Last week I wrote two blogs about cybersecurity, critical infrastructure organizations, and the US government.
In the first blog, I mentioned some ESG research stating that 76% of cybersecurity professionals working at critical infrastructure organizations were somewhat or very unclear about the US government’s cybersecurity strategy (note: I am an ESG employee). In spite of this confusion, 83% of these same cybersecurity pros want to see the feds become more active with cybersecurity programs and defenses.
In my subsequent blog, I went a step further by providing additional ESG research that asked these same cybersecurity professionals working at critical infrastructure organizations to identify the specific federal cybersecurity actions they’d like to see from Washington. As part of the list of suggestions, 37% said that the federal government should provide funding for cybersecurity professional training and education.
Now I’ve been somewhat critical of federal cybersecurity education programs in the past for a number of reasons. While Washington has come up with a few good ideas such as the National Initiative for Cybersecurity Education (NICE) and the NSA’s information assurance program for academia, I’ve seen a lot more talk than action from DC. When the feds have been willing to spend, they typically treat cybersecurity education as a Pork Barrel initiative, spreading meager funds across a multitude of education programs.
In my humble opinion, the US is lacking a cybersecurity education strategy which nurtures and funds national centers of cybersecurity excellence. Undeterred, the State of MD has done a great job building a standout cybersecurity education program on its own, and I hope my own State of Massachusetts can replicate this model, led by higher educational institutions, private companies, State funding, and the Advanced Cybersecurity Center.
Yes, there is a lot of work ahead, but there are some existing cybersecurity training programs that are worthy of a lot more promotion, as many of these are already extremely effective and valuable. One such program is offered by US-CERT and is geared specifically for cybersecurity professionals working at critical infrastructure organizations. In fact, the training is actually offered as Level 1, 2, and 3 training by ICS-CERT for FREE. This particular training curriculum is focused on cybersecurity for control systems, but it starts at a fundamental level that should help infosec professionals improve their overall skills.
Incidentally, ICS-CERT also offers a free cybersecurity assessment for organizations that need this type of help. This assessment can certainly help critical infrastructure organizations identify vulnerabilities and prioritize remediation activities.
It is worth noting that a cybersecurity professional who alerted me to these programs absolutely raved about them. In fact, he mentioned that the level 3 course was so valuable that he planned to proceed to the level 2 and 1 courses soon.
In my overall work with federal cybersecurity programs aimed at the private sector, I’ve found a common situation. A small percentage of very large private sector organizations know about these programs and use them extensively, but the majority of private sector organizations are completely in the dark -- they don't even know that these programs exist.
In my humble opinion, this situation is a crying shame. Washington needs to do a better job of cybersecurity cheerleading, trumpeting programs like those from ICS-CERT that are already funded and have proven value. All US Citizens could certainly benefit if Washington spent more time talking about what it is already doing well and less time on pie-in-the-sky ideas and political rhetoric.
If you’d like to read more, the ESG research brief is available for download here.