The White House this week released a new National Cybersecurity Strategy, intended to “secure the full benefits of a safe and secure digital ecosystem for all Americans.”
The Strategy is centered around five pillars:
- Defend critical infrastructure
- Disrupt and dismantle threat actors
- Shape market forces to drive security and resilience
- Invest in a resilient future
- Forge international partnerships to pursue shared goals
I applaud this effort, and especially appreciate its focus on the responsibility of technology creators, on the importance of collaboration and data sharing, and on building out a diverse cybersecurity workforce.
The Security Responsibility of Technology Creators
At ThreatX, we partner with organizations of every size in every industry to protect their systems from cyberattackers. We have seen first-hand that the primary burden of defending systems has been on the users of technology, rather than the developers.
Software developers should do everything in their power to create software as securely as possible; however, because technology and attackers are moving and evolving so quickly, 100% vulnerability-free software is not a realistic expectation. Developers and users must each do their part to protect our data and infrastructure, but I am happy to see more emphasis being placed on the technology providers.
The Strategy states that, “In a free and interconnected society, protecting data and assuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems.”
Collaboration and Data Sharing
Fighting cyberattackers requires an all-hands-on-deck level of effort. We need all the best minds in every industry in every country to contribute. Cyberattackers are a diverse, world-wide group, and our defense must be as well.
This Strategy emphasizes that global collaboration and cooperation must be a priority. The Strategy notes that “the United States and international counterparts can advance common cybersecurity interests by sharing cyber threat information, exchanging model cybersecurity practices, comparing sector-specific expertise, driving secure-by-design principles, and coordinating policy and incident response activities.”
I also appreciate the Strategy calling out the need for the US to help our allies investigate and respond to cyber incidents. This is another key aspect in establishing a united, global front against cyberattackers and in sharing knowledge and data.
Diverse Cybersecurity Workforce
I personally was especially happy to see the emphasis on building out a robust cyber workforce in this Strategy. We will never keep up with the threat actors without enough people, and the right people, fighting against them.
Helping people find jobs in this industry is a passion of mine, and the driving force behind ThreatX’s eXecutive Security podcast, which I host. I have talked to more than 60 cybersecurity leaders and practitioners on the podcast about the skills gap in cybersecurity, and how to address it. Through those conversations, I’ve come to realize that, in many ways, it’s a skills gap of our own making.
We’ve been hunting “unicorns” for far too long in this industry, and I’m thrilled that the White House is acknowledging that it’s time to stop looking for the perfect candidates with all the perfect skills, and start working to broaden our pool of candidates and focusing on training people with the right attitudes, but not necessarily all the right tech skills.
The Strategy states that “It will tackle head on the lack of diversity in the cyber workforce. Employers are hiring from too small a pool of talent and from professional networks that are not able to draw from the full diversity of the country. Women, people of color, first-generation professionals and immigrants, individuals with disabilities, and LGBTQI+ individuals are among the communities which are underrepresented in the field. Addressing systemic inequities and overcoming barriers that inhibit diversity in the cyber workforce is both a moral necessity and strategic imperative.”
I especially love this quote from the Strategy: “Building and maintaining a strong cyber workforce cannot be achieved unless a cybersecurity career is within reach of any capable American who wishes to pursue it.”
I couldn’t agree more; we can do better, and we must.