There is no shortage of articles, news reports, white papers, policy reviews, congressional testimonies, and other sources describing cyber threats and their potential consequences to U.S. and international security. James Clapper, Director of National Intelligence, testified before the U.S. Congress early in 2013 that the cyber threat had surpassed terrorism as the highest threat to U.S. national security. U.S. Army General Keith Alexander, dual-hatted as the director of the National Security Agency and Commander of the U.S. Cyber Command, described the loss of industrial information and intellectual property via cyber espionage and cybercrime as the “greatest transfer of wealth in the history of mankind.” Former U.S. Secretary of Defense Leon Panetta warned of a potential “Cyber Pearl Harbor” that may result due to the insecurity of our national critical infrastructures. These calls, in part, led U.S. President Barack Obama to issue Presidential Policy Directive-21, “Critical Infrastructure Security and Resilience,” and Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” in February of 2013 to drive cyber policy at the national level.
“Cyber defense requires not only IT experts with computer science, electrical engineering, and software security skills, but also professionals with an understanding of political theory, institutional theory, behavioral psychology, ethics, international law, international relations, and additional social sciences… the pillars of our society… are often led by individuals with extremely limited exposure to cyber issues and the existential threats they pose…”
Ms. Francesca Spidalieri
Fellow at the Pell Center for International Relations and Public Policy
Cyber threats are not simply a problem for the United States, but for the international community as well. For example, Estonian President Toomas Hendrik Ilves noted at the 2012 International Conference on Cyber Conflict that “the physical and the cyber worlds are quickly converging and boundaries between the ‘cyber’ and the ‘real’ world have begun to disappear. This, in turn, implies a convergence between cybersecurity and overall global security.” President Ilves is perhaps uniquely qualified to discuss cybersecurity, since his country is well known for mitigating a 2007 cyber attack that was the first cyber incident recognized as impacting an entire nation-state.
Given the international threat posed by activities such as cyber espionage, cybercrime and the potential for cyber attacks and cyber warfare, a generally accepted assessment exists that there is a critical shortage of skilled cybersecurity experts to mitigate and manage the cyber threat. The Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency report, “A Human Capital Crisis in Cybersecurity: Technical Proficiency Matters,” stated that there is a “desperate shortage of people who can design [adequately] secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate and reconstitute from damage due to system failures and malicious acts.”
The technical skills called out by CSIS are echoed by the educational standards the National Security Agency (NSA) has established for an educational institution to earn the NSA Center of Academic Excellence in Information Assurance Education (CAE/IAE) designation. As a result of the emphasis placed on highly specialized, technical skills, cybersecurity-related curricula are predominantly taught in the computer science and engineering schools at most universities. Similar efforts exist internationally, including Great Britain’s “Academic Centres of Excellence in Cybersecurity” program and the work of international cybersecurity firms like Kaspersky Lab, which sponsor yearly international cybersecurity student competitions.
This report suggests that while significant and necessary emphasis has been placed on the technical skills needed within the cyber workforce, little attention has been given to the people who will lead the future workforce. Some view the cyber threat through the lens of national security risk and the potential for a “Cyber Pearl Harbor”; others view it through the lens of business risk and the potential loss of intellectual property and competitive advantage. Regardless of one’s view, it is leadership that must develop sound strategy and manage adequately skilled resources to mitigate the cyber threat. As Jason Healey, Director of Cyber Statecraft of the Atlantic Council, notes in his book A Fierce Domain: Conflict in Cyberspace from 1986 to 2012, a number of cyber events serve as “wake up calls” to expose potential cyberspace threats, yet similar occurrences repeat. This is a failure of leadership.
As academia, organizations, and nations seek to develop a future generation of technically proficient cybersecurity specialists, a number of questions readily come to mind:
- Who will lead this future cyber workforce in the furtherance of the organization’s mission and business strategies?
- What knowledge, skills, and abilities (KSAs) are essential for these cyber leaders?
- Are these KSAs currently being taught in colleges and universities? In the private and public sectors? Are they required by commercial certifying organizations?
Regarding U.S. colleges and universities, a report by the Pell Center’s Francesca Spidalieri assessed the top graduate schools in a number of interdisciplinary areas, including business administration, public policy, health care management, and other non-technical fields to determine if any of these programs offer electives, concentrations or other opportunities for their students to learn about cyber threats, vulnerabilities, and consequences. Her research concluded that cyberspace and cybersecurity education remains lacking and underdeveloped in most of the top-rated schools in the U.S. A handful of schools such as George Washington University, George Mason University, Washington University of St. Louis, and the University of Washington, however, have recently developed “Cyber Leader” graduate programs that are mash-ups of their Engineering and Business Schools. On the public sector side, the U.S. Department of Defense’s National Defense University Information Resources Management College also offers a “Cyber Leader” graduate concentration under their Government Information Leadership graduate program. The key is whether or not these programs are teaching the appropriate KSAs in light of current and future cyber threats, a point this report addresses later.
The National Institute of Standards and Technology’s (NIST) National Initiative for Cybersecurity Education (NICE) is representative of the public sector’s attempt to address cyber-related educational requirements. The NICE framework identifies seven categories, of which six are specific cyber specialties. The seventh category, “Oversight and Development,” does address some of the KSAs expected of such organizational positions as the Chief Information Officer (CIO) and Chief Information Security Officer (CISO). This report investigates whether or not these KSAs are sufficient in light of the growing cyber threat.
In addition to formal education, commercial certifications are very often key discriminators by which many private and public sector organizations have assessed applicants and employees for advancement. For example, the private sector has adopted the International Information Systems Security Certification Consortium’s (ISC)² Certified Information Systems Security Professional (CISSP) as the de facto standard for cybersecurity managers. In fact, one senior executive interviewed for this report said that if an applicant seeking employment with her company has a bachelor’s or a master’s degree, but does not have a CISSP, the human resources department will not forward his or her resume for consideration. There are other examples of organizations where a Master of Science in IT Security may supersede the requirement of holding a CISSP. This reliance on commercial certifications raises yet another question: “Does a CISSP-like certification provide sufficient KSAs for someone in a cyber leadership role, or should there be something beyond a CISSP?” The CSIS report previously referenced addresses this question by stating that the “current certification regime is not merely inadequate, it creates a dangerously false sense of security…” The National Academy of Sciences’ recent report, “Professionalizing the Nation’s Cybersecurity Workforce?: Criteria for Decision Making,” concludes that the cybersecurity field is still young and the “technologies, threats, and actions taken to counter the threats that characterize the endeavor are changing too rapidly to risk imposing the rigidities that typically attend professional status.” Whether one agrees or disagrees with these assertions, it is clear that an organization’s Senior Cyber Leadership is essential in navigating these critical workforce issues.