A good cyber defense requires an informed, resilient, diverse and nimble workforce from the marketing and sales teams to IT and information security. Human error impacts our ability to defend ourselves and is a leading threat to organizations of all sizes and our global economy.
The National Cyber Security Alliance (NCSA) and Nasdaq recently partnered to host a data-driven, outside-the-box discussion about Americans’ cybersecurity knowledge base, how to minimize human error in the workplace and solutions for addressing the looming cyber-workforce crisis. The June 14 event was the third in the 2016-17 NCSA and Nasdaq Cybersecurity Summit series, taking place at the Nasdaq MarketSite in Times Square, New York City.
Attended by more than 100 industry, government and nonprofit executives, the event featured welcome remarks by Colleen Valentine, senior manager of information security governance and compliance at Nasdaq, and Bill O’Connell, chief business security officer at ADP and chairman of the NCSA Board of Directors.
Rebecca Cameron, Nasdaq’s vice president of corporate strategy, then conducted a panel discussion featuring Peter Newman, research analyst at BI Intelligence, and Aaron Smith, associate director of research, internet and technology issues at the Pew Research Center. The discussion focused on what the average consumer knows about cybersecurity and the future of the consumer technology market.
Smith discussed Pew’s recent survey (March 2017) measuring the public’s online security knowledge – a 13-question quiz in which only 1 percent of respondents were able to answer all questions correctly. Public knowledge was fairly low on issues like encryption and privacy matters, what it means when location services are turned on or off and whether private browsing protects your browsing history from internet service providers.
“It’s less that they’re misinformed and more that they don’t know what the right answer is,” said Smith, encouraging awareness professionals to find ways to get the security message across to consumers in less challenging ways. Learn more and take the quiz here.
Newman discussed BI Intelligence’s research on smart devices, including the prediction that there will be approximately 22.5 billion connected gadgets by 2021, with the consumer portion making up about a third of that estimate. Newman discussed the trend toward device consolidation, with more interconnectivity, and the increase in popularity of smart home voice-enabled tech helpers like the Amazon Echo and Google Home.
“This is where we think the future is going to be,” said Newman, predicting that – while now we might ask a device to turn on the air conditioning when it’s hot at the moment – in the future, our devices might automate the home’s temperature, lighting and more based on our habits and preferences. He discussed the potential “creepy” side of these devices, with their continuous data collection, and emphasized that the growing number of smart devices in the home means it’s more important than ever to have strong cybersecurity practices.
The second panel – Minimizing Human Error – was moderated by Masha Sedova, a former NCSA board member and the co-founder of Elevate Security, and featured Alex Blau, vice president of ideas42; Edna Conway, chief security officer of the global value chain at Cisco; and Avi Rembaum, vice president of security solutions at Check Point. The panelists discussed how human error – like clicking on malicious links and having bad password habits – can harm a business, and the best strategies for training and encouraging employees to develop positive cybersecurity habits. Sedova argued for positive reinforcement in training, while the panelists discussed the benefits of both rewarding and encouraging positive behaviors and telling people what not to do.
“The problem with security is the human element, but the solution rests in keeping in mind our humanity,” said Conway, who discussed the benefits of both positive reinforcement and a flexible architecture to allow for growth in security innovation. The panelists also emphasized the need to build security in whenever possible in order to not put the entire burden on human users. Blau argued for incentivizing smart security behavior outside the workplace as a way to further protect organizations’ systems.
Priya Mohabir, vice president of youth development at the New York Hall of Science, then gave a TED-style talk on the organization’s efforts to teach young people about STEM and get them excited about cybersecurity and related career fields. She then participated in a panel discussion moderated by NCSA Executive Director Michael Kaiser with Tim Herbert, senior vice president of research and market intelligence at CompTIA, and Amadeus Stevenson, chief technology officer at Decoded North America. The panelists discussed the challenges in filling the cybersecurity workforce gaps, with a growing number of cybersecurity jobs and a shortage of skilled employees in these positions, and strategies for addressing this looming workforce crisis.
Kaiser spoke about Raytheon and NCSA’s work over the past several years to survey millennials about cybersecurity careers and measure their awareness of and interest in this field, highlighting the challenges in clarifying what cybersecurity careers entail and the skills needed for these jobs. Mohabir and Stevenson highlighted the importance of making cybersecurity fun so that individuals are drawn to these careers from earlier ages. To fill existing workforce gaps, the panelists recommended being creative and pulling employees from different areas of the organization with applicable skills like problem solving and technology expertise and training them to work in these positions.
Mohabir argued for recruiting “from an expanded pipeline” and exposing students ‒ and/or colleagues from different fields ‒ to cybersecurity career possibilities so they can plan to enter into these careers. Stevenson emphasized telling “the human story” of cybersecurity to the public, portraying the skills needed and the challenging, interesting world of the profession, to generate interest in this type of work.
Following the panels, Neil Daswani – chief information security officer of the consumer business unit for Symantec – gave a brief talk entitled “Tell Me Something I Don’t Know.” Daswani spotlighted the safety norm of seatbelts and compared their adoption and importance to those of security best practices like regularly patching software and recognizing the signs of phishing. “Attacks only get better,” he said, and “many seatbelts can be employed,” emphasizing the need for internet users to understand the basics of online scams and threats to protect themselves online.
Eleven reporters attended the event, conducting interviews with speakers and event partners. Here’s a sample of preliminary media coverage stemming from the summit (stay tuned for more stories in the coming days):
- Inside America’s Boardrooms – The Steps Your Board Must Take When Overseeing Cybersecurity Risk
- WSJ Pro – Mindset Shift Could Help Cybersecurity Training, Recruitment (by subscription only)
The event was made possible by our sponsors: Cisco, CompTIA and LifeLock (a Symantec company) are Platinum sponsors, and Fasoo and Logical Operations are Silver sponsors for this inaugural 2017 summit series. The event was also supported by the Business Council for International Understanding (BCIU) and Business Executives for National Security (BENS).
- U.S. Department of Homeland Security (DHS): Our nation needs a strong cyber workforce to defend it from online threats and attacks. DHS is committed to helping government agencies and businesses build the cyber workforce they need with the following resources:
- The National Initiative for Cybersecurity Careers and Studies (NICCS) Cybersecurity Workforce Development Toolkit: This toolkit from DHS offers resources and information for organizations to plan, build and advance their cybersecurity workforce including: cybersecurity career path templates, guidance to recruit and retain top cybersecurity talent and tools to understand and address an organization’s workforce risks.
- National Initiative for Cybersecurity Careers and Studies (NICCS) Training Catalog: Creating a culture of cybersecurity in the workplace means equipping employees with cyber training. The NICCS website provides over 3,000 cybersecurity-related courses for cyber professionals across the country. The courses, which align to specialty areas of the NICE Cybersecurity Workforce Framework, help professionals earn certifications, learn new skills and increase their expertise.
- Cisco: The Cisco 2017 Annual Cybersecurity Report provides a complete overview of the latest cyber attacks and defensive measures, as well as the impact on business growth and success. It highlights the challenges and opportunities for security teams against the constant evolution of cybercrime and shifting attack methods.
- CompTIA: The CompTIA Cybersecurity Hub offers a range of cybersecurity workforce development resources and two recent studies from the nonprofit association also address the skills gap issue: “Assessing the IT Skills Gap” and “The Evolution of Security Skills.” Both reports are available for free on the CompTIA website. Finally, CyberSeek.org provides detailed, actionable data about the supply and demand in the cybersecurity job market, as well as an interactive career pathway of key jobs within cybersecurity, and detailed information about the salaries, credentials, and skillsets associated with each role.
- Fasoo: Fasoo partnered with the Ponemon Institute to present “Risky Business: How Company Insiders Put High Value Information at Risk.” The report – a survey of about 640 IT security practitioners familiar with their organizations’ approaches to protecting data, documents and files
- LifeLock, a Symantec Company: To help address the cyber-workforce crisis, Symantec partners with Girls Who Code, a national non-profit organization that seeks to inspire, educate and equip girls with computing skills for the 21st century, and will take part in the organization’s largest-ever expansion of its summer immersion program.
- Logical Operations: Want to know how prepared your organization is to deal with cyber threats? Logical Operations’ CyberSafe Readiness Test is a complimentary tool to determine the extent to which employees can recognize and avoid common threats like phishing, malware and non-secure websites – and measure how well your organization’s data is protected.
Thank you to everyone who participated in this summit and helped make it a resounding success. Check out the #CyberAware hashtag for more social media highlights and privacy tips. And consider signing up for our mailing list to receive cybersecurity and privacy news, resources, upcoming event information and ways to get involved year-round.