W. Hord Tipton

Cyber Security Education: Remove The Limits

Highly technical and high-level strategic education must come together to achieve cyber security goals.

As we approach (ISC)2's 2014 Security Congress -- the organization's largest global event of the year -- I am very focused on what we can do to continually educate information security professionals and how we can broaden our educational offerings to produce a well-rounded cyber workforce.

While the White House Cybersecurity Coordinator was criticized last week in an article for suggesting that the lack of technical know-how can be an asset to those in cyber-security positions, he makes a strong point: "The real issue is to look at the broad, strategic picture and the impact that technology will have." To me, it is clear that ongoing and expanding education is vital for the cyber workforce, especially as we observe increasingly sophisticated attacks and more complex systems.

August was a month rich in deep "techie" conferences, with the trifecta of Black Hat, Def Con, and BSides. Having seen first-hand the mastery displayed by the "in the weeds" techies at Black Hat, I am happy to report that we are indeed making progress toward a mature and balanced cyber workforce.

Historically, there have been two perceived approaches to cyber security -- the vertical, technical approach and the more horizontal, strategic approach. At Black Hat, I saw that perception break down. The traditional "techies" who attended to sharpen their technical skills and techniques were mindful of how those techniques contribute to their organizations' horizontal strategies. This suggests that individuals are recognizing the impact they have on the success of their companies' overall cyber-security strategies, and that organizations that take the limits off the educational experience of their cyber workers end up with stronger and more mature cyber professionals.


I would encourage IT and information security managers to approach the fall season of conferences with an open mind and to nurture all areas of cyber-security education. Should you expect your employees to come back from these conferences with all the answers -- both technical and strategic? No. You will inevitably be disappointed if you expect those attending a "techie" conference such as Black Hat to come back with solutions for debates such as:

  • Conventional warfare vs. cyberwar policy
  • Cyber offense vs. cyber defense policy
  • Balancing privacy vs. security

However, any education that moves your workforce a step closer to understanding the complexities (technical or strategic) of these many controversial issues will ultimately narrow the lack of consensus and contribute to the progress of industry security programs and policy. Even the government recognizes that a better understanding of cyber security is critical even at the basic level; it recently announced its Federal Executive Cybersecurity Seminar (FECS), which aims to educate executives on the basics of cyber security challenges, operations, and policies.

Cyber security is growing in complexity every day and requires continual refinement of the workforce's capacity for both skill and strategy. While Black Hat, Def Con, and BSides may not be the forum for tackling the controversial issues that face us domestically or abroad, the ultimate solutions will be achieved only when educated people bring both depth and breadth of knowledge to the discussion table.


W. Hord Tipton, CISSP-ISSEP, CAP, CISA, CNSS, is currently the executive director for (ISC)2, the not-for-profit global leader in information security education and certification. Tipton previously served as chief information officer for the U.S. Department of the Interior ...
User Rank: Apprentice
9/10/2014 | 3:37:43 PM
Re: aws0513: Re: An idea to consider
The lack of funding support for training of US government personnel is part of a much bigger issue that needs to be addressed: What are the government's plans to attract and retain the qualified personnel that it so desperately needs? Training and education is just one area that government MUST address if it wants to compete with private industry for security personnel and fill the widening skills gap. In response to aws0513, we are doing everything possible to make it easier for US government employees to attend our professional development events and conferences. We will continue to do our part to offer events at no-cost or greatly discounted cost to US government employees and to advocate for government participation. We also aim to stage events in areas convenient for security professionals.
User Rank: Apprentice
9/10/2014 | 3:35:50 PM
Re: aws0513: Re: An idea to consider
I could not agree more with GonzSTL that information security professionals need better communications skills. The importance of training security professionals in the area of "soft skills" that facilitate better collaboration and understanding between technical people and executives is something that we at (ISC)2 have been emphasizing for the past decade. In fact, our 2013 Global Workforce Study reported that "communications skills" was the 2nd top skill that employers are seeking when hiring an information security professional. It is imperative that effective communication skills — including writing, presenting, and speaking — should be on the forefront of this community's professional development platform.
User Rank: Strategist
9/5/2014 | 9:28:25 AM
Re: aws0513: Re: An idea to consider
I agree with all that regarding technical training, but I think there isn't very much emphasis on business communication training. If we as security professionals had better communication skills, especially with executive management, we could be better poised to push the security agenda forward. Remember when the hot topic was to align IT with the goals of the organization? Well, we have to effectively communicate to executives that security goals align with IT goals, which in turn align with the organization's goals. Until we succeed in this, our message will either fall on deaf ears or will lose its impact. There is still the stigma that the security group is the department of "NO", and we have to overcome that by communicating the importance and relevance of security both at the organizational level and in the users' personal lives.
User Rank: Apprentice
9/4/2014 | 7:14:13 PM
Re: aws0513: Re: An idea to consider
Actually, most of my work has been in the government sector.  Over 20 years of IT and security experience working with government systems and architectures either as a government employee or as a contractor for government entities.  

In all my experiences, funding availability was the most common reason preventing these organizations from sending people to independent security conferences/events.  I would commonly get funding support for government sponsored events, which were often pretty good, but not once have I been able to convince my supervisors or customers to flip for independently sponsored conferences.
BTW, since the budget for most government entities is virtually frozen in regard to conferences these days, I am amazed that any government employees get to attend any conferences at all these days.  I know that a handful from some of the larger government agencies and entities get to attend, but the numbers are far less lately.

Trust me when I say that there is a veritable army of IT pros out there that are working for entities that do not or cannot consider independent conferences as an option for professional development for their IT staff.  

True story -  I worked in one IT shop of 15 people where 6 of them paid for their own trip to Black Hat a few years back.  They were all professionals in their field, but the management just could not fund even one of them to attend.  So they all turned it into a professional escape junket out of their own pocket.  I would have joined them except that at the time my own budget was not in line to support it.  

Some responses when requesting conference attendance funding have been:
  • Can you get the same information on YouTube or through some web conference for free?
  • We did not provide for conference attendances within your contract, but we did provide for specific technology training where we get vouchers due to enterprise level contract with vendors.  Would you like to learn about product X from vendor Y?
  • I feel that nothing on this conference itinerary is necessary for our operations at this time.
  • Maybe next year.  We just do not have any funds remaining for this year.
  • You can go for one day, but only to see the exhibit hall.  I need you to look for vendors that provide X service or product.
  • You already have your CISSP.  You should already know this stuff.  (I know... this one is arguable, but it did come up in a serious discussion - no lie).

Am I frustrated.  Yes.  But I also know that funding is a real issue for the government these days.  The same goes for small and medium businesses in the private sector.

I have also conducted independent consulting side work for many smaller business owners that absolutely laughed when I asked if they would pay for such a conference for their employees (not even for me).  Again, the price tag for these events was beyond any budget they currently operated with.

Do I know that great educational opportunities exist at independent conferences?  Darn tootin' I do.  I have been blessed to learn some excellent information from the conferences I was able to afford and attend.  
But this fact just washed against the rocks of management-think when dollar signs regarding the cost float across their table.

I get that people should be paid for the training and information they share at these conferences.  But I also know that the ticket cost is a real barrier for many other people to attend.  If that barrier can be lowered in some way, maybe more people can take the leap into the security field on behalf of their employers.

Again...  just a suggestion.  I would be interested to see what would happen if the idea was tested.
User Rank: Apprentice
9/4/2014 | 4:58:02 PM
aws0513: Re: An idea to consider
With your very thoughtful comment, I am surprised you stay with the companies you mention.  EVERY company I have worked for has invested in their employees and their education, which included conferences, and tuition reimbursement.

You must have some strong personal reasons for staying with these companies, and shelling out $$ from your own pocket.  I applaud your efforts, but if you're only getting vendor passes, you're missing a great deal of the education that is taking place.
User Rank: Apprentice
9/4/2014 | 3:30:29 PM
An idea to consider
As an IT security professional, I try to attend conferences that will help me provide the best services to my employer.  In almost all cases, I attend conferences while paying out of my own pocket in both conference fees AND on my own vacation time.

In most cases, my employers have been unable or unwilling, or both, to foot the bill for conference attendance.  In a few cases, I did have the opportunity to go to conferences in an official capacity with pay, but usually only for one day because they were unwilling to pay me for a multi-day conference.  And in all cases, I only attended when the conference was within commuting distance and only with an exhibit hall pass.  Passes that included conference presentations and/or courses were out of the question due to cost.

I see this as another barrier to expanding the security workforce.

My suggestion: Offer the opportunity for ANY organization to apply to get at least one (1) full pass to a conference for any employee of their choosing at no cost.  Recommend the organization allow the employee to attend the conference with pay and travel/per diem costs (no promises there, but a message in this respect can go a long way toward the effort).

Reasoning: I know that some organizations understand the need for their professionals to attend such conferences and thus coordinate resources and timing accordingly. 
But I also know that there are a large number of organizations that do NOT subscribe to that view for many different reasons. 
If the IT security workforce movement is going to make any tracks in smaller, yet just as vulnerable industries and markets, there needs to be an effort to find ways to entice organizations to send talented people to collect and hopefully share the information and the message.

To me, the model of "We'll come half way if you come half way" is a great opportunity to expand the security field in new directions and into industries that historically have not engaged security conference attendance in the past.

Just a suggestion, but I think it may go a long way toward expanding the security workforce.

NOTE: If such opportunities already exist, these should be marketed very broadly and emphatically.  And discounts do NOT work.  I have seen management balk at 70% off the gate price on a conference.  Make it real by making it free for just one employee and I am almost certain that attendance, and the security workforce, will grow in time.