U.S. Expands Cyber Training Effort
In order to secure enterprise networks and their far-flung components, everyone needs to be on the same page.
That's at least part of the thinking behind a renewed U.S. cyber initiative designed to bring embattled security teams up to speed as threats continue to evolve. The National Institute of Standards and Technology (NIST), which helps develop a range of computer and network security specifications, is in the process of upgrading a federal initiative on cyber-security education along with a work force training program.
The National Initiative for Cybersecurity Education (NICE) is described as a government-industry partnership designed to "promote a robust network and an ecosystem of cyber-security education, training, and workforce development." The goal is to match training and skills with the security requirements of companies that otherwise tend to rely mostly on tools rather than flesh-and-blood cyber defenders.
Given the ham-handed responses to recent malware and ransomware attacks, NICE and similar cyber-security efforts are welcome as enterprises struggle to develop integrated teams capable of playing offense as well as defense—in other words, developing the skills needed to stay at least one step ahead of evolving threats.
The original idea behind NICE was "the recognition that the cyber-security workforce [has] not been defined and assessed." Hence, cyber-security is now seen as central to enterprise IT operations.
The NIST framework addresses seemingly obvious but frequently overlooked steps in the process of assembling security teams. These include assessing work force skills and identifying training and certification requirements along with specifying tasks used in job descriptions. Ultimately, the framework seeks to match tasks with what NIST refers to by the catch-all phrase "knowledge, skills and abilities."
"Cyber-security is a rapidly changing and expanding field," noted a NIST update on the cyber training program released earlier this month. "This expansion requires a cadre of skilled workers to help organizations perform cyber-security functions. As organizations identify what is needed to adequately manage current and future cyber-security risk, leaders need to consider the cyber-security workforce capabilities and capacity needed."
NIST's efforts augment a growing list of cyber certifications, including the Certified Information Systems Security Professionals program.
Among the goals of the NIST effort is raising awareness of the growing need for a ground-up security strategy as malware and other threats evolve and victims struggle to keep up with emerging real-time threat detectors. Along with a steady stream of high-profile cyber attacks, analysts note that most U.S. companies are simply not prepared to cope with sophisticated attacks despite a growing list of best practices.
For example, market watcher IDC released a report late last year concluding that only a handful of large enterprises have assembled top-flight cyber teams that reflect industry best practices. Efforts such as NICE are intended to expand and institutionalize integrated, certified security teams.
"The best practitioners view cyber security as a human-versus-human challenge, where having the best people is more important for combating 'bad guys' than having the right technology," IDC concluded.
Industry executives called the draft framework a good first step. NICE "will help critical infrastructure companies like oil and gas, power and water [and] manufacturing...to accelerate its hiring practices to close the skills gap in cybersecurity," noted Edgard Capdevielle, CEO of Nozomi Networks. "They will now be able to articulate cybersecurity roles, area of specialty, category of work and describe the knowledge, skills, and abilities of cybersecurity professionals that are needed."
Added Capdevielle, "In areas of cybersecurity specialization such as industrial control systems where a cyberattack could have catastrophic effects, the [combination] of training and automation are speeding efforts to combat and remediate cyberattacks."
As a follow-up to the latest iteration of the NIST cyber effort, a NICE conference is scheduled for November in Dayton, Ohio.
--Editor's note: This story has been updated.