The two versions are fully compatible. The additions, including new categories and subcategories, do not invalidate uses or work products in the first version of the Framework. “We didn’t want to change the framework substantially so the two frameworks could work with each other,” NIST Cybersecurity Framework Program Manager Matt Barrett said during an April 27 webinar on the Framework update.

The changes to the framework are based on feedback collected through public calls for comments, questions received by team members and workshops held in 2016 and 2017.

Changes include a new category for managing supply chain risk, which includes an assessment process for commercial off-the-shelf IT products and services.

Eight subcategories were added, and language was refined in several places, such as clarifying what “compliance” means for various stakeholders. A new section on self-assessment of cybersecurity risk was added, and the access control category has been renamed to identity management and access control so that it better accounts for authentication, authorization and identity proofing.

In addition, information has been added to the implementation tiers and profiles to reflect considerations within an organization’s risk management program. A subcategory has also been added to address coordinated vulnerability disclosure.


We know this because in 2016, in partnership with the International City/County Management Association, we conducted the first-ever nationwide survey of local government cybersecurity. Among other things, the survey data showed just how poorly local governments practice cybersecurity.

Under near-constant attack, but not fully aware

Nearly half – 44 percent – of all the respondents told us they experience cyberattacks at least daily. Based on prior research, we are confident that rate is actually much higher.


The volume of attacks isn’t dropping – and in some cases it’s increasing.


But even so, many communities didn’t know how frequently they are attacked, and most didn’t count or catalog initial attacks — though more than half did track more serious incidents and breaches.


More than half weren’t able to determine who was attacking their systems.


Unprepared to respond, and with not enough support

Certainly, there are local governments that do a commendable job with cybersecurity. If previous research into government information technology systems and electronic government can be a guide, they are most likely larger, more well-funded and more well-managed governments. However, the data from our more recent survey strongly suggest that at least some, and perhaps even a large fraction of, local governments may be unable to respond to electronic intrusions.


In part this is because few local officials are aware of the need for cybersecurity. Nearly two-thirds of the respondents to the survey, who were nearly all information technology or cybersecurity officials, said that top managers understood the need. However, among other groups in local governments, awareness dropped considerably. Perhaps as a result, support for cybersecurity efforts was also not as strong as Atlanta’s and Baltimore’s experiences suggest it should be.


With most local government officials and staff unaware and unsupportive, it is not surprising that cybersecurity is so poor among American local governments. Atlanta Mayor Keisha Lance Bottoms admitted that cybersecurity was not a high priority, although “it certainly has gone to the front of the line.”

And yet, crucial barriers remain, largely to do with how much money is allocated to cybersecurity efforts.


Getting more people in the know

If local officials are going to do a better job protecting their information assets, they’ll first need to know a lot more about what’s actually happening. The numbers of survey respondents who answered “Don’t know” to our questions was surprisingly high. No top local officials, whether elected or appointed, should be unaware of basic cybersecurity information, like whether their systems have been attacked or breached, or who’s attacking their systems and why.

Knowing these answers will only become more critical as computing becomes more deeply embedded in systems running “smart” cities. If computers control traffic lights, sewage plants and electrical grids, then the consequence of attacks is more severe than just loss of information or computer services.

At the other end of the scale, over 20% did not consider steganography important, while small percentages did not see malware analysis, digital forensics and incident response, IoT vectors or penetration testing as skills a recent graduate needs on day one.

The full results are available via Shawn’s original blog. In that, he said that “professionals have spoken as to what they want in a recent graduate and are willing to train you,” suggesting what is most important for students to learn based on the survey findings.

He also said that if a candidate does not have the requisite skills but is passionate about working in cybersecurity, “then don’t be afraid to build a foundation in another entry level role and gradually transition into a security position.”

Speaking to Infosecurity, Davis said that “mentoring passionate current employees and transitioning them into a security role is a win for everyone.”

He said an employer should quickly recognize a help desk technician who excels in their current role, constantly asks for more opportunities to learn new skills, and can communicate effectively with staff at all levels.

“The same goes for the developer that is interested in reviewing code for vulnerabilities, wants to understand how underlying infrastructure works and has excellent documentation skills.”

In particular, Davis’ research found that 27% of respondents would require any graduating student to work in the help desk prior to placing them in an entry-level security position. Asked if this demonstrates the need for inexperienced people to gain some experience before they can expect to be hired, Davis said: “I imagine many of the 27% have been burned in the past by hiring a recent graduate that interviewed well, had a security certification, but ended up not knowing how to format a hard drive or set up a static IP, let alone how to configure a firewall or harden an OS. In that instance, I definitely agree that person should have to get some experience in a non-security role first.

“However, the majority of respondents mentioned that they would be willing to hire individuals that know the basics and have a good grasp on the most important information security concepts and needed skills.”

Davis said that having taught at undergraduate and graduate levels, he can generally tell within the first couple of weeks of a class which students have the potential to get hired directly into a security position: these are the students that speak up in class, are teaching themselves scripting, have a virtual lab at home to learn more about servers and networking, follow Twitter feeds of industry professionals and attend local tech meetups.

“They also ask questions and use their lessons and homework as a tool to ensure they really comprehend the material in preparation of their career as opposed to simply wanting to pass a class,” he said. “These students have a great shot of being successful in a junior security role and it was refreshing to see that 73% of respondents to the survey would mentor and bring in such students.”

On another research point, 58 of those surveyed said that an entry level security certification affects the hiring decision, while 42 said it made no difference. Is this good news for career changers who don’t have the time to take a new certification? Davis said that security certifications generally show that the recipient has at least basic foundational knowledge in the area, but a person who doesn’t work towards a certification will still most likely have to spend extra time learning the basics or new skills.

Finally, 62 respondents said that an internship is the best way for a student to gain entry to a junior role. However, how easy are these positions to find?

Davis said: “internships are predominantly available in larger cities and even then are not particularly prevalent. Indeed.com currently lists around 3000 security internships available in the US and only around 150 in the UK. I believe a lot more businesses and government agencies should offer security internships.”

So was he calling for more businesses – particularly more ‘desirable’ tech companies where young people want to get work experience – to offer opportunities? He said that at present, many organizations practice poaching experienced security professionals from each other as opposed to offering needed internships or adding new entry level security positions.

He said that organizations need to realize that:

  1. There is already a shortage of security professionals which will only get worse
  2. They are missing out on great talent. Organizations that work directly with academia could create programs to bring in the best students for summer internships in addition to hiring recent graduates.

What else can aspiring cybersecurity professionals do to get a first opportunity? Davis recommended that attending local security meetups is a great way for recent grads to meet people in the industry and learn about new potential positions. The survey also showed a few respondents recommended job fairs as another way to enter the industry.

It is positive to see what the hiring companies want, but it seems that the challenge for new professionals is proving themselves and finding the opportunities in the first place.

If the creators of the girls-only online cybersecurity competition Girls Go CyberStart are successful, some of these high schoolers will get hooked on the quickly expanding and well-paying field of cybersecurity and, in the process, help offset one of technology’s deepest gender gaps: Just 11 percent of cybersecurity professionals today are women.

Employers in the United States, and countries worldwide, face a critical shortage of professionals trained in protecting corporate and government computer networks and systems from cyberattack. As these attacks grow more frequent and sophisticated, jobs in information security are expected to skyrocket. The Bureau of Labor Statistics predicts that jobs for cybersecurity analysts in the U.S. will grow 28 percent by 2026. Currently, there are 285,681 unfilled jobs available in cybersecurity, according to CyberSeek, a website that tracks the cybersecurity job market. Globally, research indicates there will be a shortage of 1.8 million cybersecurity professionals by 2022.

Attracting and retaining qualified workers to the field — especially women — has become a critical issue across sectors, from banking to health care, aviation and government. “Can we staff up fast enough to be able to protect the power systems of the United States, the weapons systems, the financial systems? Because, right now, we do not have anywhere near enough people to do any of that,” said Alan Paller, director of research for the SANS Institute, a cybersecurity training company that created the Girls Go Cyberstart challenge. And yet, said Paller, the on-ramp for women into cybersecurity remains obstructed. “If we block entry for women, we’re blocking 50 to 70 percent of the talent,” he said. “When I walk into a high school Cisco Networking class, I’ll see 30 boys and one girl. Girls are being told loudly: ‘You are not invited.’”

With a median wage of $92,600, cybersecurity jobs pay enough to vault workers into the upper-middle class and beyond. Cybersecurity work typically requires a bachelor’s degree in computer science or programming, a few years of experience in a related field such as networking, software development or systems engineering, and in some cases, an information security certification.

At Red Bank Regional, 40 girls, divided into 14 teams, signed up to play Girls Go CyberStart. The push to get girls into computer science is newly backed by a statewide mandate that requires all New Jersey high schools to offer computer science by next school year, and that makes the course mandatory for graduation beginning in 2022.

During the 2015-16 school year, just 39 percent of New Jersey high schools with Advanced Placement programs offered an AP computer science class, mirroring the limited availability of such classes in high schools nationwide. Of New Jersey’s 1,111 computer science graduates in 2016, only 15 percent were women.

Tech Earners

“We’ve made tremendous inroads in just the last few years,” said Mandy Galante, a technology teacher at Red Bank Regional High School whose classes focus on systems, networking, cybersecurity and forensics. The lead organizer of the school’s Girls Go challenge, she credits nonprofit organizations like Girls Who Code and code.org for impressing upon schools the importance of teaching digital skills and competence.

“In my experience at the high school level, it’s not that girls are being shut out of technology exactly, a bigger issue is that they’re not self-identifying,” Galante said. “I’m seeing boys realize in high school, ‘I can do this,’ so they’re getting to the right college so they can take courses in this field. They’re just way ahead of the game.”

In an effort to reach more girls for the Girls Go game at Red Bank, for example, Galante recruited girls from non-tech classes, including a dozen from a creative writing class. “We want to get the girls who never even thought of doing this,” she said.

For women, barriers to entry into cybersecurity, and the tech field in general, begin long before high school, said Nicole Smith, a research professor and chief economist at the Georgetown University Center on Education and the Workforce. “Our parents make decisions early on about what boys and girls should be doing,” she said. “The social conditioning starts really early.”

Especially once girls reach middle and high school.

“The elephant in the room is that girls ‘can’t do math good’,” said Smith. “But when you look at standardized tests and SAT scores, girls are scoring just as well as boys in math and science. In some cases, they are actually doing better. The question isn’t about competence, it’s an issue of decision-making about what to pursue. When a preponderance of women are making decisions that will affect their lifelong earnings potential, we need to ask why, and what is it about our culture that is telling women: ‘This is where you belong’?”

In a report she recently co-wrote on the gender wage gap, Smith found that although women are now graduating from college in greater numbers than men, and are pursuing STEM degrees more than ever before, they still earn 81 cents for every dollar earned by men when wages are averaged across job sectors. She also found that when women choose majors in well-paying sectors, they tend to then select the least lucrative sub-majors. For example, 54 percent of women majoring in STEM fields concentrate in biological and life sciences, which are among the majors with the lowest-paying career prospects, but only 17 percent select majors in the more lucrative field of engineering.

The Girls Go challenge is an effort to equalize the cybersecurity playing field, or at least to plant a seed of interest in cybersecurity at the high school level. This past winter, in its first year, 6,654 girls across 16 states and the territory of American Samoa participated in the game. In order for schools to access the game, the SANS Institute asked governors’ offices nationwide to partner in its promotion. Winners each receive a $100 gift certificate and an all-expense-paid trip to a conference in Chicago for women in cybersecurity. The winning team’s host school receives a $1,000 award.

Melissa Vuong, 15, is a sophomore at Red Bank and a member of team Throckmorton. With zero coding experience, she was primarily drawn to the opportunity to collaborate with her team. “It’s super fun working together,” she said. “And it’s my first time playing a game like this, so it’s a challenge, but I like it.”

Girls Go is not the first online challenge designed to attract young people to cybersecurity, though it is the only game specifically for girls. The Air Force Association’s CyberPatriot online competition and GenCyber camp, funded by the National Security Agency and the National Science Foundation, are aimed at attracting high schoolers to the cybersecurity field, though they do tend to appeal primarily to boys. While some girls do participate, Galante noted, they rarely make it to the leaderboards and thus fail to garner attention and awards, which among competitors creates a deeper interest and connection to the field.

“We’ve learned over the years that winning shiny stuff, and having people make a big deal out of you, helps young people believe in themselves and be attracted to something,” said Galante. “But even though girls were participating — in small numbers — in challenges like CyberPatriot, this recognition wasn’t happening for them. The boys, who have so much more experience in gaming, were the ones being recognized.”

In spite of increasing numbers of women pursuing STEM degrees, only 26 percent of computing jobs in the U.S. are filled by women. Like cybersecurity, the broader field of jobs related to computing faces a labor shortage with 1.1 million job openings projected by 2024.

When women do opt to major in STEM fields such as cybersecurity, they frequently leave the field after a brief tenure, according to a 2011 report by the Georgetown University Center on Education and the Workforce. “Even when women do well and excel in college in technology, they divert into teaching math or science, or into fields like biology or pharmaceuticals — fields that are predominantly female and pay lower wages,” said Smith, the Georgetown economist. This may be due in part to priorities. When considering a new job, men value salary above other factors, the Georgetown report found. Women, on the other hand, prioritized proximity to home; working environment and workplace communication; and prospects for upward mobility.

Workplace environment is clearly a factor, especially in cybersecurity where teams tend to be small and therefore perhaps more intense. Marian Merritt, the industry engagement lead for the National Initiative for Cybersecurity Education, points to the hyper-competitive, noncollaborative, war-terminology-oriented nature of cybersecurity as a major concern for women. The initiative, a unit within the U.S. Department of Commerce, aims to alleviate the cybersecurity workforce shortage.

“Anecdotally, we know that there’s an emphasis in cybersecurity on being self-taught, self-driven and adversarial,” said Merritt. “I think it’s time to figure out if this is just growing pains within a relatively new field — cybersecurity is maybe 10 years old as a subspecialty — because there are a lot of things happening in cybersecurity that are of big concern.”

When the Girl Scouts Research Institute, a unit connected to the Girl Scouts, surveyed its membership for its own STEM study, it found that 74 percent of the girls expressed interest in science, technology, engineering and math — yet only 13 percent said those fields would be their first choice for a career. Fifty-seven percent said that if they did enter a STEM field, they would have to work harder than a man just to be taken seriously.

At Red Bank Regional, after the weeklong Girls Go challenge, neither Team Throckmorton nor The Team That Must Not Be Named scored sufficient points to win at the national or state level. On the final scoreboard for New Jersey, Team Throckmorton placed 73rd out of 168 teams in the state, while The Team That Must Not Be Named placed 97th. Still, after playing Girls Go this winter, 70 percent of the players nationwide said they are now interested in a cybersecurity career, compared with 36 percent prior to playing the game, according to a survey by the SANS Institute.

One of those newly cyber-enthused students was Brigid Clanton-Calnan, a junior at Red Bank. “Right now, I’d say I’ve gone from pretty much zero interest in cyber security to really being pulled in that direction,” she says. “And I’d love to play the game again, if it happens again next year.”

This story was produced by The Hechinger Report, a nonprofit, independent news organization focused on inequality and innovation in education.

The Securing Our eCity Foundation began in 2008 as an initiative of ESET North America. Over the past several years, the organization has been laser-focused on its youth programs, including the SoCal Cyber Cup Challenge. Liz Fraumann, the foundation’s executive director, said the program has grown tremendously over the past nine years, but there’s still room for improvement and additional partnerships from across industry and education.

During her time organizing the SoCal Cyber Cup Challenge, Fraumann said she’s frequently encountered potential partners who are interested in helping address the issue of filling the cybersecurity workforce but often lack the follow through to support initiatives to make that goal happen.

“Everyone acknowledges the problem, and often begins addressing it by creating focus groups and task force teams,” Fraumann said. “However, now is the time to dig-in and follow-up, as good intentions are not enough. The landscape is changing, and the competitions and education are the launching pad to help ensure California is proactive instead of reactive to the cyber demands.”

The California Cyberhub partners with Securing Our eCity and many other organizations to facilitate those partnerships and collaborations — with the goal of making it as easy as possible for anyone who wants to jump in and participate, no matter what their background.

“We’ve made great strides, but we are still missing key students who need to and want to participate,” said Cyberhub Community Manager Donna Woods. “We need to reach all the students who have a desire to gain knowledge and participate and we need to reach the organizations who want to be involved.”

“Supporting cybersecurity competitions and events provides organizations of all types with the opportunity to see tangible benefits in the form of engaged students who are making an impact in their communities,” Fraumann said.

“We have worked with and watched students from middle school progress to high school, and now return to assist in the Challenge while they establish careers in the cyber industry, or enroll in college pursuing their respective degrees in cybersecurity,” Fraumann said. “Now is the time for everyone, students and coaches especially, to put together their teams, and get ready for fun and learning. It is about one of the most exciting careers of the future, cyber security!”

In the days since the SoCal Cyber Cup Challenge Finals, we have had organizations ask what made our Challenge so different and why the participants were so excited. The answer is easy and one word: “Gamification,” and this is thanks to Circadence, our platform provider.

Cyber Cup Challenge Addendum

“In an effort to make our Challenge different than many other experiences the students are exposed to today, the platform we used from Circadence, Project Ares®, is unique,” said Liz Fraumann, executive director, Securing Our eCity Foundation. “In fact, all of us organizers, coaches, and mentors alike, felt it was one of the best experiences the kids have ever had.”

The Project Ares platform begins in a Media Center, where the students learn definitions, read real news articles and more. They then move to a Game Room, where they play computer games such as “Cylitaire” and “PortFlow” that teach basic cyber security concepts and skills. Once the students master these, they move to the next level, the “Battle Rooms,” where they begin to engage with cyber security tools and tasks relevant to tactical practice and master hands-on-keyboard techniques. Finally they are ready for “Missions.” This final level provides the students a mission-specific virtual environment with real-world tools, network activity and a large library of authentic threat scenarios.

“The SoCal Cyber Cup Challenge students that participated were transported into an immersive, realistic, and very exciting virtual world. It was incredible and the kids loved it,” said Ms. Fraumann. “This tool is great for the students but should also be considered by the business community for more ‘real-world’ threat assessment and protection by their IT teams, instead of waiting for the ‘real thing’ to happen. We see the local universities helping to build scenarios. In fact, National University and their cyber security lead, Professor Chris Simpson, are already engaged. He is a testament of what can be done when academia and business work hand-in-hand.”

For the foreseeable future, the organizers of the SoCal Cyber Cup Challenge, the National Defense Industry Association, National University and Securing Our eCity will count on Circadence and their Project Ares to provide the “secret sauce” for the Challenge, as it can grow and change as they do.

For more information on the SoCal Cyber Cup Challenge and this year’s winning teams, visit https://timesofsandiego.com/education/2018/04/05/del-norte-high-school-the-cambridge-school-take-top-honors-during-socal-cyper-cup-challenge/

“We held almost a dozen workshops with half of the departments in the state sending representatives,” California Chief Information Security Officer Peter Liebert told GCN.

The maturity metrics will be gathered from sources agencies already use, such as those collected during audits by the CDT’s Office of Information Security or through independent security assessments, according to the Statewide Information Management Manual.

The metrics address policy, system categorization and governance and measure security maturity in five categories and across 34 controls:

  • Identify: Governance, data and system categorization and vulnerability scanning.
  • Protect: Account management, encryption and system configurations.
  • Detect: Network and end-point monitoring.
  • Respond: Incident response plans and testing.
  • Recover: Technology recovery plans and testing.

“We decided to use the five categories in NIST’s [Cybersecurity Framework] so this framework makes sense for leaders who are not very savvy in the cybersecurity space to be able to compare their agencies to others,” Liebert said.

The scores are weighted on a five-point scale, with “0” indicating low program maturity and “4” indicating high program maturity, according to a CDT technology letter.

The maturity metrics focus on measures that will provide the highest return on investment — i.e., those leveraging existing assets and those that help agencies balance cybersecurity visibility, decision-making and efficiency in resource allocation and overall security spending, according to CDT’s 2017 Annual Report. They will also help CDT track gaps and statewide trends so it can identify where additional guidance, training and remediation support can help improve cybersecurity.

Tracking the maturity metrics will run on a four-year cycle. In the first year, environments are examined for policy requirements. The second year examines compliance with the metrics set out by the Cybersecurity Framework, and the final two years examine the results from the independent security assessments to determine changes from the initial baseline measurements.
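As an added illustration of how 0–4 control scores roll up into the per-function and statewide numbers described above, here is a small Python scorer. It is not CDT's tool: the control names, the weights and the sample scores are constructed assumptions, and the thresholds are arbitrary. It also shows the two checks a collector would want (every control scored, every score on-scale) and a baseline comparison of the kind the four-year cycle calls for.

```python
"""Rollup of 0-4 maturity scores by NIST CSF function, in the style of the
CDT metrics described above.

Added example, not CDT's scoring tool. The control list, the weights and
the sample scores are constructed assumptions.
"""
from collections import defaultdict

MAX_SCORE = 4  # CDT scale: 0 = low program maturity, 4 = high

# Constructed subset of controls grouped under the five CSF functions.
# (function, control, weight) -- weights are assumed, not CDT's.
CONTROLS = [
    ("Identify", "governance", 2.0),
    ("Identify", "system_categorization", 1.0),
    ("Identify", "vulnerability_scanning", 1.5),
    ("Protect", "account_management", 1.5),
    ("Protect", "encryption", 1.0),
    ("Protect", "system_configurations", 1.5),
    ("Detect", "network_monitoring", 1.0),
    ("Detect", "endpoint_monitoring", 1.0),
    ("Respond", "ir_plan", 1.0),
    ("Respond", "ir_testing", 1.5),
    ("Recover", "recovery_plan", 1.0),
    ("Recover", "recovery_testing", 1.5),
]


def _check(scores):
    """Reject a submission that omits a control or uses an off-scale value."""
    for _, control, _ in CONTROLS:
        if control not in scores:
            raise ValueError(f"no score submitted for control {control!r}")
        s = scores[control]
        if not isinstance(s, int) or not 0 <= s <= MAX_SCORE:
            raise ValueError(
                f"score for {control!r} must be an int in 0..{MAX_SCORE}, got {s!r}")


def rollup(scores):
    """Return ({function: weighted mean}, overall weighted mean), 2 dp."""
    _check(scores)
    weighted = defaultdict(float)
    weights = defaultdict(float)
    for function, control, weight in CONTROLS:
        weighted[function] += weight * scores[control]
        weights[function] += weight
    per_function = {f: round(weighted[f] / weights[f], 2) for f in weights}
    overall = round(sum(weighted.values()) / sum(weights.values()), 2)
    return per_function, overall


def gaps(scores, threshold=2):
    """Controls scoring below `threshold`, worst first, for remediation planning."""
    _check(scores)
    below = [(f, c, scores[c]) for f, c, _ in CONTROLS if scores[c] < threshold]
    return sorted(below, key=lambda t: (t[2], t[0], t[1]))


def delta(baseline, current):
    """Per-function change against an earlier baseline (positive = improved)."""
    base, _ = rollup(baseline)
    now, _ = rollup(current)
    return {f: round(now[f] - base[f], 2) for f in base}


# Constructed sample: a small agency's self-reported scores for one cycle.
SAMPLE = {
    "governance": 3, "system_categorization": 2, "vulnerability_scanning": 1,
    "account_management": 2, "encryption": 3, "system_configurations": 2,
    "network_monitoring": 1, "endpoint_monitoring": 2,
    "ir_plan": 2, "ir_testing": 0,
    "recovery_plan": 3, "recovery_testing": 1,
}

if __name__ == "__main__":
    per_function, overall = rollup(SAMPLE)
    print("overall:", overall)
    for function, score in per_function.items():
        print(f"  {function:<9}{score}")
    print("below threshold:", gaps(SAMPLE))
```

Weighting per function rather than per control is what lets a leader compare an agency's "Respond" line against another agency's, which is the comparability goal Liebert describes; the rejection of missing or off-scale scores matters because a silently defaulted zero would look like a real gap in the statewide trend data.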

The metrics are also meant to complement the assessments that the California Military Department already conducts for many agencies through its cybercrime division. CDT’s Office of Information Security also performs policy-based audits for high-risk entities.

The metrics can help empower smaller state agencies to make a case for improving their cybersecurity posture despite having a smaller workforce, Liebert said.

According to NIST, more than 20 states are using its Cybersecurity Framework to improve their cybersecurity posture.

“Independent verification through the security metrics … is extremely valuable from an oversight perspective,” Liebert said. “As these metrics become part of the normal process, we will be collecting data and providing results to the corresponding departments and leadership.”
