Getting in Front of the Cybersecurity Talent Crisis

Transcription

1 CYBERSECURITY WORKFORCE Getting in Front of the Cybersecurity Talent Crisis how-to-build-a-cyber-dream-team-when-it-comes-to

2 CONTENTS INTRODUCTION Introduction... 3 What is Driving Demand: Data Breach Response... 4 Getting the Right People... 6 What We Are Doing to Address the Cybersecurity Workforce Crisis... 9 Conclusion There is a human capital crisis in cyber security. Demand for skilled professionals currently outweighs supply, and the growing sophistication of cyber adversaries coupled with our increasingly networked enterprises means that demand will grow. Unless we increase the number of trained professionals coming into the workforce and become better at identifying, nurturing and retaining workers with the necessary qualities, this crisis will progressively drain organizations bottom lines. Organizations have begun to realize that cybersecurity problems involve more than just technology. There is also a people and business problem. Effective technology solutions are needed to protect IT infrastructures, and automation can help free humans to do what they do best: analyze, understand, anticipate and respond to security incidents. But technology is only a tool; security requires having the right people with the right capabilities on the job. Effective cybersecurity is a core business requirement in today s global economy, and C-level executives are increasingly being held accountable for breaches. We re making progress professionalizing and institutionalizing cybersecurity. Ten years ago, security operations usually were underfunded and given low priority. The Chief Information Security Officer (CISO) did not exist. Today, however, cybersecurity is a high business priority, and among companies that employ a CISO, many are in the boardroom. But much remains to be done. Only 40 percent of Fortune 100 companies have a CISO, and organizations still struggle to build, recruit and retain a cybersecurity workforce. Competition for cybersecurity talent is fierce. According to a 2014 report from Burning Glass 1, cybersecurity job postings grew 74 percent from 2007 to 2013, to nearly 210,000 openings. This growth was more than twice that for all other IT-related job postings. Moreover, it is not enough to merely hire good people. Continual development and training are needed to ensure that employees keep pace with evolving threats and new technology. Getting in front of this manpower crisis requires: + + Increasing supply through outreach and partnering to support professional development programs in universities, high schools, and even earlier + + Reducing demand through resource sharing within and between organizations, improving the quality of the cybersecurity workforce, and supporting it with the right technology + + Developing new approaches to identifying available talent, including looking for it in non-traditional places

3 WHAT IS DRIVING DEMAND: DATA BREACH RESPONSE Cyber adversaries and threats are constantly evolving; while tried-and-true attacks and exploits will never die, newer and more sophisticated ones are always appearing. Given the growing complexity of IT enterprises, the response to data breaches and other security incidents is a complex, labor-intensive, and time-sensitive task. In a large private sector or government organization, the direct cost of response and mitigation can easily be millions of dollars. The costs of lost business and damage to reputation can be even greater. The first 24 hours following a breach are critical. To minimize damages and costs of a breach, pre-planning is essential. Without a strategy, you will spend the first days getting organized, identifying resources, and putting them into place. By this time you will be far behind the game, struggling to catch up with the intruder while simultaneously managing the ramifications with partners, customers, and the public. This demand on preparedness puts a premium on understanding your enterprise and available resources, as well as being able to quickly evaluate the extent and complexity of the attack. An effective response requires interior lines of communication for mobilizing resources throughout the organization, not just the IT shop and security operations center. To evaluate your readiness, ask yourself these questions: + + Do I have an up-to-date plan in place one that is more than shelfware? + + Have I tested this plan recently? + + Do I have the staff I need to respond to the incident or do I have access to surge support? + + Does my staff understand the threats, the adversaries they face, and their roles in the response plan? + + Is my CISO prepared to handle the threat to deal with the public, senior management, and the rest of the organization while directing the response? An effective, prepared workforce is needed to carry out your plan. Staff must include threat analysts who can combine outside sources of intelligence with data from enterprise sensors and logs to anticipate incidents and help direct the response. This can reduce the needed manpower. Many organizations, however do not have the necessary resources permanently on-staff, or know precisely how much manpower they will need when an incident occurs. They will need to be prepared to quickly surge their workforces to meet the need. Determining the right size of your cybersecurity staff is a matter of risk management. This will vary depending on an organization s size, IT enterprise, the threats it faces, the value of its assets (to itself and to adversaries), and the level of risk it chooses to accept. Response planning should include plans for mobilizing outside personnel, as needed. It is too late to begin assessing needs and looking for help after an incident has occurred. Your contact list, or calling tree, should already include the necessary points of contact, whether they are from other divisions within your organization, contractors and third-party service providers, or partner organizations. To quickly surge your workforce, you should know: + + What help you need. + + Who will you call for help? + + Are standing support agreements in place? 4 5

4 GETTING THE RIGHT PEOPLE Being prepared will help in managing and deploying a cybersecurity workforce, but you still must identify, recruit, and retain qualified people. This is not a simple job. Make sure that your human resources office understands the needs of cybersecurity and speak the same language as the IT departments. Cybersecurity is becoming professionalized, with a growing number of academic institutions offering degree programs at the undergraduate, graduate, and post-graduate levels. This is a positive development. But experience and professional certifications that demonstrate the ability to meet industry standards are proving to be just as important, if not more so, as academic degrees. A junior employee without a degree who has front-line, hands-on experience could be as valuable as a graduate from a university program. People can learn technology; in the end, personal characteristics that demonstrate the ability to perform on the job might be just as good an indicator as formal education. Striking the right balance between people and technology and determining the right size for your staff are just as important as getting the right people. Although technology cannot provide cybersecurity on its own, it is a valuable tool that enables staff to do their jobs more effectively. Investing in the right tools can help reduce the number of people required to provide the appropriate levels of security. But beyond this point, technology produces diminishing returns. A few good people with the right technical and leadership skills can become force multipliers, helping your team become greater than the sum of its parts. The proper balance of technology with the right people can let a cybersecurity team be lean, but still effective. To find the right people, you first need to understand what qualities are required for the job. What should you be looking for in a cybersecurity professional? Technical skills AND personality: + + People who are inquisitive, who like to take things apart to find out how they work or don t work + + People who are persistent, who continue working on tough problems until they are solved + + People who can collaborate and communicate across the organization, not just with other cybersecurity professionals + + People who demonstrate leadership, with the ability to create and direct multidisciplinary teams + + People who understand business and policy beyond IT and the impact that disruptive technologies have on business Finding all of these qualities in a single person is not easy. A master cyber Jedininja would be great, but even if found, he or she would likely be out of the price range of most organizations. You should look for someone with as many of the above qualities as possible, with the understanding that most of your cybersecurity workers will have specific technical strengths and areas of expertise that they can bring to the job. Teams of highly capable cybersecurity experts whose skills complement each other better enable organizations to meet their needs. This team-based approach can produce more innovative and creative solutions to challenging problems, and reduce the inherent risk in placing all of your organization s security in one all-encompassing expert. Identifying potential cybersecurity workers with these qualities can mean going outside the standard resume and interview process. One executive who wants to know what prospective employees are like outside of the workplace asks how many computers they have at home and how many are in working order. A candidate with two or three computers in pieces could indicate the kind of inquisitive, break-it-andfix-it mindset that the executive is looking for. If they re the kind who likes to take things apart, that s who I want. You can also gather insights from workplace style. Is the worker a cube-dweller, headdown and focused on the immediate task? Or is he or she working in an open environment with others, seeking help, sharing insights, and looking for answers? The latter might be the better pick for a cybersecurity team that needs to understand, collaborate, share, and respond quickly when an incident occurs. Finding these people could require looking beyond the usual recruiting environments. The Silicon Valleys and Silicon Alleys are obvious places to start, but they are full of companies looking for the same talent, and there is a lot of competition for qualified people. Moving upstream to the universities and colleges offering cybersecurity degree programs can be productive. The National Security Agency and the Department of Homeland Security have designated 55 institutions as National Centers of Academic Excellence in Information Assurance/Cyber Defense. 2 Universities in Arizona, Michigan, Kansas, New York, Maryland, Texas, and Oklahoma are making big investments in cybersecurity programs. And a growing number of schools, such as the University of Southern California Viterbi School of Engineering, Pennsylvania State University and The Johns Hopkins University have highly regarded online degree programs. Organizations can get needed talent into their recruiting pipelines by partnering with these institutions and others, helping to provide educational resources and ensuring that educators understand what the curriculum should include so that students are trained in the skills that organizations need

5 Some question the value of academic degrees for a hands-on, quickly evolving multidisciplinary field such as cybersecurity. While this is open to debate, it is true that on-the-job experience and professional certifications are proving to be just as important. Those without a four-year degree might not make the first cut in the traditional Human Resources recruiting process. But you shouldn t overlook professional experience, time spent in the trenches, and continuing technical training just because a candidate comes with an Associate s degree or a high school diploma. Finding these candidates can mean going to non-traditional settings. Every year there are gatherings of cybersecurity professionals and talented amateurs at events such as DEF CON, Black Hat Briefings, the RSA Conference, the Consumer Electronics Show, and numerous smaller hackathons and meetups. These can be rewarding venues for spotting less traditional talent. Because personal qualities can be important in making a successful cybersecurity practitioner, consider looking for these qualities in current junior level and non-technical employees. When you find workers with the right stuff, you can train them with the technical knowledge they need, creating an in-house source of professional talent. Booz Allen is meeting the human capital challenge head-on. We offer professional services to build cybersecurity capacity in government and the private sector, and partner with government and academia. We also are putting these practices to work within Booz Allen, developing and strengthening our own cybersecurity workforce. An example of Booz Allen s leadership in this area is in the development of the NICE-supported National Cybersecurity Workforce Framework. The National Initiative for Cybersecurity Education (NICE) is a public-private partnership focused on developing a technologically skilled and cyber-savvy workforce to help meet the exponential growth in demand. The initiative is led by the National Institute of Standards and Technology, [ gov/nice/index.htm] and includes partnerships with other government agencies and private companies. Booz Allen not only helped to develop the NICE-supported National Cybersecurity Workforce Framework, but it has been using it internally for five years. The framework provides a common taxonomy and lexicon to describe the cybersecurity workforce. It defines 32 specialty areas, their common tasks, required knowledge and skills, and specifies the necessary training and education. Although developed in part as a guide for federal workforce development, it can be a practical guide for any organization with cybersecurity priorities. WHAT WE ARE DOING TO ADDRESS THE CYBERSECURITY WORKFORCE CRISIS Workforce requirements identified by NICE include: + + Agility: the ability to shift between roles or needs should a threat warrant different support + + Multi-functional: the ability to maintain and execute a variety of activities at any given time + + Dynamic: the ability to provide for constant learning to effectively approach new endeavors and problems + + Flexible: the ability to move into new roles or environments quickly to increase knowledge and skills + + Informal: the ability to work in a nontraditional environment In addition to putting the National Cybersecurity Workforce Framework to work in our own organization, Booz Allen is working to develop talent before it is needed through outreach, identification of early talent, and by providing opportunities for training and education. Internally, Booz Allen has invested in the creation of a Cyber University where staff can gain access to training, certifications, information learning resources and academic programs to deepen their cybersecurity skills. This program was named Outstanding Training Initiative by Training Magazine in 2013 and has been instrumental in developing and retaining cybersecurity staff. 8 9

6 CONCLUSION Reciprocal research and development agreements with government agencies and partnerships with educational institutions support Cyber University. Booz Allen has partnered with academic institutions to create Cyber programs that are responsive to business needs. These partnerships focus on the design of curriculum and the integration of business insights into the courseware, making the content relevant to staff confronting challenges on the job. By working with our industry partners, we can create training for emerging technology solutions that are on the cutting edge. Cyber assessment and training tools such as CyberSim also support this effort. CyberSim provides assessment and learning exercises for cyber professionals, with content that can be geared to different skill sets and levels. Tailored and validated for the cyber needs of individual organizations, it helps identify internal employees ready to take on new roles, or those who need additional training in order to continue their growth. Utilizing gaming principles using a capture the flag format, organizations can use CyberSim as an ongoing program, or as an on-site event for training and team building. Booz Allen can help organizations develop cybersecurity capacity, both in government and the private sector. We can help develop organizational structure necessary to help the CISO during a crisis. We have the solutions to: + + Define the skills and competencies needed and map those skills to cybersecurity roles + + Forecast needs and develop a workforce plan + + Develop recruits to fill mission gaps + + Hire and retain skilled professionals + + Prepare workers to meet evolving mission requirements + + Cultivate leaders to continue the vision and carry it forward + + Provide recommendations on how cyber organizations should be structured and aligned within an organization With our blend of management/strategy consulting and technology, we are uniquely positioned to bring technology and human capital consulting to bear in planning for, developing, and maintaining the cybersecurity workforce an organization needs. The human capital crisis in cybersecurity is real, as illustrated by persistent data breaches and security incidents despite heightened attention to security. Organizations that cannot identify their needs and the people with the skills and qualities to meet them will find themselves increasingly at risk. The crisis must be addressed with a sense of urgency to deal both with current and future demand for skilled professionals. This requires immediate and long-term planning. Decision-makers should be ready now to look outside traditional recruiting avenues and be open to considering non-traditional candidates with the qualities needed to become cybersecurity professionals. At the same time, organizations can take steps to reduce demand by using the right technology, developing leadership skills in capable workers, and sharing resources to anticipate attacks rather than merely respond. Talent issues will define the foreseeable future of the cyber community. Organizations that can equip themselves to get ahead of these issues will position themselves for success. If we as nation can prioritize building a strong cyber talent base then our cybersecurity community will have a much better chance at beating bad guys in the future. About Booz Allen LORI ZUKIN PHD Principal zukin_lori@bah.com JAMIE LOPEZ PHD Senior Associate lopez_jamie@bah.com ERIN WEISS KAYA Lead Associate weiss_kaya_erin@bah.com ANDREW SMALLWOOD Lead Associate smallwood_andrew@bah.com

7 About Booz Allen Booz Allen Hamilton has been at the forefront of strategy, technology, and engineering for more than 100 years. Booz Allen partners with private and public sector clients to solve their most difficult challenges. To learn more, visit (NYSE: BAH) 2015 Booz Allen Hamilton, Inc. DSI how-to-build-a-cyber-dream-team-when-it-comes-to