In the Federal government’s Cybersecurity Workforce Training Guide, Department of Homeland Security (DHS) Secretary Alejandro Mayorkas makes clear that efforts to improve cyber defenses should focus on the people working to protect the nation from attack.
“Your talent is needed to advance the President’s commitment to elevate cybersecurity as a top priority across the government, strengthen partnerships with the private sector, and expand our investment in infrastructure and people,” Mayorkas wrote in the document, issued by DHS’s Cybersecurity and Infrastructure Security Agency (CISA).
His words reflect what experts call a people-first approach to defeating foreign and other cyber threats. America is facing a serious cyber skills gap, which the White House estimates at more than 500,000 open cybersecurity positions nationwide. In this climate, cyber experts call for the government and private sector to go all out to find people willing to serve – and intensively train them in all manner of cyber skills once they are on board.
“We have to invest, take a personal approach, and treat every person as the individual they are, figuring out what their passion is, and then providing them opportunities to grow,” said Terin Williams, chief of cyber operations and a senior cyber advisor at CISA, during a recent webinar discussion.
Intensified upskilling is paramount going forward because many specialists – especially in operational technology – now employed in government and industry are nearing retirement age. “A lot of that institutional knowledge of operations is about to disappear,” said Williams, who expressed concern that the nation will be left with “a national debt” in cyber and operational technology skills in Federal civilian and military organizations.
Aaron Rosenmund, Pluralsight cybersecurity author, agreed that helping employees grow their passion is a powerful workforce development tool. IT leaders need to be “engaging people on a one-on-one level, training them, and engaging with [the cyber skills] they are passionate about,” he said. “I think we need to be hiring and developing a culture of passion about this topic. There’s too much to learn, too much to secure, and too great of an active threat to have people who aren’t passionate” about cybersecurity.
Rosenmund and Williams bring a wide range of public and private sector experience to the cybersecurity arena. Rosenmund is a cybersecurity operations subject matter expert with a background in Federal and business defensive and offensive cyber operations and system automation. He contributes those skills part time in support of the Air National Guard to defend the nation in cyberspace. In addition to her role at CISA, Willams is a member of the Army National Guard and the vice director of operations (cyber) for the National Guard Bureau. Previously, she was the CIO of the Ohio National Guard.
Cyber Attackers’ Tactics Evolve
According to the U.S. government, the skills and methods of cyber attackers are growing in dangerous ways. “The threats we face remain daunting,” said a report in May from the Office of the National Cyber Director. It pointed to evolving risks to critical infrastructure from nation-state adversaries, the persistent threat of ransomware attacks, and potential supply chain exploitation from malicious actors.
Rosenmund categorized the biggest cyber threats against the United States in three ways: economic, such as ransomware; influential, such as threats centered around the presidential election that took place on November 5; and operational, such as threats to critical infrastructure. These critical infrastructure threats, in which foreign actors embed in U.S. systems to cause disruption or damage in the future, are the most critical, Rosenmund added.
Williams said concern about protecting the integrity of the election had galvanized “a small subset of” Federal agencies to work together to safeguard the vote. “There was a full court press since the [2020] presidential election to really get after it,” she said. “It came together, and we took the right approach.”
More broadly, Williams said a growing challenge for cyber defenders is the increased communication between cyber criminals, many of whom used to work alone. “It’s a big shift that we’ve seen over time,” she said. “We used to have individual actors working in their own silos. And we’ve seen them move into a space where they are … really working together. That makes it a much harder ball game.”
For the American public, the enhanced coordination of bad actors can pose additional risks because individual citizens may be more likely to be targeted. Most people think ‘a nation-state actor isn’t going to be interested in me.’ And what we’ve seen is that they are interested in connecting to anybody because you usually have connections to other people … that they are absolutely interested in,” Williams explained.
The Cyber Skills Gap Continues to Grow
As they confront the complicated threat landscape, cyber defenders are facing what has become a seemingly entrenched problem: the lack of people with the cybersecurity skills needed to defend against attacks.
In April, the White House announced an overhaul of the Federal hiring process to emphasize a skills-based approach to build the cybersecurity workforce. The development was a follow up to the Biden administration’s National Cyber Workforce and Education Strategy unveiled last year to help fill cyber job vacancies.
“People who are in the cyber workforce should be equipped with specialized cyber skills that will change over the course of their careers,” the strategy said.
Rosenmund said the greatest need is for experienced cyber professionals with high-level skills. “Entry-level positions have been filled,” he said. “That’s not to say there aren’t more that need to be filled, but really the gap is in intermediate and advanced skills.”
As an example, Rosenmund cited the 2021 SolarWinds hack that he said compromised about 30,000 organizations across the United States. He recalled that the government sent affected organizations a “blunt letter” that acknowledged a lack of highly skilled employees able to quickly fix the problems.
“The letter essentially said, ‘Just turn it off. We don’t have enough people with enough advanced expertise to come, respond, and do threat hunting at all these organizations, and neither do you,’’’ Rosenmund recalled.
“That was absolutely true. I think it’s still true.”
A People-First Approach Leverages Workers’ Passion for Cybersecurity
The solution is intensive training and upskilling of the Federal and private sector cybersecurity workforce, utilizing a people-first perspective. Experts say organizations should start by obtaining accurate technology skills benchmarks for employees and seek to hire a mix of specialists and generalists who understand multiple technology domains and can be trained on cybersecurity specifics.
As organizations invest in upskilling, Williams said, “It’s really about investing in that person, and making sure that they are well rounded and have all the skills that they really need. The idea is treating every person as an individual and leveraging the passion of each and every one of them, because there is such a broad range of skills you need in cybersecurity.”
The people-first approach is reflected in CISA’s cyber workforce training guide, which recommends a range of professional development, learning paths, and hands-on training, which Rosenmund said is critical to easing the skills gap.
“The space where we need to continue to invest in is …. technical controls. We have hundreds of thousands of different kinds of technologies that can be exploited,” he said. “It’s easier to teach concepts of risk than it is to teach technical controls, but that’s where the gap is.”
Such training involves “very quickly going from concept to the technical information you need to know about how to implement a control, how to assess that control, and then how to … give your team members hands-on experience.”
Williams also emphasized the value of hands-on training. “The hands-on piece is the most critical part,” she said. “Any [training] exercise I’ve been involved in, the hands on [activity is] where you start to build that trust. And you really take away lessons learned that you can go back and apply immediately into your organization.”