Commentary by Earl Crane Senior Principal at Promontory Financial Group & former member of the White House National Security Staff
Industry and government adoption of revolutionary technologies, such as cloud and mobile computing, and the increased interdependency between information service delivery and business success are reshaping how managers look at information security. Increasingly sophisticated threats target both businesses and the federal government for disruption and espionage. The federal government is looking to increase the efficiency and effectiveness of its cybersecurity programs. It has a long history of grappling with advanced cybersecurity threats, and has developed sophisticated capabilities to understand and mitigate cybersecurity risks. Industry, meanwhile, is driven by sound bottom-line arguments and market forces to focus on cost-effective solutions and to pursue efficiency for competitive advantage in a way that government struggles to match.
Leaders in both government and industry, in short, have discovered they can learn a lot from each other.
One result of this growing focus on government-industry cybersecurity collaboration was the Aug. 20 report on Secure Government Communications by the President’s National Security Telecommunications Advisory Committee (NSTAC). At the request of the White House Cybersecurity National Security Staff, this report investigated how to improve federal government information security based on industry best practices, approaches and perspectives.
While the lack of cybersecurity talent is a concern for national security and U.S. competitiveness as a whole, it is promising news for cybersecurity professionals seeking mobility in the workforce as their skills are in demand. According to a recent Cyber Security Census from Semper Secure, Washington is emerging as an epicenter of cybersecurity talent. The D.C. metro area is tied with California for the highest concentration of cybersecurity professionals — at 19 percent each — and D.C. scored higher as a center of cybersecurity innovation — 44 percent versus California’s 33 percent.
As senior members of the federal workforce retire, new positions will open up for cybersecurity professionals. Additionally, as mid-career federal cybersecurity professionals look to industry to broaden their skill sets, they will find demand for their government cybersecurity skills in the private sector. Both businesses and government organizations willing to seek cybersecurity expertise outside of their traditional industry-specific workforce will find candidates with increasingly fungible cybersecurity skills. Drawing from the NSTAC recommendations, we can highlight three key crossover skill sets:
Federal employees with experience implementing the NIST Risk Management Framework may see increasing demand as industry looks to implement and improve their risk management program. The collaborative development process around the critical infrastructure cybersecurity framework is building a common conversation about how to effectively measure and manage cybersecurity across industry sectors.
Any risk management calculus must incorporate cybersecurity into the business decision making process. Data breach and denial of service can no longer be viewed merely as “IT issues,” and must instead be just as much a part of the business’ risk calculations as logistics breakdowns, strikes and overseas conflicts.
Companies will need professionals capable of translating highly technical concerns into actionable business strategy. The increased use of sector-specific maturity models to measure companies’ security program capabilities will provide flexibility for innovative cybersecurity defenses that static checklists cannot. The expertise required to perform these functions is both scarce and highly transferable between industries, and will be in high demand.
An ever-growing number of businesses are recognizing the value in situational awareness delivered by intelligence capabilities. Increasingly sophisticated actors penetrate companies with intentionally targeted objectives, rather than targets of opportunity. Businesses, therefore, need to be proactive in their defense, by assessing and understanding what their adversaries will most likely target based on their current business operations, defensive profile and global geo-political environment.
Globalized connectivity has brought adversaries from around the world to your organization’s doorstep, and that is part of the new reality. Many federal agency CIOs get this and have integrated cybersecurity threat intelligence into their defensive plans. However, more must be done.
Threat intelligence is no longer a boutique offering for a select few organizations. Increasingly it is a relevant consideration for situational awareness across government and industry business lines. Dedicated cyber threat analysts must have real-time actionable information and an understanding of business operations and impact. A recent report from the Ponemon Institute highlighted this fact, citing optimal times for near-real-time intelligence as no greater than 4.6 minutes.
Enterprise Security Management
Finally, increasingly porous perimeters make traditional security architectures ineffective. Information security professionals must keep current with new technologies and defensive strategies such as Moving Target Defense and the Cyber Kill Chain. Cloud computing requires an understanding of data management and third-party risk management. Mobile computing requires visibility into mobile applications and data. Distributed endpoints require new architectures for centralized policy management with decentralized defensive actions.
As business practices, information technology and cybersecurity threats become more industry-agnostic, competition across and between industries for cybersecurity professionals will remain fierce. Though professionals will be in short supply for years to come, increased mobility among industries and government will bring a leveling of common cybersecurity skills across the profession.
Earl Crane, Ph.D., is an expert in information security and cybersecurity strategy and policy. He is a senior principal at Promontory Financial Group, a global consulting firm that helps companies and government around the world manage complex risk and meet their greatest regulatory challenges. Dr. Crane was previously a member of the White House National Security Staff, where he advised the president on cybersecurity policy.