U.S. President Barack Obama introduced a non-partisan commission this month that is a component of the Cyber Security National Action Plan (CNAP). The commission primarily consists of private sector CEOs who will provide “bold, actionable steps that the government, private sector, and the nation as a whole can take to bolster cyber security in today’s digital world, and reporting back by the beginning of December.”
While I’m always happy to see the subject of cyber security being discussed at the government level, I’ve grown weary of their announcements and cyber security initiatives, which always seem to be bark and no bite.
Comprised of notable leaders from recognizable organizations, this 12-person commission appears to be merely an appeasement. There are already numerous government-appointed and assembled groups — like the IEEE, CSFI or the actual National Cybersecurity Working Group — tasked to address the very same challenge and yet we haven’t seen a single, hard-hitting result that would actually generate security for any sector.
The credentials of this latest group are impressive. However, it’s the equivalent of putting a general in trench warfare. You can throw however many people at the problem, but it’s still not addressing the core challenges.
The issue truly lies with the alarming gap of cyber security experts in the work force. Do you know how many cyber security degrees were issued in 2014? Roughly 84,000. Compare that to the number of hospitality management graduates (about 270,000), and you can clearly see where the issue lies. We, as a nation, are not turning out the skilled talent needed to get us out of the predicament we face.
Adding to the problem are the new types of certifications that the industry keeps developing in a misguided effort to increase the skills and numbers of IT security workers. There is no program that a person can take in a week that could possibly arm them with the knowledge and tools needed to effectively defend against today’s increasingly sophisticated threats. Again, we cannot “cert” or “boot camp” ourselves out of the current quagmire.
Cyber security can’t be learned in a one-off crash course. It starts with lessons learned within the trenches and digging your way out, experience gained by being on-position working as an operator or real-world security engineer.
If our government really wants to look at getting in front of the problem, we need to make a concerted effort to educate, train and incentivize the masses to take up arms in this cyber defense battle, not form more commissions, think-tanks, working groups or bi-partisan whatevers.