1 / 0

The Challenge of Winning the Battle for Cyber Security WorkForce Talent

The Challenge of Winning the Battle for Cyber Security WorkForce Talent 14 May 2014 12:10 AM – 12:40 AM Presented by Dr. Christopher V. Feudo President, University of Fairfax. Whom Do You See . Topics. Introduction

idalia
Download Presentation

The Challenge of Winning the Battle for Cyber Security WorkForce Talent

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The Challenge of Winning the Battle for Cyber Security WorkForce Talent 14 May 2014 12:10 AM – 12:40 AM Presented by Dr. Christopher V. Feudo President, University of Fairfax
  2. Whom Do You See
  3. Topics Introduction Security's Shaky State - What People in the Industry Have to Say Staffing Statistics What's It All About – Where’s The Beef How to Retain Key CyberSecurity Personnel How to Hire CyberSecurity Personnel Workforce Approach Knowledgeable Workforce Pyramid Summary 2
  4. The University of FairfaxThe Cybersecurity University Established in 2002 in response to the events of 9/11 Only Focused CyberSecurity graduate 100% Online University, awarding CyberSecurity Doctoral and Masters degrees, as well as critical CyberSecurity Certifications Career Path Focused: Helping CyberSecurity professionals to advance their careers – Certifications imbedded within the Program Enhancing CyberSecurity Thought Leadership Student-Centered Culture - Access to a community of 230,000 CyberSecurity professionals Curriculum developed and taught by CyberSecurity practitioners Curriculum is project-driven and job relevant VA/GI Bill Approved/2014 Top MAE Military-Friendly Colleges The University of Fairfax (UoF) is accredited 2
  5. The Threat and the Players Threat= [Equipment + Knowledge +Skills] + Intent [ Capability ] Information Warrior/Terrorists Reduce Decision Space, Strategic Advantage, Chaos, Target Damage National Security Threats National Intelligence Information for Political, Military, Economic Advantage Terrorist Visibility, Publicity, Chaos, Political Change Shared Threats Industrial Espionage Competitive Advantage Intimidation Organized Crime Revenge, Retribution, Financial Gain, Institutional Change Institutional Hacker Monetary Gain Thrill, Challenge, Prestige Local Threats Thrill, Challenge Recreational Hacker 3
  6. Attack Sophistication vs. Intruder Technical Knowledge Tools Zero Day “stealth” / advanced scanning techniques R APT High packet spoofing E mobile devices identity theft Intruder Knowledge D sniffers phishing, pharming attacks sweepers I DDOS attacks S automated probes/scans N GUI back doors disabling audits network mgmt. diagnostics I hijacking sessions burglaries exploiting known vulnerabilities password cracking Attack Sophistication self-replicating code Attackers password guessing Low 2010 1980 1985 1995 2000 2015 There are Tens of Thousands of Hacker Sites 4
  7. Security's Shaky State - What People in the Industry Have to Say “Cyber threat growing at unprecedented rate”, intel chief, Dennis Blair, the former director of national intelligence says. - Federal Computer Week 22 percent growth is predicted in employment in cybersecurity by 2020 - U.S. Bureau of Labor Statistics “There are too few people choosing technical careers.” - Google Senior VP, UrsHolzle The U.S. Cyber Command plans to boost its cyber-security agency to nearly 5,000, but knowledgeable security professionals remain scarce. “The search for technical talent in the US has become fiercely competitive.” - Yahoo, Heidi Burgett When it comes to security, most IT departments are underfunded, understaffed, and underrepresented, IT security pros say. - InformationWeek "Without the right people to fill the job, businesses may have difficulty formulating and effecting security policies," -Sol E. Solomon, ZDNet A study by JobsAhead and Nasscom also shows that in the United States alone, there will be a shortfall of around 25,000 to 50,000 Information Security professionals over the next few years and based on skills data, less than 2,500 workers have specific Information Security skills which represent a miniscule 0.5per cent of the IT workforce. 5
  8. High-Quality Employees 67% Strong Leadership 46% Sound Business Strategy 44% Exceptional or Unique Product(s) 37% Timing in the Marketplace 33% Being Well-Advised 29% Availability of Investment Capital 19% Proprietary Technology 15% Factors that Contribute Most to Agency Growth The Next-Generation of Cybersecurity Leaders Need to be Able to Understand Cybersecurity as it Relates to the Business, Legal System, and Society. - IBM 2013 Source: Deloitte Research 6
  9. Cyber Security Staffing Statistics Understaffed = 44% Severely Understaffed = 22% Just Right = 31% Overstaffed = 3% Data: Secure Enterprise Strategic Deployment Survey Base: 1510 Security Entities Recently, the Ponemon Institute’s study found that, among its 2,000 respondents responsible for security in organizations from around the world, the lack of a strong security posture is directly related to the lack of sufficient security expertise. Only 26 percent said they had the necessary expertise. 7
  10. Where is the Beef Demographics – Gen X [1965-1980]; Gen Y [1981-1990’s (Millennial)]; Baby Boomers [1946-1964] 8
  11. The Disengaged Employee Waves of downsizing, employer demands, job disenchantment, threat of unemployment More than half the workforce is fed up Pollster Gallup has found that 80 percent of workers lack commitment to their jobs, with a quarter of those being “actively disengaged” from their workplaces. Disenchanted workers pull down productivity, increase churn, and darken the morale of the people around them - a whopping $350 billion in the United States in economic cost Workplace relationships - workplace toxicity may trump other factors when it comes to employee morale and performance The Number One Reason People Leave Comes Down to Their Relationship With Their Boss Source: Deloitte Research 9
  12. EMPLOYEE ENGAGEMENT: ALL LEADERS MANAGE BUT NOT ALL MANAGERS LEAD! Learn how to communicate and motivate the performance of others and work effectively toward the accomplishment of common Learn how to motivate your people to listen - Your communication will influence people's judgments and actions. Learn how to invigorate your people to grow with you - You will do your best work, your people will do their best work and all involved will believe in their own greatest potential. Learn how to inspire your people to follow you - People will be committed to achieving what's most important to you. Learn how to influence others to trust you. Learn how to listen to communicate. Select the right management approach to match someone's ability and willingness to perform plus the behavioral styles involved. Appropriately communicate, compliment, correct, counsel, delegate, develop, motivate, solve problems, and make decisions with all direct reports. Learn how to invigorate, inspire, and influence others to achieve what's most important. Develop an action plan guaranteed to work for you right now, today. It is ALL about Leadership 10
  13. How Can You Meet the Challenge To Make You an “Employer of First Choice” Improve recruiting and employment Ensure compensation and recognition systems are in place to attract and retain top talent Develop and training the workforce to meet current and future needs Ensure that managers and supervisors are equipped to lead Your organization to the “employer of first choice” reality; and Promote and support a diverse workforce and cultural environment. 11
  14. What is in Place to Meet the Challenge Federal efforts – Programs provide capacity-building grants to academic institutions to bolster CyberSecurity education and workforce development (CSEWD). National Science Foundation (NSF) - the Scholarship for Service program (SFS) (2000) Department of Defense, the Information Assurance Scholarship Program (IASP) Increased Budgets Cyber Security Education And Training National Initiative for CyberSecurity Education (NICE) Goal 1. Raise National Awareness About Risks in Cyberspace Goal 2. Broaden the Pool of Individuals Prepared to Enter the Cybersecurity Workforce Goal 3. Cultivate a Globally Competitive Cybersecurity Workforce STEM Ed Initiatives - to bolster formal cybersecurity education programs encompassing kindergarten through 12th grade. Other CyberSecurity Initiatives, such as LifeJourney™, that are creating the STEM generation. There are also higher education and vocational programs, with a focus on the science, technology, engineering and math disciplines. These initiatives will provide a pipeline of skilled workers for the private sector and government Universities across the Nation with varied levels of BS/MS/DSc/PhDs in Computer Security, such as the University of Fairfax , a graduate CyberSecurity Institution awarding Masters and Doctorates in CyberSecurity 89% of IT security budgets are rising or holding steady ----2014 Cyberthreat Defense Report 12
  15. How Can You Cope How can you reduce the losses caused by an exhausted and demoralized workforce? Helping employees to effectively manage information overload is one important step. Providing them with the tools they need to get their job done in the most effective way possible is another. Redesigning jobs and working conditions are other important interventions, along with ensuring that key people are effectively developed and well-deployed. Rather than dive headlong into technology based solutions to ameliorate work overload and stress, organizations may want to kick off their talent strategies by first examining the deployment and development of the people tasked with leading others. 13
  16. What's It All About What Employees Say They Expect from Employers Interesting and challenging work. Open, two-way communication. Opportunities for growth and development. Note: Monetary rewards and recognition ranked eighth. 14
  17. How to Retain Key CyberSecurity Employees A Well Defined Career Path. Top achievers are normally highly motivated individuals. They require a well defined career path with clear milestones and checkpoints for them to measure their progress. Knowledge Improvement Resources. The best technical staff members are usually very keen on staying abreast of, and mastering new technology. This requires adequate training resources that allow them to do so - provide Challenging work. Providing them with a worthwhile annual education plan and a management grooming program is a good motivator and retention factor. Continuing education is a good thing. Scheduled Performance Management Reviews. Many key performers prefer a semi-annual performance review with quarterly progress checks. They want to know exactly how they are performing and do not want to wait an entire year to find out. Semi-annual reviews also allow them to make any mid-course corrections required to stay on the fast-track and achieve their objectives. Competitive Salary and Benefit Packages. There are many ways to obtain competitive salary and benefit information, including contacts in other network organizations, HR sponsored surveys, job postings in technical publications, Internet sites, the vendor community, etc. Consider variable bonus pay based on completing certain important objectives. Effective Retention Plans are Creative and Include any Appropriate Items that Will Help Motivate and Challenge the Key CyberSecurity Performers 15
  18. Career Path Flexibility – Management & Technical Options Career path diversification is a good thing. Moving between technical and management roles creates a well-rounded employee capable of assuming many different network infrastructure positions. Conversely, pigeon-holing valuable network personnel will help contribute to their rapid departure SMEs can cross into both the technical and management disciplines. In many companies, SMEs carry the rank of a senior manager or director and are responsible for both the technical and the management aspects of the network infrastructure Modify key employee job descriptions as required. Job descriptions should be dynamic in nature and not cast in concrete. As a key employee’s skill level grows, he or she should be capable of assuming a greater role in the network infrastructure group. Modify existing job descriptions as required to take full advantage of a key employee’s skills and expertise 16
  19. Bottom Line Employees are our biggest assets and that without such mission-critical CyberSecurity skills sets, YOU will not be able to meet and sustain mission and goals Key CyberSecurityemployeesare important assets implementing appropriate measures to achieve a high level of employee retention within their ranks however, the first requirement is to identify those key individuals and then take the appropriate steps to help them grow and entice them to stay, then, assign them tasks that are interesting, challenging, and fun! 17
  20. IT Training Requirements As part of companies’ efforts to protect themselves from costly security breaches, many provide security training to their staff. Nearly 60% of US companies require IT security training for IT staff and over half make training available to non-IT staff Companies are also increasingly requiring cybersecurity certification. Nearly 33% of US firms make certification required now compared to only 25% in 2006 and 14% in 2005. 80% plus of Government organizations are now requiring cybersecurity certifications However, with a full 78% of organizations in China requiring certification, US firms still have a long way to go to if they are to keep up. 18
  21. Directive 8570.1: Information Assurance Training, Certification and Workforce Management. It requires that all DoD Information Assurance technicians and managers are trained and certified. Same with NSA with 4011/12 Key Certifications CISSP® - Certified Information Systems Security Professional - CISSP certification is not only an objective measure of excellence, but a globallyrecognized standard of achievement. SSCP® - Systems Security Certified Practitioner - for personnel in many other non-security disciplines that require an understanding of security but do not have information security as a primary part of their job description CAP® - Certification and Accreditation Professional - this credential applies to those responsible for formalizing processes used to assess risk and establish security requirements CSSLP - Certified Secure Software Lifecycle Professional -is the only certification in the industry that ensures that security is considered throughout the entire software lifecycle. Global Information Assurance Certification (GIAC) – (SANS) GIAC's purpose is to provide assurance that a certified individual has practical awareness, knowledge and skills in key areas of computer and network and software security. CompTIA Security+™ Certification The Certified Information Systems Auditor (CISA) is ISACA’s cornerstone certification - for the IS audit, control, assurance and/or security professionals The Certified Information Security Manager (CISM) certification is a unique management focused certification – it is for the individual who manages, designs, oversees and assesses an enterprise's information security program. 19
  22. DoD8570 Requirements These are the minimum functional certifications for the different job levels Categories IA Technical (IAT) IA Management (IAM). Specialties Computer Network Defense Service Providers (CND-SPs) IA System Architects and Engineers (IASAEs). 19a
  23. Strategic Road Map Objectives Work with HR to set guidelines for hiring cyber security professionals; Assess qualifications of existing professionals; Workforce Trained Challenged Energetic Enthusiastic Success Driven Talented, Diverse and Versatile Establish qualifications requirements; and monitor progress toward meeting the qualification requirements. Provide general training to all employees to raise awareness and build on governmental Requirements training efforts Use senior management forums to put cyber security on the forefront – Certified and Qualified CyberSecurity Professionals critical to the survival of our Nation 20
  24. Establish certification qualifications and position descriptions for key positions – Identify critical talent Implement policy with HR to publish the qualification guidelines Knowledgeable Workforce Pyramid Create an Employee-centric environment Establish Performance Metrics Continuously improve the awareness program as required by the changing environment advances in cyber security technology Consistently analyze improve communications and outreach approach Implement process to monitor corrective action in training and qualifications Provide the right tools for the right jobs Integrate fully cyber security training with daily operations of all professionals Promote senior leadership information exchange on cyber security performance, issues, and incidents Define cyber security performance metrics 21
  25. Workforce Approach Explore innovative approaches to build and retain CyberSecurity employees by: Expanding internship programs Establishing “apprentice-like” programs that are formalized career training programs that offer a combination of structured on-the-job training and related technical instruction to employees to train them in positions that demand a high level of skill Building a stronger education/training pipeline to improve/enhance employees’ skillsets Expanding opportunities for continuous learning Enhancing employee’s ability to manage their careers Strengthening work supports to promote employment retention and career advancement Strengthening governance and accountability within the workforce system, and Establish Knowledge Management System Moreover, explore processes and tools that allow the organization to efficiently capture, maintain, and utilize its information 22
  26. Workforce Components Relationship Gives rise to Senior Management Support Recruit, Develop & Retain the Best & Brightest Exploits Employee Centric Environment Employee Centric Environment To Create Performance Metrics to Mitigate Employee Disengagement Directly affects Talented, Diverse, & Versatile Assets Institutional Knowledge Base Leads to Knowledgeable Workforce Which Complements Can contribute to Your mission success
  27. Conclusion Identify key CyberSecuritypersonnel. Stay flexible and modify approach as required to meet specific enterprise needs Focus on creative activities to retain key CyberSecurity employees. It’s not just all about the money. Key performers require strong ongoing education plans to keep them abreast of changing network technology. Provide management and technical career opportunities. Make it easy for key employees to move between technical and management roles. Provide them with growth opportunities and the ability to learn new skills Create a Talent Pipeline for CyperSecurity personnel - Internal: develop, train and retain ; External: attract, hire, and retain 24
  28. Thinking Outside of the Box Thinking Outside of the Box Cyber NNSA You cannot use the same You cannot use the same level of thought to solve a level of thought to solve a problem that you used in problem that you used in creating it. creating it. - Albert Einstein Albert Einstein Food for Thought 25
  29. Questions/Comments Dr Christopher V. Feudo President University of Fairfax Northern Virginia Campus cfeudo@ufairfax.edu 703-962-9252 cell: 703-798-1756 Enhancing Cybersecurity Thought Leadership with the Support of the University of Fairfax
More Related