New technologies enable federal agencies to expand capabilities, but it’s the people behind the scenes who ensure these solutions are performant and effective. With increased discussion around modernizing IT, automation and pressure to secure government networks, recognizing the critical role of people is more important than ever.
Calls for investing in modern security solutions have been made, but little attention is given to the analysts who use and maintain that technology and who ensure it actually contributes to the agency's mission. This is somewhat ironic, because if you asked any agency leader, IT manager or chief information security officer (CISO), they would credit success and excellence to specific people in their organizations.
Government is making technology investment a priority to address today’s cyber threats. But it is essential to expand the investment in people as well. With a rapidly evolving threat landscape, it is crucial for both technology and analysts to be integrated, enabled and equipped to protect federal systems against cyber adversaries.
One of the biggest misconceptions about modern security is that automated solutions will replace the need for analysts. It is true that the current security job market has a large fulfillment gap, but automated systems rely on human analysts to develop the automation process and to make decisions. These decisions include intervention or reversion of machine automation tasks. Without the trained, conscientious analysts, an organization cannot protect itself — with or without automation.
The reality is qualified analysts and engineers are the first resource needed to correctly deploy security automation. Federal organizations need analysts to recognize problems and use human intuition and judgement to solve them.
Automating security processes will undoubtedly help agencies evaluate and manage emerging threats, but analysts will continue to play a critical role in monitoring, tuning and acting on the machine analysis. There is no need to burden human analysts with checklist-type processes that computers can easily automate. However, rather than eliminating a job, automation frees the analyst to focus on more complex tasks. Humans excel at tasks that require higher-level intuition, context and judgement.
Humans are inherently social. We communicate, collaborate, share, learn and act on knowledge and ideas. A major obstacle for many organizations is that analysts become isolated from the rest of the organization by job function or team grouping. Silos reduce the depth of context necessary for good judgment, technical enablement and action. When cross-communication is reduced, the entire agency's ability to understand the broader threat landscape is reduced with it.
The continuously changing cyber threat environment requires more information sharing than ever before. Cross-function collaboration is essential to bolster transparency and enable security analysts to share intelligence and context across different departments.
Preparing Our Cyber Workforce
By focusing on skills maintenance, skills acquisition and situational awareness, security analysts will be better prepared to protect our networks and respond to future cyber threats.
Skills maintenance refers to the importance of analysts continuously practicing and modernizing the technical skills and abilities they already possess. With new security technologies and detection methods emerging, organizations need to invest in employees for training and education programs to keep their skills up to date.
Skills acquisition focuses on learning new ways of solving problems or improving communication. These could include acquiring software development skills, learning about new technologies and processes, or learning non-technical skills that improve written communication or make meetings more efficient. By creating regular training and exercise opportunities for analysts to experiment with new techniques, organizations will help develop a healthy culture of innovative thinking.
The importance of situational awareness is twofold. First, analysts need situational awareness of the threat landscape, its evolution and the tactics adversaries use against different agencies. Government agencies operate in every major industry vertical, including defense, healthcare, high tech and finance. An analyst who is familiar with a broad array of cyber attacks, and by extension the organization, will be better prepared for future intrusions.
For example, ransomware is on the rise in the healthcare industry, reuse and exploitation of legacy vulnerabilities continues to be a problem across agencies, and phishing with web links and attachments continues to be a primary attack vector across the government. Agencies are attractive targets for cyber intrusions, so it is imperative that federal security analysts are educated on a broad scope of attacks and potential threats.
Secondly, there needs to be increased business situational awareness. Agency leaders need to ensure analysts are familiar with the business and mission of the agency. This enables the analysts to understand the challenges and computing habits of the workforce. With more knowledge of those behaviors, analysts can develop better detection, analysis and response practices.
Situational awareness also improves business continuity during an incident. When analysts are familiar with the mission objectives, they will naturally work to resolve incidents with a mission-centric focus. However, creating an environment for this type of collaboration must come from the executive level. This approach will help agencies break down the silos that prevent information from being shared. Security analysts will be better equipped to do their jobs if they understand what other departments are doing and see the big-picture objectives for the agency's security.
Attracting and Keeping Talent
Analysts possess qualities that technologies do not have and never will — intuition, intelligence and the ability to contextualize issues. This is precisely why it is so important to invest in government initiatives that not only help recruit the nation’s best cyber talent, but also retain and expand our existing federal workforce. While the government sometimes struggles to keep pace with Silicon Valley’s recruitment efforts, the Obama administration’s first-ever Federal Cybersecurity Workforce Strategy is a huge step in the right direction. This recently unveiled strategy aims to help government agencies develop a stronger pipeline of top cybersecurity talent and improve employee retention by implementing incentive payments, developing career paths and expanding federal training, credentialing and education programs.
CIOs and CISOs often talk about improving cyber processes, but enhancing the work culture for security personnel should also be a priority. Right now, analysts are primarily scored on a negative scale. If they are doing their job properly, minimal security incidents occur and nothing is said. But if a breach occurs, analysts are often set up to take the blame for everything, even if the incident wasn’t caused by an analyst’s mistake.
What we should be doing is rewarding our security analysts for the important, remarkable work they complete on a daily basis. Every day, security analysts are collaborating with and managing technology to create innovative solutions to our nation’s greatest security problems. By implementing reward and incentive systems such as those outlined in the Federal Cybersecurity Workforce Strategy, government will be able to better develop and strengthen cybersecurity talent, which in turn will help us better protect our nation’s networks.
Security operations teams don’t protect bits and bytes or silicon and metal. They help sustain the agency’s mission and serve the national interest with passion and tireless commitment. As the fight for security talent becomes even more competitive and cyber threats grow increasingly complex, government agencies need to recognize, reward and respect the indispensable talent of their analysts.
Monzy Merza is the director of cyber research and chief security evangelist for Splunk.