The CISO as Role Model
Defending Networks is a Job Worth Emulating
But, in an interview with GovInfoSecurity.com (transcript below), Kaiser said chief information security officers can serve as real-life role models. CISOs, Kaiser said, "are interested in defending the networks and protecting the networks that they work on. These people are engaged in really important work and take a lot of satisfaction in the work they do. ... I think young people can connect with all kinds of adults in this field to get a vision about what they might do in the future."
In the interview with Information Security Media Group's Eric Chabrow, Kaiser addresses the:
- Challenges governments and businesses face in recruiting IT security professionals.
- Barriers Americans need to clear to practice safe Internet use.
- Idea that Congress should require the public to follow safe Internet practices.
ERIC CHABROW: Please assess the cybersecurity hygienic practices of the American Internet user?
MICHAEL KAISER: I would say that we have some work to do. That it seems that Americans, I can speak generally here about Americans in all walks of life in small, medium size businesses, are starting to get some of the messages about what they are supposed to be doing such as updating their security software on a regular basis, updating the web browser and their operating systems, changing their passwords. We know that they are hearing those messages, but I'm stressing that we are finding out that in a lot of cases they are not necessarily acting on that advice to keep themselves more safe and secure. We see, for an example, in the area of passwords that people are still using things like "1, 2, 3, 4" and "password" as a password or never even changing the default password that they get when they log into a new system.
CHABROW: Why do you suspect that they are aware of better IT security practices, but don't follow through?
KAISER: We're not 100 percent sure about that yet, and we're starting to do some research to look into what could motivate people. We think in the way our culture has evolved and we think about things like seatbelts. We knew for a long time that it was right to wear our seatbelts. The evidence is out there that people who were in accidents got more severely injured than those, when they weren't wearing their seatbelts and those who did, but it takes a while for things to become normative behavior in our culture. Most of us who have young kids know that they have no idea that seatbelts are against the law, but it is certainly against the law in my car. If I started to drive away without my seatbelt on, my young child is going to demand that I put my seatbelt on before we leave. We have a timeframe that we have to go through till people start to adopt these behaviors as being something that is required as say a person living in the digital world.
CHABROW: Is this something that should be legislative? Seatbelt laws are legislative and are there ways to compel people to practice cybersecurity hygiene?
KAISER: At this point I would say that legislation is probably not the way to go in this regard. With seatbelts, it is a very simple procedure. You are either wearing it or you are not and the people set to enforce that are already the people who are enforcing other traffic safety on the road so you had a built in mechanism to do that. I think we still have to give people a chance to do better. We have to encourage them to do better. We have to educate them about why it is important to do better, and also help them I think in part understand, and I think is one of the things that we emphasize a lot at the National Cybersecurity Alliance, that their behavior has an impact on other people. If your system is not secure in your home, your business, you run the risk of infecting other computers around you and making the Internet less safe for everybody else. We can start to tap into that a little bit better and let people know that they're not just acting alone. I have hope and I don't think that we require at this point, a whole infrastructure to legislate it and make it happen. I do think we see a merging in some areas. We've had for a while around things like credit cards, there are compliance issues and there are some data protection issues, and I think those things should always be explored because they are in everybody's best interest.
CHABROW: Do you see any kind of usefulness in a law to get Internet service providers or other businesses that work with users to get them to practice [Net hygiene] and require them to? For example, today my bank when I went online, I had to change my user identification or else I couldn't use the system. Having that kind of regulation or law to compel those kinds of practices?
KAISER: What you are touching on is actually a really important topic. There are more things that everybody could be doing to make us safe and secure and that people should be open to those. I think we'll know when we are making better progress when people say, "Oh, my bank asked me to change my password today and I did it, and I didn't think of it as an inconvenience or a problem if they asked me to change it. I thought of it as thank you bank, because I know that by changing my password, which is probably something I wouldn't do on my own unless I was prompted to do it, is something that makes me more safe and secure."
I think those are the kinds of things we'll see and I think we will see more of. I don't think they'll necessarily be legislated; they'll be taking advantage of the tools that are out there. As these tools become better and Internet service providers or banking sites, or other e-commerce sites get better tools to make you use their site more safe and securely, I hope that they will start to implement them, whether it's multiple levels of authentication, some requiring additional information beyond a log in and a password to prove who you are. We'll also maybe start to see some standardization of some of these things as time goes on as well. That will probably grow up from industry and government working together to solve some of these problems, which is what we prefer.
CHABROW: The National Cybersecurity Alliance is also about encouraging people to enter the IT security field. In your blog, you write the need to spark and inspire young people to think about careers in cybersecurity and you cite cyber challenges and competitions as a way to engage that. A few questions on this: First, are the math skills of American students sufficient enough to produce the need and number of people to become cybersecurity specialists, let alone in other fields that require math knowledge?
KAISER: The answer to that, unfortunately, is no. We know that in the science, technology, engineering and math, or what they call STEM education, we are falling far behind and there is great concern that young people are not getting the basic skills they need. At the high school level, for sure, but even starting a little bit earlier. The foundational knowledge they need in these curriculums in order to be ready actually when they get to college to take on more advanced math work and science work that they need to take on, not only careers in cybersecurity but other technical careers as well. It is very critical for us to have educated young people coming into the work force, and in cybersecurity more specifically we need more young people to take on the challenges of the next generation of defending our cyber assets and our cyber infrastructure and they will need that basic education. It gets more technical as time goes on.
CHABROW: Let's say there are a sufficient number of people out there who can head toward careers in cybersecurity, but we are still talking about a half generation away before these people can work in government and business to help defend IT systems but the problem is immediate. Is there a way to address that?
KAISER: The problem is immediate. A half a generation, I'm not sure if I would agree it's quite that long because there are certainly probably people entering college today who could come out in four years and could play a role in being, you know, cyber defenders. There are people in other disciplines like in the armed service who get regularly trained on things like information assurance, which could be a great backbone and a grounding foundation in some of these topics. But I do think that the immediate need is very pressing and that young people should see, those in college now who are studying things like computer science and other things, that there may be opportunities for them as cyber defenders that they haven't considered before. I think that one of the issues that we focus as an education awareness organization is that there are not enough role models for young people to see the careers that are out there, so it is hard for them to perceive themselves as being in these careers. If we cast some light on some of our best cyber defenders and the work they are doing and the kind of education they got to get their jobs, and why they like their jobs, and why their jobs are interesting, I think we'll see more people come into this field. I think that companies and government will, part of the immediate response is by doing additional training now to get people up to speed.
CHABROW: Do you see other fields as the big competition and I'll give you an example. A few years ago I wrote a story about the decline in computer science majors and at that time you had these TV shows that dealt with forensics. They were losing students that used to go into computer science to the areas of forensics. Are you seeing that today, something like that happening?
KAISER: I don't know exactly what the trend would be in regards to that but I think what you've raised is a real interesting point is that the popular culture does play a role in how people vision what they are going to do in the future. So I think you are right. When people see these shows that show these exciting careers in forensics, and I'm not sure that the careers have actually ended up on are as exciting as the things on the television shows. Some things don't often get wrapped up in an hour like they do on TV, but that they gravitate toward those and so that is the kind of example that I'm talking about in terms of more role models out there for young people to see that there are exciting opportunities in the cyber world.
I mean we do have some shows like "24," for example, where cyber plays a huge role and some other ones and I think as soon as people see that they may get excited about those as possible careers. But that is the societal shift that we all have to buy into and it's something that we have to help young people, not only see it on TV as an opportunity but also back it up in the classroom, the kind of education that supports them actually achieving that.
CHABROW: Can you cite some role models?
KAISER: Well I can. The problem is that they are not always out in the public. I mean I talk to chief information security officers at, you know, major corporations all around the country all the time, and these are tomorrow activated people who are interested in defending the networks and protecting the networks that they work on. I mean these people are engaged in really important work and I think take a lot of satisfaction in the work they do. You know I have young children and by the time they get into second or third grade, they've seen the fire engine, they've been to the firehouse, they've seen the policeman, they've talked to a policeman and they have in their mind when I grow up I want to be a fireman, and not that they all grow up to be a fireman but they can envision that is something that they could do, and we need similar role models. It doesn't have to be celebrity status. One of the programs we operate is cybersecurity awareness long-term education program where we encourage IT professionals to go into the schools and teach kids cybersecurity safety and ethics and there is an opportunity there to talk about their job and what they do. I think young people can connect with all kinds of adults in this field to get a vision about what they might do in the future.