How government agencies can beat foreign cybersecurity threats

When it comes to cybersecurity, organizations tend to focus their defenses on tools and technology. But the people part of cybersecurity is just as important. 

Aaron Rosenmund, cybersecurity operations expert, and Terin Williams, Chief of Cyber Operations and Senior Cyber Advisor at CISA's Integrated Operations Division, explain why government agencies need a people-first approach to beat foreign cyber threats.

Check out the on-demand webinar to hear their thoughts on the current cybersecurity landscape, security skills gaps, and cyber workforce strategies.

Foreign threat actors hope to get some sort of economic gain, garner public influence, or target critical infrastructure for political means. All of that makes government agencies—or any organization with ties to the public sector—an appealing target.

Foreign threat actors targeting critical infrastructure are looking for any place they can get a foothold. 

“A lot of people will say, ‘A nation state actor isn't going to be interested in me,’” said Terin. “And what we've absolutely seen is that they’re interested in connecting to anybody because you usually have connections to other people. 

“So you are a doorway or a pathway into how America works, or you actually are a pathway into another entity that they are absolutely interested in.”

In other words, every organization, no matter how small or large, is a potential target.

Agencies can fill entry-level security skills gaps through hiring. Finding intermediate and advanced skills in the market is much harder. Agencies need upskilling to close these gaps, but certifications and fundamental training get their teams only so far.

Aaron gives the example of the Certified Information Systems Security Professional (CISSP) certification. This is a semi-advanced certification, but taking it doesn’t necessarily give security professionals the skills they need to defend against a ransomware attack or any other incident.

“There's been a really big focus around policy and governance and risk and compliance and how we approach that,” he said. “But there's not a great conversion from policies and frameworks to technical action to implement controls and assess those controls. . . . That's where the gap is.”

And a lack of institutional knowledge will only compound existing security skills gaps. 

“A lot of the operational technology workforce is nearing retirement age,” explained Terin. “A lot of that institutional knowledge is also about to retire. It’s likely those jobs will not post for replacements until those people retire. 

“So the institutional knowledge of the operations themselves are about to disappear. And then the lack of cyber skills that pair up with that operational or institutional knowledge is also not there. Having that gap looming ahead of us is concerning.”

The key to closing the cybersecurity skills gap? Upskilling. Learn the four key components of successful security upskilling in this guide.

So, how can agencies protect themselves from foreign threat actors? They can start by filling critical cybersecurity skills gaps and reevaluating their learning cultures.

To close intermediate and advanced security skills gaps in your organization, your teams need more than basic cybersecurity training. 

They need learning opportunities that match their existing skills and take them to the next level. That’s going to require an understanding of the skills and investment needed.

“There's a proliferation of basic [security training] content across the industry,” said Aaron. “When we look at the cost of training for the intermediate-advanced level, we [need to] understand that it's more expensive to train people at the intermediate-advanced level. And that’s okay.”

Achieving defense in depth requires people with the skills to identify threats and understand the defenses needed to combat them. Hands-on experience allows cybersecurity professionals to develop their skills in real-world scenarios. 

“It comes down to very quickly going from concept to the technical information you need to know about how to implement a control, how to assess that control, and then how to loop on that action within your organizations and give your team members hands-on experience with that,” said Aaron.

Learn more about Pluralsight’s hands-on learning.

An agency’s learning culture can also hinder skill development. The bottom line? Don’t be afraid to upskill your security professionals.

“We're scared to train our employees because we're scared they're going to leave, right?” said Terin. “I think that's kind of a culture we've got to get away from. We've got to invest and take an individual or a personal approach to this. 

“Treat every person as the individual that they are, figure out what their passion is, and then leverage that by providing them those opportunities to grow but also training them to leave. 

“I know that sounds really optimistic, but as a nation, if we can do that, then the people that are coming to us are going to be better trained and the people that are leaving us are going to be better trained. And we all win.”

Learn three strategies to build a continuous learning culture.

Cybersecurity is ultimately a skills versus skills battle. 

“If we have our most advanced people at the top of the pyramid, and advanced persistent threats from nation states at the top of the adversaries' pyramid, that's where that fight is. If your skill level is under the top of that pyramid, then those nation states win,” said Aaron. 

But to develop those skills, agencies need to focus on their people. “Skills are inherently things that by definition people have. So we have to focus on people to get skills,” he said.

Learn how government agencies can build those advanced cybersecurity skills.

To get all of Aaron and Terin’s security insights, watch the full webinar on demand.