Earlier this month the (ISC)² U.S. Government Advisory Board (GAB) invited me to present my views and opinions to the board. What a neat opportunity!
The GAB is a group of mostly federal agency Chief Information Security Officers (CISOs) or similar executives. Officially it comprises “10-20 senior-level information security professionals in their respective region who advise (ISC)² on industry initiatives, policies, views, standards and concerns,” and its goals include offering deeper insights into the needs of the information security community and discussing matters of policy or initiatives that drive professional development.
In terms of content, in addition to discussing my previous work on storage systems with autonomous security functionality, I advanced three of my personal opinions:
- Before industry can develop the “cybersecurity workforce of the future” it needs to figure out how to calculate the return on investment (ROI) for IT/security administration. I suggested a small initial effort to create an anonymized central database for security attacks and the real costs of those attacks. If such a database were widely available at nominal cost (or free), then an IT department could report on the value of its actions over the past year: “we deployed such-and-such a protection tool, which blocks against this known attack that caused over $10M in losses to a similar organization.” Notably, my suggested approach is constructive (“here’s what we prevented”) rather than negative (“fear, uncertainty, and doubt / FUD”). My point is that coming at the ROI problem from a positive perspective might be what makes it work.
- No technical staff member should be “just an instructor” or “just a developer.” Staff hired primarily as technical instructors should (for example) be part of an operational rotation program to keep their skills and classroom examples fresh. Likewise, developers/programmers/etc. should spend part of their time interacting with students, or developing new courseware, or working with the sales or marketing team, etc. I brought up the 3M (15%) / Hewlett-Packard Labs (10%) / Google (20%) time model and noted that there’s no reason that a practical part-time project can’t also be revenue-generating; it just should be different (in terms of scope, experience, takeaways) from what the staff member does the rest of their time. My point is that treating someone as “only” an engineer (developer, instructor, etc.) does a disservice not just to that person, but also to their colleagues and to their organization as a whole.
- How will industry provide the advanced “tip-of-the-spear” training of the future? One curiosity of mine is how to provide on-the-job advanced training. Why should your staff be expected to learn only when they’re in the classroom? Imagine if you could provide your financial team with regular security conundrums — “who should be on the access control list (ACL) for this document?” — that you are able to generate, monitor, and control. Immediately after they take an action (setting the ACL), your security system provides them with positive reinforcement or constructive criticism as appropriate. My point is that if your non-security-expert employees regularly deal with security-relevant problems on the job, then security will no longer be exceptional to your employees.
I had a blast speaking. The GAB is a group of great folks and they kept me on my toes for most of an hour asking questions and debating points. It’s not every day that you get to engage high-level decision makers with your own talking points, so my hope is that I gave them some interesting viewpoints to think about — and perhaps some new ideas on which to take action inside their own agencies and/or to advise the government.