When it comes to educating and mentoring the next generation of CSOs and CISOs, the answer is pretty clear – the path is very uncertain.
Not a day goes by without the latest and greatest industry report and news headline on enterprise security leadership – physical, logical and cyber. Google “security” and “leadership,” and you’ll find a ton of research and opinions as to what make a good security leader, and what’s lacking to find the next generation of leaders.
For example, it has been widely reported that there is a shortage of cybersecurity professionals, which are sorely needed to mitigate cybercrime.
One area of shortage is the DHS. In April, the New York Times reported that DHS is having difficulty recruiting much-needed computer security experts because it cannot match the pay of the private sector and does not have the same allure as intelligence agencies.
“We are competing in a tough marketplace against a private sector that is in a position to offer a lot more money,” Jeh Johnson, the Homeland Security secretary, told senators at a hearing. “We need more cyber-talent without a doubt in DHS, in the federal government, and we are not where we should be right now; that is without a doubt.”
The Obama administration and Congress approved the Cybersecurity Enhancement Act of 2014, which among other things emphasized recruitment of a cybersecurity workforce for the government, the Timesreport said. “But DHS, even with a reported 691 people staffing its cybersecurity division, has not been able to recruit a work force to match the threat. The Office of Personnel Management, with the approval of Congress, has given the department the authority to hire up to 1,000 workers by the end of this month,” the Timesreported.
In addition to pressure from the private sector, department officials say they also find themselves competing against government agencies like the National Security Agency and the Department of Defense for top talent, the Timesreport said. “The deck is stacked against us a little bit,” said Phyllis Schneck, deputy undersecretary for cybersecurity and communications at the Department of Homeland Security. “So what we are pitching to people is to explore a hybrid: Do a private sector career and then come and do some time in government. It can be a positive experience in both areas.”
This may sound ironic to many physical security executives; while many security leaders started in public sector security and migrated to private sector enterprises, cybersecurity talent is often drawn straight to the perks, privileges and pay of the private sector, leaving government agencies out of the loop. However, just as security management is seeing more business management talent being drawn in as the new generation of CSOs, so can government hope to foster additional public sector cybersecurity talent, potentially through educational institutions.
However, there’s also a shortage in how future CSOs and CISOs are being educated, as almost all the top American computer science programs fail to prepare their students for a cybersecurity attack, according to a study by Cloud Passage.
The study measured the computer science and engineering programs at 121 American institutions, including all 50 of the top ranked computer science schools in the 2015 edition of The U.S. News and World Report. The results found a lack of student options for training that the authors argue is playing a significant role in the continually increasing cybersecurity risks nationwide.
The analysis found that not a single one of the top 10 schools required any cybersecurity education from their graduates. Not only was cybersecurity training not required, but sometimes it wasn’t even an option, as three of the top 10 programs do not even offer electives in cybersecurity, perhaps creating some doubt about whether those schools truly deserve their prestigious ranking.
The researchers also measured their results against the Business Insider’s list of top 50 U.S. computer science programs, and found that among their top 50 schools, only three required any form of cybersecurity training. Of the three schools on the Business Insiderlist, only the University of Michigan – Ann Arbor, which was ranked 11, was in the top 45. The other two, Brigham Young University and Colorado State University, ranked 48 and 49, respectively.
Of the 121 universities studied, only five – Rochester Institute of Technology (10 security electives), Tuskegee University (10), DePaul University (9), University of Maryland (8) and University of Houston (7) – offer at least seven different cybersecurity elective courses. Of the five listed above, only one – Rochester Institute of Technology – is listed on Business Insider’s top 50 list.
Of all the universities studied, the one that required the most cybersecurity education was the University of Alabama, which wasn’t ranked in either list. Alabama was the only one of the institutions studied to require three or more cybersecurity classes from all graduates, and even required a fourth class from its computer science majors.
Overall, how are we as an industry and a society training, educating and attracting new CSOs and CISOs?
There isn’t one clear path, and that’s part of the difficulty, says John Turey, Senior Director Enterprise Risk Management & Global Security, for TE Connectivity.
“There are many great educational offerings available through outstanding industry organizations and in academia, but there’s no one educational road map to get the precise training based on where you want to go with your career,” Turey says. “There’s no consistent program for you to map your competencies and development opportunities to in managerial areas. It would be beneficial if [all programs] got together to say ‘Here’s the map and the job descriptions and the educational programs that you need.’ That would help to level the playing field and guide our future leaders,” he says.
Turey adds that another challenge in developing future leaders is the gap in teaching a risk-minded business management approach versus a “technical” approach of learning and applying physical security and asset protection, for example. “We need to make a shift to focus more on the business risk and how to apply the skills to mitigate risks. We also need to teach more soft skills, versus an emphasis on technical skills, he says.
Over the past 10 years, this sentiment has been echoed in the annual Security 500 Report. Through the metrics of this report, Securityeditors have seen the evolution of security management as a predominantly “guns, guards and gates” physical security mindset to a risk-centric, business enabling field. However, this has been ultimately a result of trial and error – the hard-learned lessons resulting from terrorist attacks like 9/11, shrinking budgets and resources, changing technology, and enterprises’ overall reliance on security keeping supply chains, employees and facilities safe and active. However the next generation of security leaders won’t have the benefit of a 30-year security or law enforcement career to get acclimated to this new environment. They need to hit the ground running – with understanding of cybersecurity threats, global risk awareness, a strong grasp of business goals and practices and more – and the path to this level of knowledge is often nebulous at best.
One of the challenges to finding a unified path forward for new security leaders is that the job of a CSO or CISO can be radically different from enterprise to enterprise, with different reporting structures, responsibilities and risk appetites.
Chris Rackow, Senior Vice President and Chief Resilience Officer for AECOM, has led the effort in ISMA to develop a new leadership development program targeting future leaders in security. Through his work with ISMA, Rackow says that focusing on corporate security alone is not realistic to meet how the world functions today. “Companies typically have a CSO overseeing corporate security function, but they are also expected to take on a significant amount of grey areas as part of their remit,” he says. “It’s not an effective way for a company to be resilient.” At AECOM, he’s the Chief Resilience Officer, versus CSO, and he pushed for that going in to the role, with direction and support from his CEO, he says “to ensure that we can pursue, protect and sustain business operations anywhere in the world. Security, as a concept, needs to be redefined. If you want to be relevant, you have to understand that there is no longer a difference between the virtual and the physical world. We need to train forward as opposed to training to yesterday. We need leaders that appreciate how radically different the global landscape and the pace of change is.”
Like Turey, Rackow sees the need for security leaders who come from government to receive private sector business training. “There are some amazing minds and talent in the government sector, but when you work within the government space, the thinking tends to be the same; there isn’t a lot of 360-degree diversity of thought. In the private sector you could be in a room with 10 different outlooks stemming from 10 different backgrounds across the world.”
“One area the security field is not doing well with is cultivating leaders with emotional and cultural intelligence; we need people with better soft skills,” Rackow continues. “At ISMA we talk about the leadership skills, and what the key skill sets are that makes a leader successful. Being a good manager is easy because it’s essentially running a process from beginning to end. It’s the leadership part that’s more difficult, as it is all about the interaction between people.”
Tim Murphy is a former government leader, having served as former Deputy Director of the FBI. Now President of Thomson Reuters Special Services, he’s still a strong advocate of leadership development within the FBI and with local law enforcement through the FBI’s National Executive Institute. Murphy was also deputy co-chair of the FBI/DHS Domestic Security Alliance Council.
His take on the challenges with DHS trying to find cybersecurity professionals is clear: “The demand on the private side is so high, and the pay is better,” he says. “There is only so much that you can do in the government space. But I do think that the next generation of security leaders will be brought up to be more cyber-literate. It’s also true that the private sector has a hard time finding new cyber leaders. Cyber requires a different level of talent. On the physical side, we’re still debating where the CSO should sit [within the enterprise.] CISOs and CSOs don’t report to the same people, but they are expected to work together, and that’s a broken system,” he notes.
“There are many top-notch CSOs, like Dave Komendat at Boeing, but it’s not necessarily the rule,” Murphy adds. “Enterprises still see security as a cost center. How do you articulate in the board room that there is ROI in security? As an industry, we have to get over the structure and to teach our CSOs to be better leaders. CSOs have the ability to save companies billions of dollars in losses. The CSO leadership role is maturing, but it’s still not close where it needs to be.”
The Human-Machine Relationship
Steve Grobman doesn’t believe in “throwing bodies” at the cybersecurity talent shortage. Instead, he’s advocating a human-machine relationship.
Grobman is an Intel Fellow and the Chief Technology Officer with the Intel Security Group at Intel Corporation. He’s responsible for setting the technical strategy and direction for the company’s security business across hardware and software platforms, including McAfee and Intel’s other security assets.
“Cybersecurity is like a game of chess,” he explains. “There’s data that you need to look at, but you also need to think about how your opponent thinks in order to succeed.”
“One of the misnomers of cybersecurity is that it’s going to be solely the responsibility of cyber professionals and the industry to deal with it. I think that it’s going to become every product engineer’s responsibility, and I’d like to see greater concentration of cybersecurity as a dedicated degree. Cybersecurity should be a foundational element of every engineering degree,” he explains. “The engineer that will build a device with software should have to understand how data breaches occur. There’s a need to limit the probability of a data breach as much as possible, but also to be realistic that with all of the quality controls and training, regardless of how much investment we make, the complexity of our systems today will still allow for breaches. We need to plan that it’s going to happen and to build technology to detect breaches and also on getting the breach detection time as short as possible.”
Grobman says that his advice to people who want to work in cybersecurity is to appreciate and grasp its rapid pace. “You need to embrace new ways of thinking, as the bad actors will change their playbooks as quickly as they can. We see cyber professionals coming prepared with the right technical base, but not necessarily with the fundamentals to learn rapidly and to be adaptable.”
He cites the old Defense in Depth approach (also known as Castle Approach) in which layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited that can cover aspects of personnel, procedural, technical and physical for the duration of a system’s life cycle. “Now we look at how can different capabilities work together and provide a stronger defense. If one element of technology becomes a key learning point, can it share that data with everything else on a network? That’s a new way of thinking, and an example of furthering education and training in this industry.”