditionally underfunded areas, including human factors and usability, policy, law, metrics, and the social impacts of privacy and security technologies…”
- Action Item 3.2.1 which states, “The next Administration and Congress should prioritize research on human behavior and cybersecurity, of the basis of the 2016 Federal Cybersecurity Research and Development Strategic Plan.”
These two, seemingly small statements represent a massive shift in the thinking of not only the government in how it approaches cybersecurity strategy, but the industry as a whole. Specifically, in putting a focus on the more human and policy-centric needs for strengthening cybersecurity, it starts to move away from the idea of simply acquiring the latest and greatest piece of software, all-in-one appliance or other security technology which promises the solution to all of your security despairs.
However, applying more and more technology is not adequate to fully protect a network infrastructure and the critical data stored there. Attackers will simply fine-tune their tactics to evade new protections put in place and continue to launch assaults against their targets.
After all, no matter the number of layers of defense put in place, it only takes one authorized user within your organization to click on a malicious link in a phishing email that captures their credentials and feeds them to an attacker who can then use those credentials to sidestep every security control that a user is allowed to navigate.
Since humans will make mistakes like this, social engineering continues to be an effective form of attack, no matter the technology controls put into place. It has been long past time for organizations to put more focus on the human side of their security program, specifically in the areas mentioned by the Commission in Action Items 2.2.2 and 3.2.1.
Any security program can benefit immediately by beginning a review of their own internal policies, improving the types of metrics used to measure the success of the program, and consulting with legal counsel to ensure proper insurances and other risk mitigation plans are in place. These activities cost very little, have immediate turnaround timeframes, and can deliver quite a lot of return to the organization.
Perhaps most importantly is to comprehend the behavior of their employees and implement programs to help them work and operate in a more secure manner. Security awareness training and education programs may not be the glitziest pieces of a security program, but they are critical to its success. Even beyond that, is to involve employees more directly and understand why social engineering attacks work on them and to help address any questions and concerns.
Security teams who sit down with staff at all levels, whether it’s through roundtable sessions, town hall forums, brown bag lunch sessions or other similar gatherings have a much stronger understanding of the needs and challenges of the employees in the organization who are the front line of defense for the entire infrastructure. With this understanding comes the means to develop more germane policies and procedures, offer better, more focused solutions for the security problems being faced by staff, and can even guide technology purchasing decisions to help best fill in the gaps.
At AsTech Consulting, we believe that there is plenty of work yet to do, and we will certainly need a larger cybersecurity workforce. Nonetheless, while waiting for that to come about, there is a lot more that every organization can do today to refocus their efforts around the more human elements of information security and bring about a much stronger security posture for everyone.