Flunking Cyber Education

We live in great times for cyber employment and training.  Rapidly developing and expanding STEM programs in schools.  Congressional bills supporting funding of myriad training programs.  

A recent summit held by the White House on July 19th - under the auspices of the new National Cyber Director - to find ways to encourage people to join the cyber work force and develop education programs supporting the effort.  Lots of talk about the 700,000 person job gaps in the cyber field and the need to fill those jobs.

As a cyber expert and college professor who teaches cyber, I applaud these developments.  But, as someone who is in the cyber business and now in the education game, I tell you it’s not going to be easy. Ignoring whether 700,000 people want to join the cyber community of workers - and not everyone does or has the skills to do so - you have to think of what kind of education you need to do the job. One of the big corporate challenges  - private or public - is not people learning code.  It’s middle managers learning the vastness of cyber, its organization costs, and getting those on the cyber coal face to speak understandably/or translate to those that run the places. Currently, despite best efforts, they are talking past each other.

Three Layers of the Cyber Cake

The connection between the decision makers and the cyber people on the coal face has always been problematic. Neither really understands the others’ need. They come from two different worlds. It is, in my experience,  the poor middle managers who are whipsawed between the two – explaining to their bosses why good cyber structure is needed and understanding of the cost of failure.  And, then, explaining to the people on the coal face why cost remains one of the most important factors despite the potentially troublesome challenges of a “lesser” solution.

Starting in reverse order, the Third “Cake” Layer I speak of is the technicians/the guys on the cyber coal face. Bluntly, in the land of the cyber “gun fight,” they are the ballistic experts. They speak a very specific tech language and think the guys above them are ignorant or indifferent because they don't understand their language.  The Third Layer wants more support and rarely understands the cost factor. It is their world. They know what needs to be done to make it work.

The First Layer is composed the Senior Managers whose lives are devoted to cost, profit and explaining to their overlords the levels of success and failure. They are “gun slingers”. They just want their “gun” to work. They can spell IT. They have a vague idea about exactly what cyber does as primarily it costs them money -- off the bottom line, without any real metrics as to return on investment and the potential of losing their jobs if something screws up.  They could use some education too - but they haven't got the time or, in many cases, the inclination.

And, then in non-ordinal order and an unenviable position, is the Second Layer -- the mid-level managers.  Paraphrasing the late American U.N. Ambassador Adlai Stevenson, they are the peaceful makers who catch hell from both sides.  The Second Level need to know enough about what Level Three is doing to explain it to Level One. And they need to know what Level one is facing to guide the efforts in Level Three.  

An Educational Opportunity Missed

Frankly, few schools have dealt with the Second Layer problem.  They favor extensive training for the coal face; engineering schools devoted to systems management and software development, for instance. And they occasionally give seminars for the First Level – usually as corporate retreats with everyone distracted by their I-phones as they try to run their business from afar. They rarely attempt to educate the Second Layer.  I think that is a major mistake.

We need to develop more classes that bridge that Middle Management gap - creating understanding of cyber needs and structure in both a policy way and a tech way.  We don’t need cyber experts, but we do expertise; a basis of understanding that allows for the needed translations.  

In other words, Level Two need to understand the general substance of the tech problems that are brought to them so they can explain it to the Decision Maker – who ultimately risk manage the cost versus potential failure of the organization. And these Middle managers need to explain to the cyber guys on the coal face why Level One are concerned about cost and to better explain what the decision makers risk assessment is – what is possible given cost.

Until that gap is closed, we are going to continue to go around in this endless loop of failure where the managers blame the IT guys and the IT guys think the senior managers are hopelessly out of touch.

Frankly, the American public ultimately pays the price for this gap. They deserve better. And, in my opinion, colleges and universities are missing a whole segment of a very large potential student population.


Ronald A. Marks III is a Visiting Professor of Cyber and Intelligence at George Mason University’s Schar School of Policy and Government.  Marks has also spent two decades managing or owning cyber related enterprises.


You Might Also Read: 

The Limits Of Social Media Soft Power:

 

« Google Chrome Extension Used To Steal Emails
Publicly Reported Ransomware Incidents Are Just The Tip Of An Iceberg »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

RSA Insurance Group

RSA Insurance Group

RSA is one of the world’s leading multinational quoted insurance groups. Commercial services include cyber risk insurance.

DataLocker

DataLocker

DataLocker offers both hardware based external storage and software based cloud storage encryption solutions.

CSIS Security Group

CSIS Security Group

CSIS provide actionable threat intelligence, prevention, incident response and 24/7 managed security services.

Sumo Logic

Sumo Logic

Sumo Logic simplifies how you collect and analyze machine data so that you can gain deep visibility across your full application and infrastructure stack.

Nexis

Nexis

Nexis GmbH is a German IT security company specializing in IAM, access control, and risk management.

CyberGhost

CyberGhost

CyberGhost is a Virtual Private Network services provider offering secure encrypted access to the internet.

Infosec (T)

Infosec (T)

Infosec (T) Limited is an independent Tanzania based consultancy specializing in IT governance, information security and IT audit.

Advens

Advens

Advens is a company specializing in information security management. We provide Consultancy, Security Audits and Technology Solutions.

Police Digital Security Centre (PDSC)

Police Digital Security Centre (PDSC)

PDSC is a not-for-profit organisation, owned by the police, that works across the UK in partnership with industry, government, academia and law enforcement.

NeuVector

NeuVector

NeuVector, the leader in Full Lifecycle Container Security, delivers uncompromising end-to-end security from DevOps vulnerability protection to complete protection in production.

Shearwater Group

Shearwater Group

Shearwater Group is an award-winning organisational resilience group that provides cyber security, advisory and managed security services to help secure businesses in a connected global economy.

Deeper Network

Deeper Network

Deeper Network represents the world's first decentralized blockchain network for building a truly private, secure and fair Internet.

Theta432

Theta432

THETA432 is a cybersecurity firm that provides 24/7/365 managed prevention, detection, response, Hybrid SOC, cyber defense monitoring services with dynamically defined defense (3D™).

Tracebit

Tracebit

Tracebit uses decoys to detect and respond to cloud intrusions in minutes.

Kahootz

Kahootz

Kahootz is a highly secure cloud collaboration platform helping teams to work together across organisations.

Syteca

Syteca

Syteca is specifically designed to secure organizations against threats caused by insiders. It provides full visibility and control over internal risks.