Diversity Is Key to Training and Education in Cybersecurity
The changing nature of threats and countermeasures cries out for new perspectives in cybersecurity, commercial experts say. Training and education must assume greater variety, but trainees also must be chosen from diverse backgrounds to provide new perspectives on threats and potential solutions.
This effort to instill diversity in cybersecurity also must begin at early education levels. Generating a maintainable level of interest in younger students may require new techniques such as gamification, which introduces young people to cybersecurity concepts through familiar game scenarios. But even lacking early introduction into the world of cybersecurity, potential experts can be sourced among college students with unrelated majors who bring their own diverse outlooks to the arena.
“There needs to be greater diversity,” states Jim Richberg, Fortinet Public Sector Field chief information security officer (CISO) and vice president of information security. Richberg’s background appropriately is diverse, with his having served as a former national intelligence manager for cyber in the Office of the Director of National Intelligence.
“Not all jobs require hard technical skills,” he continues. “There is a role for people who are liberal arts majors. There are a lot of jobs in cybersecurity that actually require good communications skills, even on the help desk,” he adds.
Renee Tarun, Fortinet’s deputy CISO/vice president of information security, emphasizes the importance of diversity. “You want people from all different backgrounds because everybody brings their unique expertise and experiences, so when you try to tackle a problem, you want those different opinions and perspectives to lead you to a greater and faster resolution,” she warrants. She adds that statistical studies show that more diverse workforces can solve challenges faster, are more productive and have increased revenue.
“Not everybody comes from the same walk of life, and we’re not all cookie cutters,” Tarun says. “A lot of us came from different backgrounds. Some came from biology, some came from accounting and finance. They’ve all found their way into the cyber field one way or another.”
Diversity also spawns higher employee retention rates, which addresses another cybersecurity challenge, she offers. A large percentage of employees want to work in an environment where they feel valued and included, she points out. The only way for an organization to achieve this is to commit to a diverse workforce, which in turn requires changing hiring practices.
Tarun is a former special assistant to the director, National Security Agency, Cyber. She relates that when she worked in government, she performed blind resume reviews in which she did not view any identifiable factor and only considered professional criteria. The result was a more diverse group of people singled out for hiring as opposed to the type of person who might benefit from unconscious bias. Even job descriptions must be gender-neutral to avoid that unconscious bias, she notes.
Richberg suggests that diversity in cybersecurity also will help avoid burnout, which is a problem in government. “You need to make them feel they are effective agents of public service and also not giving them a mission-impossible task to do,” he states. In the same vein, they should feel that they are doing more than simple security maintenance.
But Richberg says that while the cybersecurity pipeline is bringing in needed expertise, it remains a challenge to get people into the pipeline. People coming out of high school are not necessarily looking to go into “vacant programs” in a community college or a four-year university. “We’re not doing a good job of catching high-school kids and sensitizing them, not only to smart online behavior but also to the breadth and the attraction of a field like cybersecurity,” he declares. “We’re building this pipeline, and then we’re having trouble filling it.”
Part of the problem, he continues, is that guidance counselors do not always recognize what cybersecurity is so they don’t often direct students to it. These young people need not major in computer science or computer engineering to contribute to this field, and that is not always clear.
Another part is to define the problem of cybersecurity. The workforce gap largely is predicated on describing the situation as it currently exists, Richberg offers. In this field, people tend to focus on solving a problem, and the solution then is adopted widely for a long time. But, over time, security tools accumulate, and a security operations center may have more than 70 such tools focusing on different problems, leaving humans to integrate these efforts. “We’re literally drowning the security operations center analysts in data,” he says.
One key to solving the drowning-in-data problem may be artificial intelligence (AI), Richberg offers. By saving people onerous tasks and targeting problems it cannot solve, AI will help imbue security experts with greater satisfaction in their problem solving while reducing boredom. Government, for example, has so many legacy systems that AI is needed to change the way the issue is addressed.
Tarun notes that many young people want to work on cutting-edge technology, but when they arrive in government, they find “yesterday’s technology today.” Modernization will help eliminate that negative factor and increase the likelihood of retention, she suggests.
She notes that her company is certifying veterans in cybersecurity—more than 2,000 along with their spouses—in training programs that emphasize both diversity and experience. “We take people that came out of this valuable resource, that have done their service in the military, and some of them were on the front lines in high-stress environments,” she explains. “If I’m hiring for a security operations center, I want people that are not only trained but can handle pressure.” She continues that operational technology is melding with information technology, so operational technology is part of the training program.
She continues that women are underrepresented in cybersecurity, and their viewpoints are not as prevalent as they should be. With roughly half the population of the United States being women, only about 20 percent of the cyber field consists of women. “There are some untapped resources we need to be leveraging,” she declares.
Tapping those resources should start early, both experts say. Tarun offers that cybersecurity should be part of the curriculum starting in elementary or middle school. The pandemic increased the use of virtual learning among these students, so they are ready for this approach. Middle school enables a greater STEM focus, and cyber awareness tends to grow among students in the areas that entail security. Students need to be taught more about the roles of security operations people and network engineers, for example, and this will require building curriculum into awareness.
Many experts see the diverse people needed, particularly women, losing interest after middle school. More research is required into why that is taking place before corrective action, Tarun says. At the very least, this calls for more mentoring, internship programs and scholarships for services.
Richberg calls for an intensified effort. “We need to do a better job of getting people coming out of high school who are either looking at the vocational track or saying, ‘You know, I’m going to be a liberal arts major, but it still sounds like I could do cybersecurity even though I’m not going to be a computer science major.’ At this point, neither the educational system nor the guidance counselor are set up to understand that is the art of the possible, nor do the students really see how to even connect to that part of the existing pipeline,” he declares.
“We need to be teaching the kids, but we also need to be teaching the parents,” Tarun offers. “Parents often comment that their kids know more about technology than they do, and in a lot of cases, that may be very true. But that doesn’t mean the kids know how to use it securely, so we need to be educating the parents.”
Cybersecurity knowledge may become part of credentialization, Richberg says. People may take cyber electives in their field of study, and this might lead them fully into the field.
Cybersecurity increasingly will become vital as engineers build more smart systems such as cars and sensor-equipped highways. “There can be other on-ramps into the profession that can get people into this career,” he points out.
A lack of understanding by the general public also is driving the need for more cybersecurity professionals. “People don’t update their security,” Richberg observes. This became apparent when government employees turned to telework during the pandemic. Even with two-factor identification, the government tended to treat people as if they were still connected from their cubicles, he relates. Once their initial access was validated, workers essentially were put back into a coarsely segmented network. “We watched malicious activity spike 700 percent in the second half of 2020, much of it riding in through these nonsecure endpoints,” he said.
Nowhere is this more apparent than in ransomware. At the beginning of 2021, it tended to consist of malware that would enter a computer or network to encrypt data and extort its owner to pay for the decryption key, Richberg reports. Now, most ransomware also steals data for espionage or embarrassing publicity. Accordingly, the classic response to mitigating ransomware—timely offline data backups—will not work on that part of the problem. “If you missed the memo on the evolution of the threat, you’re preparing yourself for only part of the problem. That’s something where there are lessons learned, where the private sector saw this trend happening and communicated it to the government.
“The bad guys compare notes,” he continues. Government and industry do collaborate internally, but the joint private-public partnership is not as effective or successful as it needs to be.
Also, government tends to have annual training with check-box testing, while the private sector trains on a constant, ongoing basis, Tarun says. “The adversary is going to come calling,” she says. “It’s not a matter of if; it’s going to be a matter of when.”
Richberg notes that his company had a pre-pandemic cyber training and awareness program that began with general cyber hygiene and progressed through more advanced levels ending with specific company technology that is in wide use. Since the pandemic hit, the company has had more than a million training hours in its course, with nearly 700,000 certifications at different levels.
One training approach that Tarun describes involves gamification. A simple game called “Spot the Fish” provides a way of quantifying cybersecurity training while also involving people in interactive methods, which tend to be more effective than standard rote-based learning.
Gamification also can help generate interest among students, Richberg offers. It can illustrate life in cybersecurity, which could lead young people to pursue it in secondary school and eventually into the field.
It takes a combination of people, processes and technology to build a good cybersecurity workforce, Tarun allows. “There’s not a silver bullet out there,” she says. “There’s no single solution out there that can solve all your cybersecurity challenges. So, it takes the right trained people in place, the right processes in place and the right technology in place.”
Teamwork is one attribute that Richberg emphasizes. “We’re past the days where one brilliant analyst could look at something and make sense of it,” he states. Instead, it requires a team across disciplines for effective cybersecurity. “It is very much a group activity for defending your network.”
And this knowledge must be dispersed among the people who run organizational units and business units, people in charge of the mission and operations, Tarun adds. “Everyone has a role to play.”