The cybersecurity workforce hears too much about what it is not allowed to do and does not focus enough on what it can do, according to Matt Conner, deputy chief information security officer at the National Geospatial-Intelligence Agency (NGA).
He stated that a shift in workforce education is necessary to improve cybersecurity. Instead of enumerating a long list of rules, he said that agencies and companies should instruct employees on what is allowed. Conner compared educating the workforce to building guardrails rather than speed bumps.
“There is no substitute for an educated workforce. Of course we need an educated workforce. What we need to educate them on are the things we’re offering to make them more effective,” Conner said. “Cybersecurity is unique in that we’ve got to tell you all the stuff you need to know. After years of doing that, here’s where we are. Phishing is still the most effective type of compromise. Humans are still the weakest part after 20 years of trying to educate people. Maybe we need to educate people differently.”
Conner also stated that divining intelligence from data relies on teamwork between agencies and private vendors. NGA collects reams of GIS data from satellite imagery. Conner said finding useful intelligence in the midst of all this data is like finding a needle in a stack of needles.
Articulating cybersecurity needs and working with partners is the key to discerning threats for NGA and other agencies, according to Conner. He said that cybersecurity actors can point out ways to help.
“There’s just a glut of information. It’s a challenge for us. We are working with partners in industry to extract intelligence from info,” Conner said. “We’ve got a glut of information. We don’t have a glut of intelligence. The discipline of cybersecurity is challenged to extract intelligence from information.”
Another challenge Conner discussed is cultivating new members of the workforce, in addition to educating current employees. He said that thousands of cybersecurity jobs go unfilled, and that one solution was to look beyond hiring solely Certified Information Systems Security Professionals (CISSPs).
“It’s easy to ask for more CISSPs, but there’s a risk that the solutions those people offer are the same solutions that got us to where we are,” Conner said. “I’m not denigrating CISSPs. I’ve been certified since 2003. I think building the workforce of tomorrow is open to completely new perspectives and new sets of skills. I look to those people.”