In this interview with Help Net Security, Amanda L. Joyce, Group Leader, Strategic Cybersecurity Analysis & Research, Argonne National Laboratory, offers her unique perspective on the modern information security landscape.
What are the most important takeaways from your decade of work in cybersecurity? How has your view of information security evolved with time?
This is largely a twofold answer that goes hand-in-hand: first, we need novel approaches to cybersecurity within our critical infrastructure. The day of the “one size fits all firewall or virus protection” is ancient. That leads to the second: we need smart, capable people that are interested in learning over and over. Daily, I learn something new about security. This field continues to grow and challenge us as professionals.
We are protecting assets that at one time were truly isolated. The internet wasn’t a “thing”. Now, we live through the use of “ease” or “simplicity” and, because the internet provides that, we add a lot of risk into our systems. So, the out-of-the-box options are not really beneficial, because every company and every piece of equipment needs fine tuning to have the right amount of security to ensure its integrity while maintaining its operations, and that requires us to continue to build up our security workforce.
You also work with budget control and effort allocation, which are critical pain points for global CISOs. What advice would you give to those that have a hard time justifying a cybersecurity budget?
Most times, we see that the cybersecurity “budget” is spread throughout so many other budgets throughout a company or organization. It isn’t owned within a cybersecurity group. This leads to separate strategies, goals, and implementations of cybersecurity, thus really wasting that budget entirely.
The larger problem of having no cybersecurity budget because “we’ve never had an incident” or “we aren’t a big enough target” is one that many will regret when it is too late. Everything, and I mean everything, is largely reliant on the internet these days.
I challenge companies to start thinking about their most valuable assets, those assets that, if they were to disappear or be messed up, they would likely have no company. I can guarantee that most of those assets sit on a computer system somewhere. That may be a water system, the grid, a chemical formula, a shopping system, cloud infrastructure, data feeds, medical records, personal records, etc.
Look at the cybersecurity budget as one would for regular home maintenance. You don’t have to do maintenance on your house, but sooner or later the washing machine will die, the sink may clog, the pipe may back up, and the windows may crack if you don’t put any regular maintenance into your home. But if you did even a small thing every year to keep your home maintained, it would last so much longer.
Similarly for a cyber budget: maybe a budget adds one new person to the staff this year, maybe next year you upgrade the firewall, the next year it’s reviewing all the rules and simplifying. If you don’t have a budget, you just largely hope everyone is on the same page.
It’s no secret that the infosec industry is facing a significant skills gap. What can organizations realistically do in order to minimize this issue?
Take part in programs such as the Department of Energy’s CyberForce Program, or look at recruiting students for internships or apprenticeships. Cybersecurity is very hands-on learning. Not to minimize what we learn in our education, but to bolster our skills and really understand where we are as a nation, the next generation of cybersecurity defenders need to start learning new skills earlier.
There have been countless times through the CyberForce Program that we have had collegiate students come to Argonne and get frustrated because we don’t just allow them to update their operating system. In the real world, you can’t just update Windows; there is a lot more that goes into that than clicking “Update Now”.
Personally, I just feel like the more hands-on experiences we can give those that are interested in the field, the better off we are overall.
Recently, the Department of Energy expanded its CyberForce Program, and now offers more ways for students to test their cybersecurity skills. What are the main benefits of this program? Who can participate?
The Department of Energy’s CyberForce Program is a cybersecurity workforce development program which currently, in 2021, has our main CyberForce Competition event, which hosts US-based collegiate institutions for a full day of red-blue exercise where students need to defend their operational technology infrastructure from the industry red team attackers (volunteers).
During this competition, we continue to provide competitors with challenges that emulate the daily tasking that may come from a job (looking at logs, meetings, forensics, etc.), all while maintaining and communicating with their customers/operators.
Our newest competition series, Conquer the Hill, has two competitions which are more narrowly focused. Adventurer took those tasks from the CyberForce Competition and expanded them even more to have students challenged in a 48-hour period with over 160 different tasks, all mapped to the NIST NICE Framework. Reign will be a timed capture-the-flag in which students will be placed in an escape-room-like machine and will look to be declared the winner by gathering as many flags as possible and racing to the end in the fastest time.
Additionally, for all those that participate in any of our events, there will be a virtual career fair in November where we invite industry to chat with some of the best and brightest from around the nation. Finally, we have a monthly webinar series that looks to highlight various topics within cybersecurity, such as industrial control systems or the NICE Program. The entire CyberForce Program is currently marketed to collegiate students (bachelor’s, master’s, and PhD) and technical colleges who are attending US-based institutions.