Supporting Critical Infrastructure Resilience with Skill-Based Labor
By Randall Sandone, Executive Director, Critical Infrastructure Resilience Institute at The Grainger College of Engineering at the University of Illinois Urbana-Champaign
“With almost 700,000 cybersecurity job openings, the United States doesn’t have enough cybersecurity experts to protect the nation’s critical infrastructure…” That is the lead sentence from an article published in National Defense magazine[1] less than five months ago. It is a stark reminder of the daunting challenges we face at the Critical Infrastructure Resilience Institute (CIRI) as we pursue our mission objectives. CIRI is a Department of Homeland Security (DHS) Science & Technology Directorate Center of Excellence, housed at the Grainger College of Engineering at the University of Illinois Urbana-Champaign, focused on enhancing the security and resilience of our nation’s critical infrastructure.
Filling that gap with a diverse and qualified pipeline is a major challenge for our nation and the private sector companies and government agencies experiencing the impacts of that shortage. But adding people to the pipeline alone is not the full story. At CIRI we are also addressing the challenge of improving the efficiency and productivity of the existing cybersecurity workforce – today and into the future.
Through DHS sponsorship and funding, CIRI has developed software applications that we believe can (1) improve the operational efficiency of a cybersecurity workforce; and (2) improve the recruitment, retention, and management of that workforce. In pursuing these operational objectives, we leverage national standards developed and published by the National Institute of Standards and Technology (NIST) and the Department of Defense (DoD).
Enhancing Workforce Efficiency
All too frequently, bespoke organizational cyber risk management practices suffer from a variety of deficiencies. They tend to be reactive, poorly documented, and inadequately reinforced by organizational policy. The requirements and objectives being pursued are imprecisely defined and poorly articulated, leading to confusion within the workforce. They often lack mechanisms to define and monitor a detailed plan of action, and mechanisms to track and report progress against that plan.
As a consequence, such practices tend to deliver results that are opaque to key internal and external stakeholders. This results in reduced efficiency and increased costs; makes it difficult for cybersecurity managers to secure and sustain adequate cybersecurity budgets; increases the stress level of the cybersecurity workforce – leading to staff burnout and turnover; and risks creating gaps in cybersecurity coverage for the organization.
We believe that organizations can address these common deficiencies by adopting widely recognized national cybersecurity standards and best practices. To assist organizations in adopting these standards, CIRI – in partnership with Heartland Science and Technology (a 501(c)(3) technology development company) – has developed the Cyber Secure Dashboard (CSD). The CSD is a cyber risk management application that helps organizations establish clear objectives and develop a detailed plan of action to implement and manage sound, standardized, repeatable, and consistent processes and best practices to achieve those objectives; harmonize internal activities with those executed by external partners and/or contractors; and communicate and share information within and amongst the internal and external workforce. This leads to enhanced efficiency for the organization, greater transparency amongst all stakeholders, and reduced stress on the cybersecurity workforce.
The CSD does this by operationalizing multiple cybersecurity standards including the NIST 800-171 standard for handling Controlled Unclassified Information (CUI), the NIST Cyber Security Framework (CSF), and the DoD Cybersecurity Maturity Model Certification (CMMC) standard. All of these standards are supported in one application allowing organizations that need to meet multiple standards to easily manage, track, and report their status and progress in addressing the requirements of those different standards.
Using the CSD, organizations can improve the efficiency of their cybersecurity workforce by providing clarity about the requirements of the target standard. The CSD guides the organization through an assessment against those requirements using NIST assessment criteria, and establishes and maintains a Plan of Action & Milestones (POA&M) that allows harmonization of internal and external tasks. In addition, by maintaining a centralized repository of compliance artifacts tagged to specific cybersecurity controls, which eases third-party compliance validation, the dashboard improves collaboration, communication, and information sharing while also producing and delivering detailed automated reports of status and progress to both internal and external stakeholders. The CSD can be used to manage a single organization, multiple units within an organization, or an entire supply chain.
Toward Skill-Based Cybersecurity Workforce Management
Historically, cybersecurity job requirements, and the subsequent recruitment and selection of cybersecurity personnel, have focused on the education/academic credentials of the candidates – with a four-year degree in computer science (or similar) being an almost universal default requirement. By limiting the applicant pool to a population that has historically lacked, and continues to lack, diversity because of underrepresentation, these requirements have also perpetuated a lack of diversity among cybersecurity staff.
This education-based approach to hiring does not take advantage of the many cybersecurity re-skilling and up-skilling programs that have greatly proliferated over the years to increase the applicant pool. With this model, the candidate that earned an Associate’s Degree in history who then spent five years in the Air Force being trained and employed in a cybersecurity role might not qualify for an interview based on his/her lack of a four-year degree.
Ongoing management of a cybersecurity workforce is currently hampered by an inability to clearly identify and match skill sets to tasks and a failure to identify skills and training gaps needing remediation.
With the right tools, organizations can adopt a skills-based cybersecurity recruitment and management model in which the organization has a clear understanding of the specific skills needed to accomplish its cyber risk management goals and objectives. Furthermore, these tools give organizations the ability to identify and recruit candidates possessing those skills and to remediate skills gaps in their workforce going forward. Such a model allows the organization to reach a larger pool of applicants, enhance the diversity of its cybersecurity staff, and better manage the professional development of its cybersecurity workforce.
With the CyberTalent Bridge (CTB), CIRI has developed such a tool in partnership with 2wav, Inc. – a software development company with unique expertise in ontology-based information systems. CTB is a software application that operationalizes the NIST National Initiative for Cybersecurity Education (NICE) cybersecurity workforce management standard. The software is first in its class to help organizations translate worker experience and education into a useful expression of the NICE Framework and bridge those capabilities to standards such as the NIST Cyber Security Framework (NIST CSF) or the Department of Defense Cybersecurity Maturity Model Certification (CMMC).
Organizations can use the CTB to easily collect and inventory the knowledge, skills, and abilities (KSAs), education, and credentials of their internal cybersecurity staff as well as contracted staff. Individual staff members can access the CTB Passport to assert their KSAs, education, and other credentials, which are then inserted into a centralized inventory. An individual’s CyberTalent Passport can be exported and shared as a self-contained visual and machine-readable document that is accessible by anyone with a web browser and interoperable with external systems through CTB’s openly shared data formats. CyberTalent Passports thus help workers and learners share and communicate capabilities across the cybersecurity enterprise.
The CTB provides the capability to independently validate an individual’s KSA, education, and credential assertions and to assign a “confidence” score that refines each assertion based on validated prior work experience or a review of education/training credentials. By accessing this centralized skills inventory, organizations can efficiently identify the most qualified staff member to assign to a specific cybersecurity task and identify knowledge, skills, and training gaps for remediation through training, education, or other professional development activities.
In so doing, the CTB can help organizations migrate from an “education/credentials-based” recruiting model to a “skills-based” model. Such a migration can help organizations improve recruiting by expanding the applicant pool and by enhancing the diversity of its cybersecurity workforce.
Process to the Power of People
The integration of these two products into a unified framework is underway at CIRI. It will allow organizations to execute standardized, repeatable cyber risk management processes and best practices more effectively and efficiently, and to recruit and manage the workforce tasked with that execution.
Using tools provided in the CSD, an organization completes a cybersecurity assessment of its organization and network(s) against a target standard and – based on that assessment – develops a Plan of Action & Milestones (POA&M) to achieve its target cybersecurity standard (such as NIST 800-171, the NIST CSF, or the DoD CMMC). The CTB accesses this POA&M to analyze the KSAs required to execute the cybersecurity tasks (i.e., the cybersecurity controls to be implemented). The CTB conducts an automated analysis of the task requirements to identify the needed KSAs and then delivers a rank-ordered list of staff members qualified to execute the task – from most qualified to least – based on a mapping of the task requirements to the staff skills inventory. Managers can use this list to assign the most qualified staff member to the task while also identifying training and skills gaps needing remediation.
Meaningful Impact
We believe that delivery of this integrated solution fit for small, medium, and large organizations in both the private and public sectors can facilitate broad-scale adoption and employment of national cybersecurity standards and best practices and can enhance the diversity and efficiency of our nation’s cybersecurity workforce. This in turn can enhance the security and resilience of our nation’s critical infrastructure – the goal and mission of the Critical Infrastructure Resilience Institute.
About the Author
Randall Sandone is the Executive Director of the Critical Infrastructure Resilience Institute (CIRI) at The Grainger College of Engineering at the University of Illinois Urbana-Champaign. In this role, Randall has been instrumental in helping to guide a research, technology transition, and education and workforce development portfolio that is delivering impactful cybersecurity solutions to both the public and private sector. He has over thirty years of experience in cyber security leadership and has managed the development, testing, and certification of a variety of cyber security products used by customers ranging from Federal agencies to private sector companies large and small around the world. Randall is also a principal in Rangerfish, LLC, the licensing agent for the Cyber Secure Dashboard. Additional information on Randall and CIRI’s work can be found on their website https://ciri.illinois.edu/.
[1] https://www.nationaldefensemagazine.org/articles/2023/6/26/us-desperately-needs-cyber-talent-congress-says
Source: www.cyberdefensemagazine.com