Whether they like it or not, in this day and age nearly all organizations have to think about their cybersecurity posture and find a way to minimize cybersecurity risk.
But the main problem with doing the latter is that nobody can effectively assess the cybersecurity risk of organizations (or of third parties, cyber insurance, or systems/devices/IoT and their transactions).
Boardroom discussions and cyber security workforce woes
“Prolific applications, devices, and systems are communicating without inquiry into, verification or assurance of cybersecurity risk. The IoT world we live in is – although hard to comprehend – introducing a scale of protection-worthy assets unlike anything we’ve ever seen. But there are many organizations still reporting risk on a three color scale of red, yellow and green, and until we get beyond that, I fear we will continue to garner blank stares at the board level and receive meager cybersecurity budgets as a result,” Paul Innella, founder and CEO of information assurance and cyber security consultancy TDI, tells me.
Another problem is that discussions about cybersecurity at the boardroom level are tantamount to people discussing sailing when they’ve never boarded a boat.
“When we discuss financials via various reporting mechanisms at the boardroom level (and even below), we have a universal language in our balance sheets, income statements and the like,” he says.
“Quarterly earnings reports to the board don’t begin with most of the board questioning what gross margin is. In other words, until we establish a substantive measurement system for reporting cybersecurity in a common language, we will continue to struggle with this problem.”
At the operational level, the cybersecurity workforce gap is a big obstacle to improving organizations’ cybersecurity posture.
Innella is of the opinion that we should re-evaluate certifications in the information security field, as well as requirements for entry.
A significant number of people providing compliance and assessment services to the industry are not from traditional computer science and technical backgrounds, and that’s a state of affairs he would like to see change. He would like to see a stricter focus on educational and professional backgrounds rather than on certifications, which he finds, in many cases, to be outdated and inapplicable to the work at hand.
“There are many people in cybersecurity who come from non-technical fields and never bridge the gap to understanding our field. Addressing this requires weeding out the unskilled and attracting the skilled,” he notes.
“But attracting skilled talent will only happen if we address the commodification of cybersecurity services by paying realistic wages, institute policy moves towards educational incentives for cybersecurity and technical degrees, encourage more women into the space to ensure a diverse workplace and mindset, and increase the H1-B visa quota and stop sending away foreigners who receive advanced degrees in the US, as they are a tremendous source of security and innovation.”
Problems at the highest level
And things are far from ideal at the highest level, too. When it comes to efficient and effective governmental policy regarding cybersecurity, the current US administration leaves a lot to be desired.
“At present, the current administration has merely issued an Executive Order which appears no different than that of previous administrations in terms of its intent – protect our nation’s assets. In particular, the President’s Executive Order really lacks any teeth as it looks for federal agencies to assess their security and plan to address any deficiencies – something that we’ve been doing for the better part of two decades now,” Innella says.
There is no effective move to improve the nation’s cybersecurity posture. Still, the good news is that federal agencies are, for the most part, continuing to carry out plans articulated by previous administrations, focusing on guidance provided by NIST and action plans like Obama’s Cybersecurity National Action Plan. But, he notes, that is not nearly enough.
“The emphasis needs to be on making policy more substantive and effective in its application. As a start, significantly more directed cooperation between the Intelligence Community and functional cyber elements in the various federal departments should be mandated. Cybersecurity analysts require a great deal of understanding of traditional intelligence operations to become more effective at their jobs. Otherwise, we continue the cycle of collecting tons of cybersecurity data but lack the capacity to interpret, understand, and respond,” he opines.
In addition to that, he says that the US government cannot continue to forcibly commodify the cybersecurity labor force of hundreds of thousands of contractors who support its mission.
“You get what you pay for, and the government has reduced the amount it pays contractors for these increasingly challenging labor requirements by as much as 60% over the last ten years! Add to that a procurement policy that rewards such cost-cutting, and you have a reality in which we are trying to fight a battle but refuse to pay for the right armor,” he notes.
“And, finally, we must provide guidance from the top, and this starts with somebody actually being at the top. We still don’t have specific Federal leadership in the Federal CISO and White House CISO roles to ensure the ‘plan’ from each agency is carried out. If this administration wants to demonstrate its resolve in addressing cybersecurity threats, it must appoint people in the roles intended to do such a thing.”