Creating a “Culture” of Cybersecurity

Robin “Montana” Williams

Director, National Cybersecurity Education Office

National Cyber Security DivisionJune 26, 2012

1

2

“My greatest fear is that, rather than having a cyber-Pearl Harbor event, we will

instead have this death of a thousand cuts. Where we lose our competitiveness by

having all of our research and development stolen…”—Richard Clarke, former White House Cyber Czar

THE WORLD WE LIVE IN!!

3

• Cybercrime is a global epidemic—now exceed narco-drug trafficking

• 2/3 US businesses are Internet dependent

• 8 out of 10 think they are safe from cyber threats, yet 80% do not have formal security policies in place

• Average cost of a cyber attack on a small business is $188K

• 60% of small business close within 6 months of an attack

• 55% of the nation’s workforce is employed by small business

Sources: SBA, Symantec, National Cyber Security Alliance & Zogby Int”l

A “CULTURE” OF CYBERSECURITY…

4

1. Awareness

2. Cultural Analysis

3. Responsibility

4. Education & Training

Every man's ability may be strengthened or increased by culture—John Abbott—Prime Minister of Canada

AWARENESS IN CYBERSPACE

5

Know the Threat

Criminal

Competitor

Country

Know your SWAG (valuables)

Technology

Research

Resources

Know their Tactics

Phishing—Social Engineering

Exploiting vulnerabilities

ORGANIZATION CULTURAL ANALYSIS (CA)

6

1. Values—Espoused vs. Actual

2. CA—the difference between values

a. Integration

b. Differentiation

c. Fragmentation

"Company cultures are like country cultures. Never try to change one. Try, instead, to work with what you've got.“ —Peter Drucker—Management Consultant

RESPONSIBILITY IN CYBERSPACE

7

STOP—THINK—CONNECT Establish and ensure compliance with a company internet policy

Force employees to change passwords < 90days DO NOT allow personal software or hardware on organizational networks

Password protect computers, communications and critical data—use complex passphrases (F00tJan01ba!!#1)

DO NOT open emails or attachment from strangers

Encourage the Reporting of suspicious activity

EDUCATION & TRAINING

8

COMPONENT 1: NATIONAL

CYBERSECURITY AWARENESS

DHS

COMPONENT 2:

FORMAL CYBERSECURITY EDUCATION

NSFDOED

COMPONENT 3:

CYBERSECURITY

WORKFORCE STRUCTURE

DHS

COMPONENT 4: CYBERSECURITY

WORKFORCE TRAINING AND

PROFESSIONAL DEVELOPMENT

DHSODNIDOD

NICS Portal

NATIONAL CYBERSECURITY FRAMEWORK

9

The Framework, released in 2011, outlines 31 functional work specialties within the cybersecurity field and is the foundation of the effort.

The Framework was developed in collaboration with subject matter experts from government, non-profits, academia, and the private sector.

The Framework organizes cybersecurity into seven high-level categories, each comprised of several specialty areas.

The Framework has been broadly accepted as a best practice to define the cybersecurity field.

NATIONAL INSTITUTE FOR CYBERSECURITY STUDIES (NICS) PORTAL

10

Serve as the Nation’s online resource to learn about cybersecurity awareness, education, careers, and workforce development opportunities.

The portal’s vision is to elevate cybersecurity awareness and affect a change in the American public to adopt a culture of cyberspace security.

NICS will be an online community for cybersecurity professionals and others to gain knowledge related to their field.

The Portal will be steered by an Advisory Board to provide guidance on cybersecurity awareness, education, careers, and training.

Summary

11

1. The World We Live In

2. A Culture of Cybersecurity

a. Awareness

b. Responsibility

c. Education & Training

3. Resources

a. National Cybersecurity Workforce Framework

b. National Institute for Cybersecurity Studies Portal

DHS Cybersecurity EducationContact Information

12

For more information, please contact:

Robin “Montana” WilliamsDirectorNational Cybersecurity Education & Workforce DevelopmentNational Cyber Security Division703-235-3945 (Office)571-512-1095 (BlackBerry)robin.williams@hq.dhs.gov