One could argue that cybersecurity is by far the most important Homeland Security, National Security and Public safety issue of our time. In the age of terror specifically, groups like ISIS, Al Shabaab and AQAP have managed to use the Internet to recruit and successfully spread their message with little to no counter narrative of merit. Cybersecurity has been rightfully picked up and vocalized as high as the President himself as a top National and Homeland Security priority. With the increase usage of technology by nation states, rogue groups and specifically terrorists with their growing focus on attacking the west, cybersecurity must be treated with utmost importance. Here is the problem... We still treat cybersecurity like it’s an IT problem, or worse a compliance problem. Cybersecurity must be seen, trained, understood, planned and executed from a broader perspective than IT and or compliance. Risk to our economy, our infrastructure and public safety warrant far more than the IT and or compliance outlook on security issues. We have many IT tech savvy folks in this country, as well as auditor- and legal-minded types. However, we have a huge shortage of what I call hybrids—those people who can see across the various spectrums and domains of the issues of our time and tie cybersecurity into those issues ubiquitously. Those people are rare but greatly needed. The other problem... There is a lack of true leadership for cybersecurity. Not merely a lack of leadership but a lack of well-rounded cybersecurity professionals who are hybrids that also possess leadership skills, authority and influence throughout the nation. Without more cybersecurity professionals obtaining such status and influence, then we should expect many of the issues of our time to continually go unresolved in the manner of which they could or should be resolved. Here is how we fix it... We need to emphasize, encourage and fund continuous learning. We also need to teach broad methodologies as the standard such as what the International Information System Security Certification Consortium, Inc., (ISC) ²® creates within its community of Certified Information Systems Security Professionals (CISSP). But bringing everyone both technical and non-technical together for one global and broad standard is only the beginning. Next, we have to continue deeper dives in various areas, such as critical infrastructure, control systems, malware analysis, forensics and penetration testing.
The Cyber Professional
Clearly, the cyber professional should have some technical background. However, they must also have a security, risk, legal, political, financial, operational and otherwise diverse organizational and public-safety-oriented skillset. In order to excel in cybersecurity, your education, certifications and experiences must be diverse. This cyber professional must become the expert problem solver and advisor to decision makers. They must be able to link and integrate natural and man-made world events that will or may impact the organization and public safety, all while trying to keep up with the latest trends simultaneously. It is critical that you learn and also understand the supply chain, money, risk etc.
The IT Professional
Usually has a very technical and customer service delivery model focus and skillset. They generally focus on administration of daily technical functions, application development, help desk, engineering, systems design and/or architecture. They are more ITIL and CMMI service delivery focused, not so much security, threat, vulnerability or risk focused. Having cyber versus IT defined, we must also remove the culture of training just for the sake of maintaining certifications and instead, shift to a culture of continuous learning as a mode of survival and prosperity for our nation. Lastly, we must focus on enabling our people with the combination of higher education, certifications, continuous training, practice labs and on the job experiences. Instead of picking between them we need to encourage and accept the aggregate of them all. If we do these things, we can once and for all begin to close the resource gap while also shifting the focus to be as agile as we need to be in these times of terror. We will also allow for more cross pollination of previously isolated technical and non-technical disciplines to easily transition into the broader context of cyber and not see security as just an IT problem.
About the Author: Isiah Jones is a cybersecurity consultant, researcher and life learner that has been interested in and learning IT since 2004 and Cybersecurity since 2010. Also a former Federal/Navy Civil Service Cyber/IA and IT specialist with a variety of experiences such as Systems Analyst, Enterprise Resource Planning (ERP) SAP analyst, DON Lean Six Sigma Greenbelt analyst, Cybersecurity/Information Assurance Host Based Security System (HBSS) Analyst and an Information Assurance Officer (IAO)/Information Systems Security Officer (ISSO). Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interesting in contributing to The State of Security, contact us here.
