Cybersecurity Workforce Management: Engage, Empower, Elevate
Explore the intricacies of Cybersecurity Workforce Management through engaging, empowering, and elevating your team. Discover the goals, challenges, and executive orders driving the cybersecurity workforce landscape, along with strategies to enhance workforce capabilities. Unveil the essence of personnel securing and defending data, networks, and systems, and delve into the critical aspects of training, funding, and clarity in managing cybersecurity teams.
Presentation Transcript
ITEN WIRED 2019 Cybersecurity Workforce Management ENGAGE EMPOWER ELEVATE
Deidre Melton, CFE, CIA, CISA, CISM, CRISC Cybersecurity, Risk, and Controls Advocate 16+ Years in Government & Education Industries Auditor & Investigator Florida A&M University ISACA Tallahassee President SheLeadsTech Ambassador Mommy of two
Agenda: What is Cybersecurity Workforce Management?; Goals; Challenges; Executive Order on America's Cybersecurity Workforce; NIST SP 800-181; Training Plans; Budgets
What is Cybersecurity Workforce Management? Cybersecurity Workforce: Personnel who secure, defend, and preserve data, networks, net-centric capabilities, and other designated systems by ensuring appropriate security controls and measures are in place, and taking internal defense actions. -Department of Defense
Goals of Cybersecurity Workforce Management
- ENGAGE: Engage your workforce in career planning and training plan processes.
- EMPOWER: Empower your workforce with the knowledge, skills, and abilities to confidently do their job and network with their peers internally and externally to the company.
- ELEVATE: Elevate your organization's reputation within the cybersecurity community.
Challenges of Cybersecurity Workforce Management
- Clarity & Consistency: job role definitions, to competency models, to training, education, and certification standards, to the ability to assess those skills necessary for effective job performance.
- Funding: Lack of optimal resource allocation, cybersecurity managers' inability to articulate needs effectively to non-technical managers, understaffed and underprepared security departments.
- Training: Lack of comprehensive training plans aligned to manage risk and achieve organization strategic objectives.
Executive Order, May 2, 2019
- Encourages widespread adoption of NICE Framework (NIST SP 800-181)
- Innovative Training
- Accountability for Managing Cybersecurity Risk
- Contract Reporting Requirements
- Competition and Awards
Questions How do you assess your workforce capability and capacity needs related to cybersecurity? How do you organize and manage your cybersecurity workforce to establish roles and responsibilities? How do you prepare your workforce for changing cybersecurity capability and capacity needs?
NIST SP 800-181 (NICE Framework) Resource for describing and sharing information about cybersecurity work and the KSAs needed to complete tasks that can strengthen the cybersecurity posture of an organization. Common, consistent lexicon that categorizes and describes cybersecurity work https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf
Cybersecurity Workforce Building Blocks https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf
NIST 800-181
The NICE Framework is comprised of the following components:
- Categories (7): A high-level grouping of common cybersecurity functions.
- Specialty Areas (33): Distinct areas of cybersecurity work.
- Work Roles (52): The most detailed groupings of cybersecurity work comprised of specific knowledge, skills, and abilities required to perform tasks in a work role.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf
NICE Framework Workforce Categories https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf
Work Role Detail https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf
Questions Does your organization have a department training plan for your IT and cyber professionals? How are training plan goals established? Is training monitored to ensure all staff are keeping up with the latest knowledge, tools, and techniques?
6 Steps to Building an Effective Training Plan
1. Do your homework!
   a) Mission
   b) Organization Strategic Plan
   c) Department Strategic Plan
   d) Performance Goals
2. Develop a Training Strategy
   a) Needs
   b) Goals
6 Steps to Building an Effective Training Plan
3. Perform a competency assessment
   a) NICE Framework
   b) Certification
4. Set Training Targets (High Level)
   a) Department
   b) Employee
6 Steps to Building an Effective Training Plan
5. Leadership Support
   a) Alignment with Organization Objectives
   b) Impact to Organization
6. Promotion and Individual Plan Development
   a) Promotion: Non-Financial Benefits, Professional Development, Career Growth
   b) Individual Plans: Career Pathways
Training Plan Pitfalls to Avoid
- Not communicating the benefits of training to staff and leadership
- Not including soft skill training in the training plan
- Not monitoring the plan for impact to department and organization objectives
- Allowing staff to take whatever type of training they want without benefit to the organization
- Focusing training around certifications and not overall skills and knowledge gain
Training Plan Pitfalls to Avoid
- Not engaging employees in the development of their plans
- Not looking ahead to the future
- Not tying plans to career pathways
- Not looking at the various methods for obtaining training when building plans
- Not planning training schedules to avoid high performance times of the year
- Not communicating with the audit, risk, and compliance departments when building training plans
Questions What things do you take into consideration when building your training budget? Is your training budget sufficient for the size of your department? What techniques do you use to maximize your training budget?
Building a Budget for Your Training Plan
1. Cost to Meet Training Plan Goals
   a) Group Training
   b) Membership into Organizations
   c) Training Software
   d) Conferences
   e) Train the Trainer
2. Cost to Organization of Not Meeting Training Plan Goals
   a) Contracts
Cost Benefit Analysis of Training Plan
Cost to Organization of Not Meeting Training Plan Goals
   a) Organizational Performance & Goals
   b) Contracts
   c) Consultants
   d) Security Gaps & Risk
   e) Compliance
Questions What challenges do you have when communicating your budget needs to those with decision making authority? Do you feel as if your IT training needs are being prioritized by leadership?
Communication Exercise Communicating to Senior Leadership Team and/or Budget Decision Maker(s) Background Tech Division Retail Industry 30 Employees $150,000 Budget Request Limit 3 Minute Pitch
Communicating Training Budget Needs
1. Recon
2. Strategy
3. Cost vs Outcomes
   a) Security Posture
   b) Reputation
   c) Employee Satisfaction & Career Development
   d) Organizational Performance
4. Impacts of Not Approving Budget
5. Alternatives
Questions Open Discussion
Contact Information Deidre Melton Phone: 850-599-3131 Email: deidre.melton@famu.edu LinkedIn: https://www.linkedin.com/in/deidremeltoncisa