The People Behind Government Cybersecurity
Executive Summary.........01 Layered Approaches to Modernization and Cybersecurity.........03 Guiding Agencies to Stronger Hiring Practices.........04 Why Printer Security Matters for People in Government.........07 Identifying the Human Factor to Cybersecurity.........08 Persona 1: Information Technology Specialist.........10 NICE Framework: A Reference Guide for a Stronger Cyber Workforce.........12 Persona 2: HR Manager.........14 Defining the Future Cyber Workforce.........16 Persona 3: Acquisition Specialist.........18 Leveraging Integration and Security.........21 Persona 4: Agency Leader.........22 The People Behind State and Local Cybersecurity.........24 Persona 5: Cyber Intelligence Analyst.........26 How Open Source is Driving Innovation in Cybersecurity.........29 Persona 6: Communications Specialist.........30 Conclusion.........32
Executive Summary It has become abundantly clear that the issues of cyberthreats and maintaining security are not going away anytime soon for government. Every day, the number of vulnerabilities and risks to which agencies are susceptible grows. But the increasing success of cyberattackers shows that technology – while important – does not provide a silver bullet solution to the problem. That’s why agencies need to recognize the importance of the human factor in protecting information, assets and systems.
While IT professionals continue to play a leading role in securing government information, cybersecurity is the job of every employee. Frontline employees must secure their devices, follow cyber hygiene protocols and help identify potential insider threats in real time. Agency leaders must create and enforce robust cyber policies that tackle threats holistically across technological, organizational and cultural aspects. Meanwhile, IT staff must continue to balance operational needs with the creation of new cybersecurity tactics and tools. This guide dives into six personas that represent different types of agency personnel who can play a critical part in cybersecurity. Each persona describes their role in strengthening cyber posture, challenges they encounter in their jobs and tools available to help achieve their objectives while enhancing cybersecurity. Additionally, this guide provides an overview of key legislation concerning government’s cyber workforce, including the Cyber Workforce Assessment Act and the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. It also features interviews with leaders from government and academia to discuss where the cyber workforce gaps can be addressed. Ultimately, this guide provides agencies with a better understanding of who plays a role in cybersecurity, what their greatest challenges are and what can help equip such staff within an agency to enhance cyber posture. By better understanding the types of personnel behind government cybersecurity, agencies can tackle the most important component behind cyber defense: humans.
1
Layered Approaches to Modernization and Cybersecurity Interview with Morey Haber, Vice President of Technology, Office of the Chief Technology Officer, BeyondTrust The primary cybersecurity challenges facing government are modernizing legacy systems and strengthening defense against internal and external cyberthreats. Legacy systems suffer from security flaws as a result of not being updated even as frequently as the last month. These systems are easily exploitable by potential insider threats and external cyberattackers. The problem is replacing legacy systems with newer technologies can be costly and, if not done properly, can leave agencies more vulnerable to cyberattacks. For the government to address the challenges of modernizing IT systems while ensuring information security, agencies should turn to layered approaches and solutions that simultaneously support legacy systems and modern technologies. This will help mitigate risks associated with cyberattacks, insider threats and provide standardized controls that can be monitored and measured. In an interview with GovLoop, Morey Haber, Vice President of Technology in the Office of the CTO at BeyondTrust, discussed how layered approaches, in terms of adding levels of security, can help address these challenges. BeyondTrust is a leading company dedicated to innovative cybersecurity solutions. “A layered approach requires segmentation of systems or micro-segmentation,” Haber said. “This means that the devices, applications or systems are isolated from other non-mission critical environments.” A layered approach in cyber terms means adding different IT safeguards to different layers of IT, such as networks, hardware, or perimeters of your infrastructure. Layering makes it easier to add levels of security while making it more difficult for hackers to breach a system. Layered approaches can look like a two-factor authentication system, a new password management system or even a proxy session recording system that keeps track of who is accessing what information within an agency. Layering can help agencies add security on top of older legacy systems while enabling IT staffs to build in security protocols into newer systems. Two specific examples of layered approaches are a least privilege model and detailed session monitoring. A least privilege model reduces rights down to the lowest level of permission required for employees to perform essential functions. This helps prevent intentional or unintentional insider breaches. Detailed session monitoring comprises the tracking of keystrokes and commands so that anyone’s ses-
sion can be audited. Leaders can keep track of how people are using systems and make sure system administrators are not abusing their privileges or leaking information. Recently, a large government agency that requires scientists to run data and custom programs needed help with administrative access and privileges to control who could be privy to certain information. The agency leveraged BeyondTrust’s PowerBroker Endpoint Least Privilege, a solution that provides least privilege management across enterprise endpoints, while creating visibility and control over all privileged applications and accounts. Now, scientists in that agency can use a least privilege login without typing an administrative username and password to perform privileged activity. They can easily perform their jobs without having unnecessary access to the rest of the agency’s IT systems or being granted a secondary account for administrative purposes. To enhance the effectiveness of layered approaches, it is important to equip your agency’s personnel with the knowledge they need to navigate relevant cybertools and solutions. Applying frameworks, like the NIST Cybersecurity Framework, which provides best practices of risk management to improve critical infrastructure cybersecurity, can help. Frameworks provide organization leaders with the necessary guidelines to support layered approaches and risk-based decisions related to their critical missions. “These guidelines help quantify risks,” Haber said. “Nearly two decades ago, common scoring for vulnerabilities did not exist and there was no standardization. Now, with guidelines like CVE and the NIST Cybersecurity Framework, we can better communicate current standards across organizations and better identify any risks associated with internal and external systems.” Adding tools, like PowerBroker, to layered approaches can also ensure complete application control by blacklisting hacking tools previously used by cyberattackers, whitelisting approved applications and greylisting applications based on rules to keep systems safe. Ultimately, modernizing legacy systems while defending an agency’s valuable information requires layered approaches. Combining the right tools and frameworks, layering and least privilege management with session monitoring can help government keep up with the latest technologies while mitigating cyberthreats across any system, including legacy network environments.
3
Guiding Agencies to Stronger Hiring Practices How the Federal Cybersecurity Workforce Assessment Act and the NICE Cybersecurity Workforce Framework guide agencies to improved IT hiring practices
4
All agencies struggle to hire top-tier talent for crucial cybersecurity roles in government. As recently as 2014, civilian federal cyber employees exiting agencies outpaced the number of new hires, with up to 25 percent turnover rates. Before government can begin to fill cybersecurity personnel gaps, though, leaders must first understand and define what cybersecurity positions exist in their agencies to better grasp their workforce needs. The Federal Cybersecurity Workforce Assessment Act and the National Initiative for Cybersecurity Education (NICE) Workforce Framework will help leaders evaluate their agencies and understand which people are needed for cybersecurity. The goal of the framework and the act are to standardize definitions of cybersecurity positions and duties across the public, private and academic sectors. By creating consistent definitions in the cybersecurity field, academic institutions can efficiently educate students for cyber positions and agencies can target candidates for vacancies, strategically train current employees on new cyberthreats and retain top-tier professionals to maintain institutional knowledge. The Federal Cybersecurity Workforce Assessment Act and the NICE Cybersecurity Workforce Framework assist in the process by dictating timelines and guidelines for implementation of the new standards, so agencies can employ an effective and streamlined cybersecurity workforce.
Federal Cybersecurity Workforce Assessment Act of 2015
NICE Cybersecurity Workforce Framework
The Federal Cybersecurity Workforce Assessment Act, included in the 2016 appropriations bill, directs agency leaders, the Director of the Office of Personnel Management (OPM) and the Secretary of the Department of Homeland Security (DHS) to identify all positions within an agency that perform cybersecurity or cyberrelated functions. Once these positions are identified, each will be assigned corresponding employment codes based on the NICE Framework definitions.
The NICE Framework, most recently updated in 2016, acts as a dictionary for cybersecurity positions, duties and information, so that the public, private and academic sectors can consistently communicate on cybersecurity topics and challenges. It can be used by employers to identify cybersecurity needs and qualified candidates, current employees to understand tasks and roles, job-seekers to obtain in-demand skills and knowledge, educators to prepare students to enter the cybersecurity workforce and technology providers to adapt products to their clients’ needs.
An initial baseline assessment of the existing cybersecurity workforces was due to Congress by December 2016. In these reports, agency leaders needed to identify what percentage of positions had an impact on IT, cybersecurity or cyber-related functions, as well as the current and needed qualifications for these positions. If agencies found knowledge or certification gaps, leaders were required to submit strategic plans for correcting the deficiencies. The act also directed OPM to work with NICE to revise the Cybersecurity Workforce Framework, and collaborate with agencies individually to implement the new codes and standards. In January, OPM issued general guidance on using the framework and the new Federal Cybersecurity Data Structure, and their detailed instructions outline how managers and CIOs should assess vacancies, code position descriptions and assign codes for positions with multiple substantial functions. Once the new standards and codes have been implemented, agencies must then submit annual reports on the critical-need IT and cybersecurity positions in their organization to Congress. To assist in the implementation of these definitions and standards in position descriptions and workflows, OPM is partnering with Government-wide councils and NICE as agencies apply the requirements of the Workforce Assessment Act.
The NICE Framework is organized into categories, specialty areas, work roles, tasks and knowledge, skills and abilities or KSAs. By breaking down these definitions into different levels and identifying how each person performs these functions, agencies can better assess the breadth and depth of the cybersecurity gaps in their workforce. Non-cybersecurity professionals routinely perform cybersecurity tasks. Thus, the framework is designed to give leaders a realistic picture of their workforce and adapt the organizational structures or recruit candidates to fill cybersecurity needs in the agency.
Identifying and hiring top-tier talent to perform cybersecurity tasks in government can be difficult for agencies. By acting as a dictionary for public, private and academic organizations, the framework’s consistent cybersecurity definitions of roles and tasks will help leaders in these sectors synchronize recruitment efforts and organizational structures. The Workforce Assessment Act ensures that leaders can implement the new standards and definitions in an efficient and timely manner across agencies. Understanding the people involved in cybersecurity is the first step to modernizing the government IT workforce. When used together, the Cyber Workforce Assessment Act and NICE Cybersecurity Workforce Framework can help all employees and professionals understand their roles in protecting government IT systems.
5
Printer security breach? Not on your watch. Defend your network with the world’s most secure printers. New enterprise HP LaserJets with JetIntelligence provide the industry’s deepest printer security.1 Features including HP Sure Start with its self-healing BIOS, whitelisting, and runtime intrusion detection come built in. hp.com/go/printersthatprotect
2
The world’s most secure printers and deepest level of security: Based on HP review of 2015 published embedded security features of competitive in-class printers. Only HP offers a combination of security features for integrity checking down to the BIOS with self-healing capabilities. Available on the HP LaserJet M527, M506, M577 and as an upgrade on the M552, M553, M604, M605, and M606. Some features will be made available as a HP FutureSmart service pack update on selected existing Enterprise printer models.
1
Ponemon Institute, “Annual Global IT Security Benchmark Tracking Study,” March 2015.
2
© Copyright 2015 HP Development Company, L.P.
Why Printer Security Matters for People in Government An Interview with Ron Chestang, Worldwide Senior Print Security Consultant, HP Today, the public sector is focused on optimizing its work for an increasingly digital world, but printers still play a major role in government work, and office life in general. In fact, it’s estimated that federal employees print on average 30 pages per day – 7,200 pages per employee, per year. Unfortunately, even though printers are still widely utilized – even for confidential information – they are not properly secured throughout the public sector. This can be attributed to lack of regard in government surrounding printer security and difficulty achieving compliance success with printers. In an interview with GovLoop, Ron Chestang, Worldwide Senior Print Security Consultant at HP, discussed why printing should matter to government. He also explained how personnel could contribute to better printer security and achieve compliance with regulations. His suggested tactics are first to assess where your agency stands in terms of printer security and to use solutions that automate compliance as well as security. Government is just starting to recognize the importance of printer security and the expanse of printer networks and devices to protect. “If you don’t even recognize the risk in the first place, then you can’t mitigate it or respond to it,” Chestang said. “There are now multifunction printers that have web servers with access to an active directory. And these devices have so many capabilities that are exploitable.” Despite the importance of printer security, printers are often not included in security compliance plans with other devices. This doesn’t mean that government is intentionally ignoring printer vulnerabilities. The rapid development of printers from being single-function devices to multi-function devices connected to an array of devices of networks means government just has to catch up. But it’s difficult to consider all of the different vulnerabilities a printer can pose to an agency. As a result, agency employees contribute to faulty printing practices including by: • Failing to assign access rights • Failing to ensure that data is encrypted on printer hard drives and other storage devices • Failing to scan their printer infrastructure for vulnerabilities in order to remediate security risks Additionally, updating security practices can be daunting, especially when faced with the reality of incorporating hundreds or maybe thousands of printers into existing policies and protocols. Chestang recommended that agencies begin with an assessment of their current security situation. Agency leaders should ask:
• How many devices (printers) are connected to your agency’s network? • Who uses these devices? How are they authenticated to access your printers and the data stored on them? • What is being printed on your printers? Sensitive and confidential documents? • How else are your printers currently protected, or are they not protected at all? Such questions will not only provide an accurate snapshot of where your agency stands in regards to printer security, but it will also highlight the holes that need to be filled to properly address all network-connected devices. Once you’ve completed an assessment, the next step is to implement adequate security policies for these devices. First, set up the devices, enact policies and then layer solutions on top of these policies that take user behaviors into account. Tools like HP’s JetAdvantage Security Manager offer a policy-based printer security compliance solution. This tool lets IT professionals in an agency establish and automate the maintenance of printer security settings to a security policy, making it easier to achieve and measure compliance success. To address credentialing and keep track of access, HP also offers an Access Control Job Accounting solution. This tool makes it easy to accurately track and gather data, analyze the results and create and send reports. Your agency can gain control of printing environments and costs. You can also monitor, allocate and manage resources by tracking usage by device, user, project, department or cost center. In addition to assessing your agency’s current printer security environment and identifying the right tools and solutions, Chestang advised addressing user behavior of all employees within an agency. “Department heads or regular personnel go to department stores and buy their own printers without even letting IT know,” Chestang said. “Communication is key to addressing this. Leaders have to communicate with people throughout the agency what devices are allowed to be on the network and what shouldn’t be allowed.” Cybersecurity is everyone’s job. It’s up to agency leaders, IT and all employees throughout an agency to frequently communicate regarding printer policies and best practices for printer security. By critically assessing their environment and leveraging the right security policies and tools, agencies can continually monitor user behaviors while educating agency personnel on proper printer protocols.
7
Identifying the Human Factor to Cybersecurity While IT professionals typically come to mind when thinking of the people behind cybersecurity, there are a number of different personnel who play an important role in securing an agency’s information. That’s why it’s imperative for government to know whether employees – all of them – are capable of recognizing, responding to and recovering from a cyberattack. Personas can help. A well-rounded cyber workforce is imperative for strengthening cyber posture and staying on top of the threat landscape. What the six personas demonstrate is that, regardless of position, everyone plays a role in protecting an agency’s information and assets. These personas represent some of the different types of employees (some more surprising than others) who can play a critical role in an agency’s cybersecurity:
8
1
2
IT Professional
HR Manager
Serves as the frontline cyber personnel and defends networks, technology equipment and software.
Acts as gatekeeper of cyber training and is responsible for recruiting and hiring the right talent for cybersecurity.
What is a persona? Personas are typically used by the private sector to create realistic representations of key audience members from customer bases. Government, however, has begun to use personas more to improve user experiences (both internal and external). For this guide, personas are used to represent important agency personnel who work in and around cybersecurity. These personas represent a diverse group of government user backgrounds, their challenges and their needs in relation to their jobs and cyber. Ultimately, these personas can help agencies understand how to equip all employee staff, regardless of role, with the practices and tools they need to perform better while keeping cybersecurity top of mind.
3
4
5
6
Acquisition Specialist
Agency Leader
Cyber Intelligence Analyst
Communications Specialist
Ensures any products or vendors acquired in an agency comply with cybersecurity regulations.
Leads in the development and planning of cyber strategies and communicates them throughout the agency.
Gathers and analyzes data in relation to cyber trends, threats and potential strategies.
Creates and maintains positive relationships between agencies and external partners as well as public media while communicating strategies and priorities in relation to cybersecurity.
9
Persona 1
Information Technology Specialist An information technology specialist works with computer-based information systems and deals with a number of software applications, computer hardware or both. An IT specialist designs, operates or maintains the tech products and manages services related to databases, web resources, networks and enterprise systems. This person is in charge of working with outside business vendors and partners and facilitating changes and/or modifications to an agency’s systems. It’s especially important that this person stay up to date on emerging technologies and the potential effectiveness of those advancements on an agency’s current systems.
10
What’s their connection to cyber?
An IT specialist will most likely be the frontline of an agency’s cybersecurity personnel. That means an IT specialist can be in charge of one or all of these duties: • Protecting systems by defining access privileges, control structures and resources • Determining security violations and inefficiencies by conducting periodic audits • Upgrading systems by implementing and maintaining security controls • Keeping users informed by preparing performance reports and communicating system status Overall, it’s the job of an IT specialist to keep cybersecurity at the forefront of agency priorities. If a system crashes or a cyber breach occurs, the IT specialist will be the first one a team turns to.
Top Challenges
Tools to Help
There are a number of challenges facing IT professionals in particular and much of them are tied back to cybersecurity, including:
As hackers up their game, even the most heavily staffed agencies are challenged in countering cyberthreats. That’s why government should take advantage of intelligent security technologies to deter, detect and disrupt, such as:
1. New technology: As technology advances, it can be difficult to keep up with all the latest devices, apps and software. At the same time, cyberthreats are advancing as well. That’s why IT Specialists need a solid understanding of the threat landscape in addition to an agency’s needs. As technology becomes more fluid, it’s up to IT to evaluate the organizational value of each new technology and determine whether it’s a good fit or not for the agency and whether it can help strengthen cyber posture. 2. Unstructured data: The even bigger challenge for IT professionals is that 80 percent of data is unstructured. Unstructured data, like plain text, email, blog, formatted document and even videos or web search logs, is much harder to analyze, which means it’s more difficult to detect cyberthreats. But it’s increasingly important for IT professionals to be able to mine and analyze this information in order to provide value to the agency mission while protecting government. 3. User systems: Desktops, laptops, notebooks, tablets and smartphones are already an integral party of many users’ lives. And because of this, it has become increasingly difficult to draw a line between the devices as well as differentiate which can be brought into agencies or not. Since tablets and smartphones already perform a number of the tasks completed by desktops, IT professionals need to be ready to help their organizations adapt to multiple user systems and authenticate multiple devices and entities. It’s also important for IT specialists to develop applications that adjust to the device users have available. 4. Shadow IT: While IT departments do all they can to improve the internal IT experience, acquisition processes are often outpaced by freely available technologies. That’s when impatient users turn to intra-department “super users” for help instead of the proper IT teams. But this can create serious cyberrisks as IT teams are left unaware of devices and technologies being used at the agency and are unable to monitor endpoints and vulnerabilities as needed. That’s why IT professionals need the right training as well as backing to better communicate and provide support for the needs of individual agencies.
• Security automation: A method that replaces manual labor and is more efficient and quick in responding to cyberattacks. Automation provides the ability for IT Specialists to counter cyberthreats stride for stride, by streamlining processes and workflows to create a more uniform and efficient environment. Additionally, automated technology provides fewer errors than well-intentioned, but highly overworked staff. • Machine learning: A type of artificial intelligence that provides computers with the ability to learn without being explicitly programmed. It focuses on the development of computer programs that can change when exposed to new data. Not only does this provide more accuracy in advance cybersecurity analytics, but it can also help ease IT staff workloads and provides a predictive element in detecting cyberthreats. • Big data analytics: The process of examining large datasets to uncover hidden patterns, unknown correlations, and other useful information, especially within unstructured data. With big data analytics, IT professionals will be able to save on time and costs on mining data in order to reveal any potential cyberthreats. • Shared services: The consolidation of business operations that are used by multiple parts of the same organization. The funding and the resourcing of the service is shared and the providing department effectively becomes an internal service provider. This is especially helpful for IT Specialists in having to monitor cybersecurity while navigating complex technologies and networks. Shared services is a way of eliminating redundancies and making it easier for endpoint security.
11
NICE Framework: A Reference Guide for a Stronger Cyber Workforce An Interview with Bill Newhouse, Deputy Director, National Initiative for Cyber Education
The National Initiative for Cyber Education Workforce Framework (NCWF), developed by the NIST-led National Initiative for Cybersecurity Education (NICE), is designed as a fundamental reference that provides organizations with a common, consistent lexicon to categorize and describe cybersecurity work. The NCWF is a vital resource that defines cybersecurity roles that enable our training and education providers to help us develop a talent pipeline that can meet cybersecurity workforce need of agencies, industry and critical infrastructure providers. The document is a culmination of many years of collaboration between industry, government and academia with the US Department of Defense and Department of Homeland Security being significant contributors. The need for NCWF stemmed from the nation’s focus on developing the pipeline of talent for the cyber workforce in addition to making sure the workforce would be prepared to meet the most pressing cybersecurity challenges. Before the NCWF was created, there was little consistency throughout the Federal Government in terms of how cybersecurity work is defined, described, and how the workforce is trained. Establishing and implementing standards for cybersecurity workforce and training is a foundational component of the Federal Government’s workforce plan. NIST has published the NCWF as NIST draft Special Publication 800-181.
12
While the NCWF has been in the making since 2008, some agencies are still figuring out how to employ it. To understand how agencies should use the NCWF to assess workforce needs, train and recruit personnel, GovLoop sat down with Bill Newhouse, Deputy Director of NICE. Newhouse’s role in the development of the document was to evolve the document into being a NIST special publication. Since 1990, NIST’s primary mode of publishing computer/cyber/information security guidelines, recommendations and reference materials has been the 800 series of publications. NICE recognizes the importance of this special publication and made its publication and promotion a strategic objective under the NICE strategic goal, Guide Career Development and Workforce Planning, which aims to support employers to address market demands and enhance recruitment, hiring, development, and retention of cybersecurity talent. Newhouse explained that the NCWF, more than anything else, serves as a dictionary rather than a prescriptive document. “We didn’t just try to explore the term cybersecurity, but also define different personnel and the different types of roles people would be in,” he said.
Assess Your Workforce Needs Newhouse advised that agencies first gain an understanding of their workforce needs and identify the key players they are looking for. The NCWF describes cybersecurity work in terms of Categories, Specialty Areas and Work Roles and offers a list of cybersecurity Tasks and the Knowledge, Skills and Abilities (KSAs) that one needs to have to perform that work role. To help understand the various roles of members within a cyber workforce, Newhouse drew an analogy to a beloved American pastime: baseball.
“Baseball organizations are made up of skilled players who must have specific knowledge, skills and abilities to play the game on the field. They also need to have stadium groundskeepers, trainers, medical staff, statisticians/data analysts, front office staff, fan support teams, concessions and a myriad of people in other roles who influence the success of the organization in measures that grow beyond wins and losses. Cybersecurity much like baseball requires multidisciplinary excellence for success. Some members of the cybersecurity workforce will use tools to defend our networks and data while others will build the tools needed by those defenders. Others will be involved in procurement, training, legal matters and many other areas. The KSAs they bring to the tasks they perform are a key to an organization’s ability to address and mitigate cyberrisks.”
“Once you’ve identified work roles within your cyber workforce, you can start looking for some common tasks or KSAs within those work roles. This allows an organization to look for training courses which are often described by mappings to the NCWF to meet their workforce KSA or task gaps,” Newhouse said.
The NCWF outlines the interoperability of cyber skills through seven categories. These categories are designed to provide an overview of the primary areas of practice that agency leaders and recruiters should seek in the cyber workforce. For instance, there is “Oversee and Govern” catered to leadership and management of cybersecurity work and “Operate and Maintain” catered to providing support, administration and maintenance of IT system performance.
Lastly, Newhouse recommended agencies use the NCWF to recruit personnel based on more than just years of experience or number of professional certifications. According to Newhouse, it is important that agencies adjust expectations, especially of newer talent. Often, agencies post vacancy announcements calling for five years of experience in addition to an industry certification. The problem is that there’s little evidence of open positions for the entry level professional, who are vital as the next generation of the cyber workforce. The NCWF framework can actually help agencies attract more students to your agency by using tools like DHS’s Pushbutton PD Tool that builds draft position descriptions. Then adjust job vacancy announcements to use consistent language recognizable to students, education and training providers, and hiring managers.
Newhouse said that agencies can use the NCWF to assist them in evaluating their own workforce to decide which skills and personnel they need most. Leaders and recruiters can then look within the seven categories to identify relevant work roles and tasks. Once agencies complete this stage, the next steps are to develop training methods.
Train Your Current Workforce There are more than 50 work roles defined in the framework, which highlights the need for a more wellrounded and diverse cyber workforce. These roles range from “cyber legal advisor” to “vulnerability analyst.” Each work role is defined by extensive sets of related KSAs and tasks. To ensure agencies adequately prepare all members of their cyber workforce to perform their best, training should be based on specialized skills and work roles rather than on blanket approaches that aren’t tailored to individual skillsets.
Not only should training be catered towards personnel on the cyber frontlines of an agency, but they should also be geared towards other members of an agency. For example, training HR managers on how to use the NCWF is particularly important so they can most efficiently identify recruitment needs and the right candidates.
Recruit Your Workforce
By using specific work roles from the NCWF and relevant KSAs and tasks, agencies can better tap into the relevant talent they need for their cyber workforce. “As the language of the framework evolves, schools can do a better job of guiding students in terms of what they’ll learn or do in government if they applied to certain cyber vacancies,” Newhouse said. As a collaboration between the public sector, private sector and academia, the goal of the leaders behind the NCWF is to help agencies and our nation’s industries and critical infrastructure providers build the most well-rounded and capable cyber workforces possible. Ultimately, Newhouse emphasized that the NCWF, if employed correctly, can be used to help agencies better assess their cyber workforce needs, train current personnel and recruit for the future workforce.
13
Persona 2
HR Manager An HR manager plans, directs and coordinates the administrative functions of an agency. This person oversees the recruiting, interviewing and hiring of new staff; consults with agency leaders on strategic planning and serves as a link between an agency’s management and its employees. Additionally, an HR manager leads the programs and policies as they apply to employee relations, compensation, benefits, safety, performance and staffing levels.
14
What’s their connection to cyber? While they may not have the expertise of frontline cyber personnel, HR professionals are actually uniquely positioned in cybersecurity. They need to understand the role of trained employees in cyberrisk mitigation. An HR manager can help improve the overall cyber posture of an agency by: • Facilitating ongoing education and training of new hires in cybersecurity • Mediating mock phishing campaigns and cyberattack exercises for employees • Convening stakeholder support to equip the workforce with necessary security awareness • Attracting the best IT specialists and cyber personnel through effective recruitment efforts • Notifying individuals in an agency if individuals are affected in data breaches or cyberattacks where personal information is stolen HR managers may not be cyber experts, but they play a significant role in determining an agency’s overall cyber preparedness. Specifically, they can ensure that any employee coming into an agency is well aware of potential cyberrisks and that personnel are trained to handle any cyberattacks accordingly.
Top Challenges
Tools to Help
HR managers face a number of challenges when handling shrinking agency budgets and shifting priorities. These challenges are all amplified when combined with attempting to strengthen an agency’s overall cyber posture, including:
While HR professionals have many decisions and priorities to balance in addition to cybersecurity, it can help to break cyber priorities down into predicting, preventing, responding to and detecting threats through these methods. HR mangers can also leverage:
1. Evolving threat agents: One priority for HR professionals is to know the cyberthreat landscape and keep up with the latest types of attacks. Cyberthreats are not just individuals seeking personal gain anymore. They’ve evolved into social, political attacks funded by larger organizations and even nation-states. This makes it even more difficult for HR professionals to help equip agency staff against threats when cyberattacks are getting larger and more unpredictable. 2. Shrinking talent pool: With government agencies already understaffed and an entire generation of boomers getting ready to retire, the pressure is greater than ever on HR managers to recruit and retain highly qualified professionals for cybersecurity. HR professionals will have to be more creative in collaborating with academia and other institutions to build talent pipelines for the cyber workforce. 3. Multiple priorities: In addition to hiring and training for cybersecurity, HR professionals must juggle a number of other priorities in the cybersecurity realm. These include knowing how to identify disgruntled employees and potential insider threats, enforcing regulatory compliance, employee security education and protecting critical human resources data (such as sensitive information of employees).
• Intensified hiring practices: The thorough vetting of employees to defend against insider threats. It’s important to consider additional scrutiny for sensitive roles and to compartmentalize data and access accordingly. HR managers should be sure to minimize access to an agency’s vital data, including when employees shift roles. • Online, anonymous reporting portals: Tools to help employees report any suspicious activity. This is especially important for spotting any disgruntled employees who could become malicious insider threats. Additionally, HR managers should reinforce peer reporting of mounting issues and keep track of any variant behavior in technology use. • Web-based security awareness training: Online educational sessions for employees about key cybersecurity issues, like information protection, password security and mobile security, that can easily be integrated into an agency’s current program. HR leaders can then customize the training, provide communication tools and deliver other services to help meet the agency’s particular security awareness needs and goals. • Social media profiles within the cybersecurity community: Engagement with potential cybersecurity hires that takes demographics into consideration. Agencies should ensure that HR managers set up accounts and profiles across various social media channels. HR managers should then engage young and entry-level talent such as students in college or even high school and create. They should also maintain an active social presence on professional networks like LinkedIn, Twitter and Facebook.
15
Defining the Future Cyber Workforce An interview with Connie Uthoff, Associate Program Director, Cybersecurity Strategy and Information Management Program, College of Professional Studies, George Washington University
The cyber workforce has long been a challenge for government. But the reasons aren’t simply that it’s hard to hire the right professionals and retain the ones government has. It’s also because government needs more than just IT skills to really strengthen agencies’ cyber posture. In an interview with GovLoop, Connie Uthoff, Associate Program Director of George Washington University’s Cybersecurity Strategy and Information Management Program, said government needs to look not just for IT professionals, but also HR, law and policy experts who can add well-rounded skillsets to the cyber workforce. “We don’t just need technical people,” Uthoff said. “We need leaders who understand enough about this landscape to make informed decisions. We need
16
lawyers to understand cyber laws and policies. We need hiring managers and directors to understand what’s needed in their own environment so they can hire the right types of people and provide appropriate training.” Uthoff said a clear example of this was OPM’s breach in 2014. “The problem wasn’t a technical problem: It was with leadership,” she said. “The leadership failed to recognize the severity of the threat and basically lacked the capability and knowledge of how to appropriately address the attack and respond effectively.” For government to better define the needs of its cyber workforce and recruit accordingly, Uthoff recommends strong coordination between the public, private and academic sectors, as well as strengthened education and training initiatives. “In light of the recent hacks from foreign governments, we have to understand other methods that will be effective in cyberdefense and how we should prepare against future attacks,” Uthoff said. “We need people able to understand each new area of cyber, such as diplomacy or sanctions. It will take a conversation between government, academia and the private sector to understand where the gaps are and prepare for the future.” In fact, the Joint Task Force on Cybersecurity Education, a collaboration between major international computing societies such as the Association for Computing Machinery, recently updated its curriculum guidelines for undergraduate degree programs in cybersecurity.
The report acknowledged that cybersecurity is an interdisciplinary course of study and includes aspects of law, policy, human factors, ethics and risk management in addition to computer-based discipline. The report also lays out the primary characteristics of a cybersecurity program to help guide academic institutions, including computing-based foundations in addition to emphasis on ethical responsibilities in the field of cybersecurity. The thought model outlined in the report has six knowledge areas. The first three are primarily technical in nature and the last three include topics not commonly taught in computing and engineering programs but with significant relevance to cybersecurity. These areas include: • Data security: Focuses on the protection of data at rest and in transit. • Software security: Focuses on the development and use of software that preserves the security properties of the information and systems they protect. • System security: Focuses on establishing and maintaining the security properties of systems, including data, networks, software, hardware and devices. • Human security: Focuses on protecting individuals’ personal data, their privacy and threat mitigation and includes the study of human behavior as it relates to cybersecurity. • Organizational security: Focuses on protecting organizations from cybersecurity threats and on managing risk to support organizations’ missions. • Societal security: Focuses on aspects of cybersecurity that can broadly impact society as a whole and includes topics like social responsibility, cyber law, ethics, policy, intellectual property and cultural and international considerations.
That’s why there are more emerging training programs and higher education programs dedicated to equipping professionals (with all types of backgrounds) with a broader understanding of cybersecurity. George Washington’s Cybersecurity Program, for example, trains professionals from various government agencies, as well as those in the private sector who seek to advance their careers by having a better understanding of the cyberthreat landscape while learning best practices for cyber hygiene. “Our program gives students a large overview of current and emerging challenges in cyberspace,” Uthoff said. “We discuss strategies and best practices so they can manage critical information and other systems when fighting against a variety of cybercriminals.” George Washington’s program provides a multidisciplinary curriculum, including concepts pertaining to criminology, law, public policy, technology management and military strategy. Such programs are now becoming the norm in the world of cyber academia and it’s important that government tap into the talent pipeline stemming from such programs. “Everyone needs to have awareness about human behavior. At this point, we need to talk about every person who uses a computer, laptop or smartphone and make sure they’re aware of the risks,” Uthoff said. “Then modify behavior accordingly so everyone can better understand cyberrisks and do what they can to make themselves safer.” Ultimately, building a better, more well-rounded cyber workforce for government will depend largely on the training and education programs that government taps into. It’s up to government to ensure that agencies appropriately define their cyber needs and look for professionals who don’t just fall under IT.
17
Persona 3
Acquisition Specialist Acquisition specialists in government oversee agency efforts to acquire products, property, services and employees. They are primarily in charge of developing and reviewing acquisition strategies and have strong analytical, research and problem-solving skills. They develop requests for proposals and statements of work. They also support analysis and evaluation of proposals. A large part of an acquisition specialist’s job also involves administrative tasks such as managing vendor databases, creating and processing purchase orders, drafting acquisition-related documents and creating a company’s acquisition guidelines and tactics.
18
What’s their connection to cyber? An acquisition specialist needs to make sure that, no matter what he’s procuring for the agency, cybersecurity is included in the provisions. Additionally, an acquisition specialist can support cybersecurity efforts by: • Acquiring protections for products that may create new vulnerabilities • Keeping up with the latest in technology to ensure products are up to date in security standards • Ensuring that acquisitions are quick and agile since threats evolve rapidly • Assessing and providing strategies to mitigate cyberrisk in acquisition programs The main role of the acquisition specialist is to provide specialized expertise, methods and models to support an agency’s procurement, contracting, program management and systems engineering activities.
Top Challenges
Tools to Help
During procurement, an acquisition specialist always has to make sure that cybersecurity is a top priority and that any vulnerabilities in the products or services are addressed when going through the contract process. This creates a number of challenges, including:
When managing the procurement of anything from talent to products to IT services, these tools can help acquisition professionals:
1. Fragmented goals: The involvement of a number of specialists with particular expertise and independent goals often results in differing views of the agreement in question. This can make it more difficult for acquisition professionals to integrate relevant perspectives and ensure that cybersecurity is kept top of mind. 2. Increasing momentum: Pressure to close a deal quickly can prevent acquisition professionals from fully considering cyber, strategic and organization fit issues. For each acquisition, managers should consider what’s accelerating the process and distinguish whether they have to do with the agency’s mission or with individual career and ego issues. 3. Unresolved expectations: To reduce the potential for disagreement during the acquisition negotiating process, the acquisition professionals and vendors often agree to disagree for the moment and postpone resolution of difficult issues. This, however, can lead to ambiguity, with issues like cybersecurity being left on the backburner.
• Performance-based acquisition strategies: The Department of Interior (DOI) lays out seven steps to performance- based acquisition starting from managing a team to managing the performance of that team. However, this can be applied to any acquisition area. Because of the comprehensive nature of these steps, it can be easier for acquisition professionals to set standards and prioritize cybersecurity from the beginning of the process. • CALC: A powerful new labor category and pricing research tool called the Contract Awarded Labor Category (CALC) tool. Built by the Professional Services Category and 18F, this tool allows contracting officers and specialists to conduct research and price analyses for professional labor categories across a database of contract-awarded prices. These include 48,000 labor categories from more than 5,000 recent GSA contacts. Acquisition professionals can be sure they’re working with trusted government partners and enhance their cyber goals. • Program Protection Plan (PPP): An outline provided by the Department of Defense that provides guidance for integrating the acquisition process with managing risks and advanced technology as well as missioncritical functionality. The document also provides guidance to acquisition professionals to create their own PPPs to help them more consciously think of threats and vulnerabilities, security measures and what programs would ensure they can adequately protect their programs and information.
19
TRACK, PURSUE, AND NEUTRALIZE THREATS.
The longer threats remain undetected, the more damaging they become. Take control of your information and fight threats on your terms. It’s time to start advancing security. Take the next step at symantec.com
© 2016 Symantec Corporation. All rights reserved.
Leveraging Integration and Security An Interview with Rob Potter, Vice President of the Public Sector, Symantec IT professionals in government face challenges every day creating systems, platforms and protocols that protect agencies from dynamic cyberattacks like malware and ransomware. They must strike a balance between having information accessible to users and protecting the information from hackers. This task is even more difficult in the public sector because IT professionals must also navigate political mandates, policy changes and tight budgets. GovLoop recently sat down with Rob Potter, Vice President of the Public Sector for Symantec, a leader in cybersecurity, to discuss how agencies can leverage integrated platforms to increase their capabilities while ensuring their information is secure. Being able to balance integration and security is crucial for agencies because it will allow decision makers to trust the integrity of the information for policy decisions, while simultaneously ensuring that internal users can access information appropriately. The most challenging aspect of securing government information is that they live in an environment where the attack surfaces at agencies are changing with the incorporation of each new contractor or platform. Recent breaches have proved that, “agencies have to focus on the infrastructure and the perimeter, as well as protecting content,” said Potter. Although breaches may be difficult to stop, agencies can mitigate the damage of breaches by making sure that for each critical function or asset, there’s a control commensurate with that asset. Agencies can then protect specific content and restrict which roles can access sensitive information. This involves assessing what content an agency has, how it should be protected and who should have access to which pieces of information so that the information can be used across to deliver on the agency’s mission. By managing identities and using content specific solutions to communicate and protect information, employees can be shielded from serious cybersecurity threats. They can trust that they are making decisions that will advance the agency mission based on uncorrupted information. Solutions like Symantec’s integrated cyber defense platform ensure that IT leaders can manage cybersecurity and information access from a single platform. The platform integrates information, user profiles, web security and email messaging security. This allows users to operate efficiently and communicate within an environment, while helping agencies prevent security gaps across systems. Potter specified why integrated platforms must secure these four aspects of digital content:
• Information: Agencies need to be able to trust that their data and information is accurate and reliable because they will be making important decisions based on it. That means agencies must be able to control who is modifying the content. • User Profiles: Users and partners need remote access for collaboration, which involves authenticating both the user and the environment to which they have access. The users need to comply with the standards and policies of the environment as they interact with the data and the infrastructure. • Web Security: Securing interactions with the web doesn’t just mean protecting the platform from the internet, but also determining how employees interact with cloud based applications and other resources connected to the web. Agencies should also put controls around how content is moving in and out of the perimeter for daily operations or storage. • Email Messaging: Email communications internally and externally must be encrypted and protected from phishing scams and ransomware, and the best way to protect technologies from these threats is through user education. “If you have a platform that allows you to communicate with your web provider, identify content, define policy around that content and control how people are coming in and out of your environment in terms of the way that they collect information,” said Potter, “it’s going to create a greater level of intelligence and visibility inside your environment.” Internal integration is achieved by ensuring that different technologies are using the same communication and development protocols and processes, and the more agencies can leverage integrated capabilities, the smaller the gaps are in the platform. The integrated cyberdefense platform is also an open platform so it can integrate with platforms and products from multiple vendors and contractors. That way, agencies can build upon investments they have already made in technology while integrating new technologies into the overarching infrastructure and strategy. Although keeping dynamic government IT systems secure and user friendly may seem like a daunting task, leveraging integrated platforms will reduce gaps in cybersecurity perimeters and make agencies more efficient. If agencies concentrate on increasing control over information content, user profiles, web interactions and messaging through an integrated security platform, then IT and non-IT employees can leverage organizational capabilities to gain better insight into operations and missions.
21
Persona 4
Agency Leader An agency leader is someone who holds a high management position in an agency. Their job titles can vary from Senior Executive, to Secretary, to Chief Information Officer (CIO) or Chief Information Security Officer (CISO). While some of these roles, like a CISO, are directly tied to cyber in their day-to-day tasks, others indirectly drive cyber priorities through their position at the top of an agency. Regardless of how deeply they are immersed in the realm of cyber, agency leaders’ main cyber goal is to make sure their organizations have robust practices in place so that they will not be infiltrated.
22
What’s their connection to cyber? While their jobs may not be explicitly cyber-oriented, cyber issues permeate many aspects of agency leaders’ jobs. In relation to cyber, agency leaders are responsible for: • Developing and maintaining an action plan for any breaches that occur • Integrating cybersecurity into the agency’s mission and communicating this to other leaders and agency employees • Setting cyber priorities for the agency as a whole and hiring employees who can make sure these priorities are met
Top Challenges
Tools to Help
Agency leaders face a number of cybersecurity challenges, including:
Agency leaders can feel the most pressure in overcoming the cyber challenges they face, as they are the faces of their agencies. In order to maintain secure networks and processes at their agency, organizational leadership should focus on tools like:
1. Lack of cyber experience: While CISOs may be extremely knowledgeable about cybersecurity issues and best practices, other members of the C-suite and executive leadership may face a learning curve in understanding how to implement a cyber strategy. In order to counter this, agency leaders can leverage their workforce and advisors to gain a more robust understanding of cybersecurity and what it means for their agency. 2. Competing priorities: For most agency leaders, cyber is just one thing on a list of many items that need funding and resources. It can be difficult to prioritize cybersecurity with competing agency goals and shrinking budgets. 3. Legacy IT: Most agencies have legacy IT systems and processes that are difficult to modernize. The modernization process can be cumbersome and slow and many burgeoning cyber solutions are unable to work effectively on legacy systems. Agency leaders must work to place a higher priority on modernization projects that allow robust cyber practices to flourish. 4. Complex strategies: While maintaining secure networks is critical to driving mission success, often agency leaders must get creative in implementing strategies that do so. Good leadership can overcome implementation challenges by relying on their workforce and engaging them in the cyber strategy implementation, clearly communicating how decisions were made and what the strategy will look like moving forward and conducting informational sessions to foster buy-in from all key stakeholders and employees.
• Other agency’s frameworks: There is no need to reinvent the wheel when other agencies have robust practices that have helped them avoid breaches. Agency leaders should look at the cyber frameworks that other agencies are implementing and adopt the pieces that fit their organization. It can be overwhelming, however, to examine every agency’s different cyber strategies. In order to save time and money, NIST’s Cybersecurity Framework can be a helpful tool to guide an agencywide cyber strategy. • New technologies: Staying on top of technology trends in government like IoT applications and collaborating with civic tech movements can help leaders stay ahead of the cyber threat landscape. Whether it is a complete IT overhaul, security automation or developing analytics tools, innovative technologies have the potential to help agency leaders meet their cyber goals. • Partnerships and networks: Whether at the federal, state or local levels, agency leaders should foster collaborative partnerships with other agency leaders to share ideas, talent and best practices. For example networks like the National Association of State CIOs (NASCIO), for can help agency leaders share knowledge and insights with others in order to enhance technological innovation and cyber posture.
23
The People Behind State and Local Cybersecurity An interview with Barry Condrey, Chief Information Officer of Chesterfield County, VA The massive amount of valuable data housed by state and local agencies – like Social Security and driver’s license numbers, credit card information and health-care records – is an attractive target for cybercriminals. That makes it imperative for local governments to invest in their cybersecurity efforts, especially the cyber workforce. But the typical state or local government agency spends less than 5 percent of its IT budget on cybersecurity. These agencies also often face budget constraints and competing priorities as well as staffing shortages. How can these agencies better invest in people to enhance cyber posture while navigating such constraints? The government of Chesterfield County, Va., offers a few answers. Often cited as a leader in the state and local realm for its performance on cybersecurity, Chesterfield County was a finalist in 2013 for the Center for Internet Security’s (CIS) Best of the Web contest, which recognizes state and local governments and their websites that promote cybersecurity.
24
In an interview with GovLoop, Barry Condrey, CIO of Chesterfield County, discussed how his team has advanced cybersecurity with tactics like gamification in training, hiring for a well-rounded cyber workforce and enforcement of good hygiene practices. Virginia’s local government structure is unique because cities do not reside within counties and are considered independent. This means that counties need to maintain a full set of provisions and services to their citizens. But Condrey said that the county’s position in the state has actually been advantageous in allowing his team more opportunities to provide better services while maintaining good cyber practices. This is because counties don’t have to compete with internal cities for resources and have their own internal IT structures. The 100 staff members in the department provide services to meet the needs of 340,000 citizens and an additional 4,200 county employees. “What helps is that we’re a consolidated operation, so we have very little IT outside of my department,” Condrey said. To maintain a strong cybersecurity posture, Condrey said his department is moving toward a focus on better training methods, specifically incorporating individualized simulation-testing and gamification. “Training should be based on your role in the organization and more individualized that way,” Condrey said. “So now, we plan to incorporate more real-world testing with random samples of employees, such as spam and phish testing.”
Human errors are one of the leading causes of data breaches in organizations. Breaches can result from employees unwittingly opening a malware-infected email attachment, clicking on a link to a malicious site or carelessly attaching a virus-infected thumb drive to the agency’s main computer system. But even when instructed through organized training, many employees continue to ignore security rules and principles, especially when faced with fast-approaching deadlines and overdue tasks. This problem is exacerbated when security rules are often perceived as mundane and cumbersome. Gamification can help with training measures by taking out the mundane and making training more realistic and practical, engaging and even fun for employees. While incorporating more engaging tactics for training can help improve the cyber workforce, there’s also the challenge of assembling the workforce itself. When it comes to hiring cyber personnel, Condrey said his team focuses on finding people who think outside the box. “We need people who are always trying to improve and figure out why things are the way they are,” Condrey said. “This is because cybercriminals are constantly evolving and doing new things.” Condrey also stressed the importance of hiring people who have more than basic technology skills. Cybersecurity personnel should also have strong customer service and communication skills, as well as the ability to organize processes and manage people. “We’re not just interested in people who are technologists,” he said. “Cyber is much more about the habits, practices and patterns of management in the environment you’re trying to protect. It’s not about the bits and bytes anymore; it’s really more about the people in cyber.”
As for the employees who can play the biggest role in cybersecurity in Chesterfield County, Condrey said that they don’t just belong to the IT world. “Our purchasing department is very important,” he said. “So is our leadership team. Leaders need to know who to have at the discussion table in terms of prioritizing for cybersecurity.” Condrey also emphasized the importance of accounting and public safety for cybersecurity. Accounting departments have many FOIA requests to process (with massive amounts of personal information being handled). Police departments have a lot of data to analyze, like information processed from body cameras or crime demographics in various neighborhoods. To get on Chesterfield County’s level, Condrey advised two tactics that agencies should encourage all employees to practice. First, employees should be on the lookout for cyberthreats. “Be careful with all your external communications and never make assumptions about emails or messages from outside organizations,” Condrey said. “Look for inconsistencies.” Second, employees need to be aware of the type of data they use. Whether it’s PII or other sensitive information, make sure every employee is educated about good hygiene habits and practices. “Ask them to be aware about the type of data they’re sharing and processing,” Condrey said. “Whether it’s low-risk, medium or high, sensitive information is stuff you never want to leak outside your agency.” Chesterfield may have a unique advantage being a county within Virginia, but that doesn’t mean that other state and local agencies can’t strengthen their cyber posture. With Condrey’s advice and tactics like gamification in training, looking out for the right people to hire in the workforce and knowing the people you need, your agency can dramatically improve cybersecurity practices and be ready for any cyberthreat.
25
Persona 5
Cyber Intelligence Analyst A cyber intelligence analyst is an information security professional who uses her skills to help counter the activities of cyber criminals and malicious actors. In order to effectively do this, cyber intelligence analysts must possess technical skills, including network and operating system security, computer network intrusion detection systems, firewalls, IT network-based attack methodologies and incidentresponse technologies.
26
What’s their connection to cyber? A cyber intelligence analyst collects intelligence on the threat environment and actors. She also distills and translates that data into a threat assessment that drives an organization’s cyber priorities. A cyber intelligence analyst will support cybersecurity by: • Conducting technical research on cyberthreats, criminal activities on the internet and the people who are perpetrating these crimes • Analyzing large quantities of data in order to draw conclusions about the threat environment • Projecting trends on cyber criminals through intelligence analysis Essentially, the job of a cyber intelligence analyst is to comprehensively understand cyber threat actors, their motivations and the tools and tactics they employ. The information they gather allows agencies to stay ahead of current threats and better inform their cybersecurity decisions.
Top Challenges
Tools to Help
Cyber intelligence analysts face these challenges unique to their role:
As the role of cyber intelligence analyst continues to evolve, so do the tools that can help these analysts perform more effectively. Cyber intelligence analysts need clearer objectives and better training. Agencies can take advantage of these tools to achieve more effective analyst practices:
1. Underdeveloped role: One of the biggest challenges for cyber intelligence analysts is that their role in the IT world is relatively new and inherently underdeveloped. This can make it difficult for organizations to find and train cyber intelligence analysts effectively. 2. Threat assessment: While it is integral to a cyber intelligence analyst’s job to detect and counter evolving cyberthreats, nefarious actors are getting more and more savvy with their methods of perpetrating digital crime and infiltration. This can make it difficult to prioritize threats, as every new attack or methodology seems to be worse than the last. It is critical that cyber intelligence analysts are cognizant of this and use their technical skills to identify the biggest threats to government’s networks, instead of focusing solely on the newest and flashiest attacks. 3. Big data: Cyber intelligence analysts have to sift through and analyze massive amounts of data. It can be challenging to identify what pieces of data are important in developing a threat assessment and what data are just noise. Analysts will need to stay on top of their training and effectively leverage their technical skills in order to process all the data into helpful intelligence products.
• Dual-track development training model: Conceptualized in the Cyber Intelligence: Preparing Today’s Talent for Tomorrow’s Threats white paper, a dual-track development training model emphasizes the training of technical and analytical competencies differently. The track model can be adjusted for each individual, depending on the analyst’s background and experience, the proficiency level required to meet their responsibilities and whether they are operating at a strategic, operational or tactical level. This competency-based framework prescribes training catered to professional tracks an analyst might follow and works to effectively develop and employ the right person for the right role. • Targeted training and education programs: Employing a competency-based framework allows agencies to develop training and education programs that target each track a cyber intelligence analyst can take. Programs should be tailored to entrylevel analysts, cyber intelligence professionals or senior executive levels, acknowledging the set of competencies and proficiencies that are unique to each level. Individualized training programs meet the cyber professionals where they are in their careers, allowing them to develop more robust skillsets and tackle some of the challenges that cyber intelligence analysts face. • Professional certifications: While most cyber intelligence analyst positions require a bachelor’s degree, certifications are another way to ensure analysts have the most robust skillset to do their job. Some of these certifications include the Certified Information Systems Security Professional, Security+, Information Systems Security Engineering Professional and Global Information Assurance Certification.
27
How Open Source is Driving Innovation in Cybersecurity An interview with Shawn Wells, Chief Security Strategist, Public Sector, Red Hat Protecting against today’s relentless and adaptive cyberthreats requires continuous monitoring and ensuring that rigorous security protocols are built into agency solutions and systems. But providing the investment and support needed for sophisticated security technologies can strain government budgets already stretched thin. Additionally, it can often seem like cybersecurity and technological innovation contradict each other. That’s why government should look to open source strategies and solutions for their cyber needs. In fact, secure, open source solutions are being used throughout the federal government already, from processing Medicare claims at the Centers for Medicare and Medicaid Services (CMS), to handling airplane traffic at the Federal Aviation Administration (FAA). To learn more about how open source solutions can achieve the security and innovation government needs, GovLoop sat down with Shawn Wells, Chief Security Strategist for North America Public Sector at Red Hat. Red Hat is a company dedicated to delivering the latest software technologies that are secure while allowing access to a community of experts, making software the open source way. “Open source is a method to bring organizations together with common problems,” Wells said. “For example, everybody has insider threats and everybody needs a web server. So why not identify areas of commonality where different mission elements are really doing the same thing? Why not work together on creating secure web servers?” Open source helps agencies identify common solutions by bringing together communities of developers, practitioners and even those who simply want to learn about how the latest innovations can combat the latest cyberthreats. By adopting an open source strategy, agencies are also changing the ways they innovate and partner with external stakeholders. Traditionally, when a new benchmark or requirement was issued, agencies found new needs to address, so they would request that private sector companies develop solutions. Wells explained though, that the open source process is allowing agencies to directly contribute to innovations and emerging security solutions by enabling individuals to develop strategies and tools that improve an agency’s security posture. “When government agencies start participating in the development of the technology, prior to the production and manufacturing, they get an intrinsic voice in how the technology innovates,” he said. For example, a U.S. intelligence community element needed to develop a capability to process large amounts of signal and satellite data. The data feeds came from multiple defense, intelligence, and civilian agencies -- meaning different classifications, such as Secret and Top Secret. However,
mission success was dependent on merging the data together during analysis. The solution was to build one of the first cross-domain supercomputers in the U.S. Department of Defense (DoD). Lockheed Martin, as the prime contractor, began working on an open source solution. By working with a community of developers to share ideas and potential code, the U.S. intelligence element was able to create a secure and innovative platform that fulfilled mission need and complied with the security protocols of over 12 different agencies. The DoD found that other coders in the intelligence community were also having trouble creating secure supercomputing platforms that could simultaneously process multiple classifications of data. By open sourcing the core baseline, the DoD and intelligence community were able to spread this solution and help other agencies. The community of practice continues to institutionalize an open culture to find solutions to other common issues. Agencies may need cloud computing, virtualization, big data or other innovative technologies to improve mission capabilities. Regardless of which technology innovation your agency may need, open source strategies and solutions can help you achieve your agency’s goals while strengthening cyber posture. Red Hat solutions offer these features: • Security is written into the software. When your vendor co-develops with you, your agency can build in the security capabilities needed, rather than trying to add them after the software’s release. • Compliance is made easy. Pre-configured baselines are delivered that have already been tested and accredited with government’s most rigorous security requirements, including FISMA and DoD’s Security Technical Implementation Guides (STIGs). • Security exceeds traditional standards. Red Hat’s Enterprise Linux 6 and 7 platforms, for example, offer NISTcertified encryption that protect your agency’s data at rest and during transport across networks. More importantly, with Common Criteria certification for both hypervisors and containers, Red Hat allows you to create and secure virtualized IT environments in the cloud. • Vulnerability updates are delivered automatically. With Red Hat, 98 percent of critical vulnerabilities have had updates available the same day or next calendar day. As agencies plan their technology investments, they must carefully balance their innovation needs for improved efficiency and performance with an equally strong need for security. Secure, open source solutions and strategies can help your agency achieve these goals, even despite constrained resources. With Red Hat, you get open source’s agility and the ability to quickly innovate while also satisfying uncompromising requirements for security.
29
Persona 6
Communications Specialist
What’s their connection to cyber?
A communications specialist must create and maintain positive relationships between their agency and any external partners, as well as the public using media outlets. He produces press releases and manages public events, while helping to maintain an agency’s public image. A communications specialist is also in charge of internal and external announcements and oversees programs that describes the agency as well as its services. A manager in this field would supervise the public relations staff, create communication strategies and may even serve as the key spokesperson and media contact for the agency.
30
While a communications specialist may seem like the most far-removed position from cybersecurity, it’s extremely important that this person understand how cybersecurity relates to the agency’s mission and goals to effectively communicate with stakeholders, especially the public. In relation to cyber, a communications specialist can help by: • Providing internal and external IT communications support • Relating with the public in times of crisis, such as data breaches, to address questions and represent the agency • Developing and implementing agency communications strategies to ensure consistent, relevant and timely messaging • Researching and staying on top of the latest cyber trends to be better informed when interacting with media and the public It’s the job of a communications specialist to know what the agency’s priorities are in relation to cybersecurity and effectively relay any relevant information to the public or any stakeholders.
Top Challenges
Tools to Help
Staying on top of an ever-evolving cyberthreat landscape while ensuring swift and effective communications can be a lot to juggle. In relation to cybersecurity, the top challenges are:
Communications specialists can be better equipped to prioritize cybersecurity in their roles with these tools:
1. Cascading system: Communications specialists often rely on managers to pass information down to their direct reports, but this is often an ineffective system. Cascade communications can be like the game of telephone, often leading to messages getting lost in translation, which can be risky when trying to mitigate cyberthreats. Any miscommunication could confuse agency staff and lead to cyber vulnerabilities opening up in the agency. 2. PR Crises: With government constantly under public scrutiny, the likelihood of communications professionals having to deal with PR disasters, be it via social media or other outlets, has increased astronomically. Data breaches or cyberattacks are even more scandalous and chaotic for communications staff to handle. The way such staff manage these crises can make or break an agency’s image. Communications specialists have to balance the interests of their agency while being accountable to the public, which can become difficult to balance. 3. Converged media: Writing a press release no longer consists of physically writing and mailing the content to national publications. The lines between PR, marketing and social media have blurred dramatically, making the communications process even more complicated. This is compounded when considering information security as well. It’s important that communications professionals stay on top of the latest technology to better communicate while being aware of the cyberthreat landscape.
• Multichannel communication: Email, written correspondence, phone calls, social media and other outreach mediums that are managed in a more personal manner. Email systems that import contacts from LinkedIn and other social media sites allow for messages to automatically be directed through text, as well as email. This can ease a communications professional’s job of managing relationships and maintaining a good image for the agency while ensuring information security. • Media management platforms: Automated media management systems that allow for communications professionals to swiftly schedule posts and correspondences and track engagement from one platform. These platforms tend to have databases that can help communications professionals plan and evaluate individual campaigns for agencies, as well as identify important contacts. More importantly, these tools help ensure that important information is not being accidentally leaked from the agency and that PII is stored securely in automated systems that reduce human error. • Internal messaging applications: Team-based messaging tools that help communications within an agency be more integrated, seamless and easy to access. Ideally, conversations are divided into channels that anyone can quickly jump in and out of to get the information they need. For communications professionals, this addresses problems with cascading communications and allows sensitive information to be kept within the agency. Comms professionals can use such applications to quickly get the information they need with regard to cybersecurity or any other press matter and deliver it swiftly and accurately to necessary audiences.
31
Conclusion While IT professionals continue to play leading roles in securing government information, cybersecurity is the job of every agency employee today. In order to combat the everevolving threat landscape, government needs to focus on training and equipping a well-rounded workforce. That means that all types of employees – whether in IT, HR, communications or agency leadership – need to be knowledgeable on cybersecurity and the tools that can help them perform better while staying on top of threats.
32
Developing personas can help an agency understand individual personnel’s unique relationships and challenges with cybersecurity, thereby helping an agency understand where the gaps are in strengthening its cyber workforce. The following personas can help get a better, holistic picture of who should be considered when strengthening the workforce and defending against evolving cyberthreats: • IT Professional: Serves as the frontline cyber personnel and defends networks, technology equipment and software. • HR Manager: Acts as gatekeeper of cyber training and is responsible for recruiting and hiring the right talent for cybersecurity. • Acquisition Specialist: Ensures any products or vendors acquired in an agency comply with cybersecurity regulations. • Agency Leader: Leads in the development and planning of cyber strategies and communicates them throughout the agency. • Cyber Intelligence Analyst: Gathers and analyzes data in relation to cyber trends, threats and potential strategies. • Communications Specialist: Creates and maintains positive relationships between agencies and external partners as well as public media, while communicating strategies and priorities in relation to cybersecurity. With these six personas, agencies can have a better understanding of who they need to have on their team and the variety of skills they bring to the table. What is abundantly clear is that training, education and hiring initiatives should not have any blanket approaches but should look at individuals and their unique skillsets. That way, government can better empower the people behind cybersecurity and maintain a stronger cyber posture.
Thank you to BeyondTrust, HP, Symantec and Red Hat for their support of this valuable resource for public-sector professionals. About GovLoop
Authors
GovLoop’s mission is to “connect government to improve government.” We aim to inspire publicsector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government.
Francesca El-Attrash, Staff Writer Michael Steinberg, Editorial Fellow Courtney Belme, Editorial Fellow
Designers Kaitlyn Baker, Lead Graphic Designer Marçal Prats, Design Fellow
For more information about this report, please reach out to info@govloop.com. www.govloop.com | @GovLoop
33
1152 15th Street NW, Suite 800 Washington, DC 20005 Phone: (202) 407-7421 | Fax: (202) 407-7501 www.govloop.com @GovLoop