President Donald Trump’s recent Executive Order on America’s Cybersecurity Workforce has created surprisingly little buzz within the cybersecurity training community. This is likely because, as exciting as it is to have the leader of the free world focused on our slice of the industry, the EO is extremely high-level. Unless the policy has some serious teeth in the form of enforceable sanctions and sufficient funding and manpower, an executive order is little more than a press statement. Still, I’m optimistic about this one.
Given the scope of the cybersecurity talent shortage, I’m confident that the need for well-trained, experienced cybersecurity professionals will drive the market to produce them one way or another. But cybersecurity work is inherently tied to America’s national defense and to its economic durability and growth. Especially given the talent shortage, it’s highly appropriate for the federal government to give the country’s cybersecurity workforce the boost it needs.
Moving the EO Forward
Industry insiders are wondering out loud just how useful the EO will be. I think there’s a lot to like. However, as many others have noted, it’s light on details. And when it comes to executing an ambitious initiative at federal scale, the devil is most definitely in the details. Still, I believe it can make it off the page, and I have a few ideas on how to take it a few steps down the road:
Wide, Enforced Adoption of the NICE Cybersecurity Workforce Framework
NICE, which stands for National Initiative for Cybersecurity Education, is a program led by NIST. Its workforce framework, published as NIST Special Publication 800-181, “establishes a taxonomy and common lexicon that describes cybersecurity work and workers irrespective of where or for whom the work is performed…” and is … “intended to be applied in the public, private, and academic sectors.”
In other words, NICE has already done the heavy lifting of codifying the wide spectrum of cybersecurity roles and tasks, and the knowledge, skills and abilities (KSAs) they require, into a standard language. Many “security-first” organizations I work with are already putting NICE into practice. Though many of them will admit it’s not an easy undertaking, NICE has already become the standard for top academic cybersecurity programs and for the organizations eager to hire their graduates.
But NICE is a standard, not a regulation. As a cornerstone of the EO, NICE framework adoption needs to be mandated, with clear, standardized enforcement and/or compliance mechanisms across public-sector, private-sector and academic institutions. And, to avoid a bureaucratic nightmare, it should be handled by a single government agency. Otherwise, adoption won’t happen fast enough to move the needle.
… Starting with Managed Security Service Providers
Managed security service providers (MSSPs) will likely be the first affected by the new executive order, which requires any entity pursuing government and public-sector cybersecurity contracts to frame its qualifications in terms of NICE. This could translate into a fierce competitive advantage for MSSPs that have already developed an efficient way to verify that their staff passes muster against the NICE knowledge, skills and abilities. With that being the case, it makes sense to use the MSSP community as a test case for how to enforce NICE compliance.
If government agencies enforce the NICE requirement effectively with MSSPs, the private sector can then, once the kinks are worked out, incorporate NICE as a benchmark for its own managed security contracts, and the program can continue to scale incrementally from there.
Higher Education Should Standardize on NICE-Aligned Experiential Learning
The NICE framework is built around real-world, practical skills and abilities (in other words, experiential learning), and it makes clear that higher education institutions will need to make hands-on experience an integral focus of their cybersecurity programs.
Many schools have already invested in on-campus cyber training and simulation facilities, called cyber ranges, that align with the guidelines outlined in NICE. The federal government can facilitate the construction of cyber ranges by offering colleges and universities grants, no-interest loans and other financial assistance and incentives. Work-study programs in which students complete an initial, intensive training phase and then work in cybersecurity roles, gaining critical experience as they continue their studies, would make these programs even more popular and accessible to a wider potential student population.
Training the Trainers
Setting up high-quality, experiential cybersecurity degree programs and cyber ranges is the easy part. The real challenge will be finding enough qualified instructors to teach cybersecurity coursework and lead simulation training sessions. The one chorus I hear loud and clear from customers across all industries (academia, large enterprises, BFSI and MSSPs) is the need for cybersecurity instructors.
Workforce development programs are only as good as the instructors who teach them, and at the moment they are a painfully scarce resource. There isn’t much point in drumming up interest among students and mid-career pros in retraining if there aren’t enough teachers to lead the courses. Therefore, to support the EO, the government should take action to help establish a NICE instructor certification process for cybersecurity trainers. The NICE instructors’ course could be offered to military personnel who served in cybersecurity roles upon re-entry to civilian life. The government also could offer incentives to businesses and academic institutions that send faculty members to receive certified NICE cybersecurity instructor training.
President’s Cup Cybersecurity Competition
The competition included in the executive order, if it takes off, will introduce a fun, competitive, yet highly practical culture to cybersecurity skills development, one that is aligned with the kind of cyber range-based training we know is essential for developing the skills needed for so many cyber defense roles. Ask any teacher, coach, commanding officer or anyone who has played Capture the Flag at Black Hat: competitions are an extremely effective way to motivate effort and mastery of skills. Public-sector organizations can offer cash prizes, paid vacation days or any other legal incentive to employees who successfully exhibit excellent hands-on cyber defense skills.
So, as validating as the EO is for an experiential learning-based approach to cybersecurity skills development and training (an approach that I evangelize on a daily basis), we’ll have to wait another three months (at least) for the secretary of Homeland Security to deliver to the president the plan the EO calls for.
My fingers are crossed.