A shortage of cybersecurity know-how is a genuine problem – but if we don’t apply what we know, it won’t matter how many computer science graduates we produce.
In a recent article, Nada Marie Anid makes a compelling case for dramatically expanding computer science education to fill the growing shortfall in cybersecurity talent. With 200,000 unfilled positions in the U.S. and 1,000,000 total worldwide, global demand is estimated to reach 6,000,000 positions by 2019. The program she leads at NYU has increased its “cybersecurity course offerings, hiring expert faculty in biometrics, swarm intelligence, cryptography, data mining and forensics, and network security. We’ve even added a cybersecurity concentration for undergraduates and a master’s program.”
Her commitment is commendable. A shortage of cybersecurity know-how is a genuine problem – but if we don’t apply what we know, producing more computer science graduates won’t provide the return that it could.
Some of our best and brightest minds are engaged in maintaining standards that delineate the steps organizations can and should take to reduce their cyber risk profiles. While you might expect to see broad implementations of the standards, even federal agencies seem to ignore the top methodologies offered by the National Institute of Standards and Technology (NIST) and the Department of Energy (DoE).
The highly respected and widely recommended NIST Framework was developed “to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” Without prescribing specific technologies, it describes “a set of industry standards and best practices to help organizations manage cybersecurity risks.” (NOTE: NIST will conduct a NIST Framework Workshop on April 6-7 in Gaithersburg, MD.)
DoE, in partnership with DHS, developed another publicly available framework called Cybersecurity Capability Maturity Model, or C2M2. The methodology was developed to enhance the security and resilience of the nation’s critical infrastructure. Implementing C2M2 provides a comprehensive view of an organization’s cyber risk posture by monitoring ten different organizational domains. C2M2 meshes easily with the NIST Framework; in fact, DoE employs both in programs that help utilities improve their cyber breach readiness. (FULL DISCLOSURE: the DoE lab tasked with assessing and improving the nation’s utilities’ cybersecurity infrastructure uses Cybernance’s platform to gauge NIST and C2M2 compliance.)
According to the Identity Theft Resource Center, 781 data breaches were reported in the U.S. in 2015, including 63 government and military breaches. Federal agencies with recent high profile breaches include the Internal Revenue Service (700,000 social security numbers, February 2016) and the Office of Personnel Management (21.5M records and 5.6M fingerprints, June 2015). Before we had engaged with them, very few public sector and commercial organizations had taken the foundational step of tracking cybersecurity compliance against leading standards like NIST.
Ms. Anid’s efforts and those of others in the academic community to address the shortage of computer science knowledge are vital. Cyber breaches threaten the very existence of many organizations, and increasing the number of knowledgeable cyber experts is mandatory. Yet, as leaders purchase more and more technology based on threat intelligence reports, their approach is incomplete. They too often proceed without a clear plan to address the entire challenge, which would require changes to the culture and improved handling of external vendor and partner relationships.
Cybersecurity is a business problem that demands attention from all quarters – IT and Security, yes, but HR, Purchasing, and every other department that introduces risk and/or can mitigate it. The commitment must start at the top and permeate the entire organization. Adopting key standards to assess and monitor the status of the organization’s cyber readiness is critical.