There's a widespread myth damaging digital security policy making. As with most security myths it certainly seems "true," until you spend some time outside the policy making world and think at the level where real IT gets done.
The myth is this: "If we just had a better trained and more professional IT corps, digital security would improve."
This myth is the core of the story White House Commission Debates Certification Requirements For Cybersecurity Pros.
My opinion? This is a jobs program for security training and certification companies.
Here's my counter-proposal that will be cheaper, more effective, and still provide a gravy train for the trainers and certifiers:
Train Federal non-IT managers first.
What do I mean? Well, do you really think the problem with digital security involves people on the front lines not knowing what they are supposed to do? In my opinion, the problem is management who remains largely ignorant of the modern security environment. If management truly understood the risks in their environment, they would be reallocating existing budgets to train their workforce to better defend their agencies.
Let's say you still think the problem is that people on the front lines do not know what they are supposed to do. Whose fault is that? Easy: management. A core responsibility of management is to organize, train, and equip their teams to do their jobs. In other words, in agencies where IT workers may not be qualified, I guarantee their management is failing their responsibilities.
So why not still start with training IT workers? Simple: worker gets trained, returns to job, the following conversation occurs:
Worker to boss: "Hey boss, I just learned how terrible our security is. We need to do X, Y, and Z, and stop listening to vendors A, B, and C, and hire people 1, 2, and 3, and..."
Boss to worker: "Go paint a rock."
Instead of spending money first on IT workers, educate their management, throughout the organization, on the security risks in their public and private lives. Unleash competent Blue and Red teams on their agencies, perform some tactical security monitoring, and then bring the results to a class where attendees sign a waiver saying their own activity is subject to monitoring. During the class shock the crowd by showing how insecure their environment is, how the instructors know everyone's Facebook and banking logins, and how they could cause professional and personal devastation for every attendee and their agency.
We need to help managers understand how dangerous the digital world is and let them allocate budgets accordingly.
