The CSIS (Center for Strategic and International Studies) Commission on Cybersecurity for the 44th President has released a whitepaper, A Human Capital Crisis in Cybersecurity: Technical Proficiency Matters, which quotes an authority as saying that we have an immediate need to train 10,000 to 30,000 cybersec ninjas. Wow.
The subtitle suggests that the need for technical prowess is not fully appreciated in our context. I’m not sure who doesn’t believe that. I do admit that I personally was not thinking we needed heroic action to expand the number of highly-skilled practitioners by a factor of 10 to 30. Making such a contention is a lot like debating climate change: once you finally learn whether or not the worst case scenario comes about, it is too late to do anything about it.
I won’t argue against the report’s discussion on the degree to which NIPRNET has been compromised by the Chinese, or whether it would have been worth the money to have trained up another 10,000 or so security rangers to have prevented it. Whatever the actual levels of loss today, and whatever the military expectations, the commercial market is just not feeling enough pain to justify this sort of heroic level of professional training.
It is the case that we have an unfortunate shortage of people who can write hack-resistant code, but the USA and Europe can’t grow enough coders of any kind because fewer university students are interested in computer science careers. The US federal government did encourage growth in the math and engineering fields during the 50s and 60s, but it seems more than difficult to apply that model to this highly-specialized context, especially during a cultural period in which kids no longer play with erector sets or build Heathkit radios.
The suggestion to draw on academia, the central government, and industry to create a governance body that would develop an infosec career path and a more rigorous certification program is a good one. An initiative to encourage a mentored form of infosec On The Job Training has been in existence since 2006, and I’m disappointed that the authors of this report didn’t mention it. The Institute of Information Security Professionals is a UK-based organization with international aspirations. While it continues to grow, and I believe it to be a noble effort, the lack of attention from America is just one sign that it hasn’t grown as fast as could be hoped. The IISP, the directors of which apparently were not questioned by the authors of the CSIS report, has close to 5 years of experience in attempting to solve the same problem, and in comparison to that, much of the CSIS report seems needlessly speculative.
Although it mostly ignores a decade’s worth of discussion on whether or not the CISSP and CISA are any good, this report contains a great deal of useful analysis. Then the authors make the classic ‘I can’t get my security budget approved’ mistake. Any Marketing 101 student can tell you that filling up the pipeline with product will not automatically result in a corresponding level of demand. Making the business case is one of those ‘soft skills’ that the report suggests has been overemphasised until now.
The report identifies the CISO as being the role having the highest priority, describing it as one of leadership, program management, and demonstrating an understanding of how infosec risks affect the business. These are ‘soft skills’ that are usually not the strengths of technologists.
It is a waste of time to debate the relative superiority of soft vs. hard skills; a properly functioning organization needs both. If we do need a significant upgrade in technical knowledge and skills, getting there will require people who are highly skilled at dealing with people.