The Air Force chief information security officer offered unusual advice to new security professionals: Don’t worry about every patch and vulnerability.
“It’s OK if you can’t get to 800 controls,” said Peter Kim, at FCW’s Cybersecurity Summit on Aug. 9. “It’s OK if you miss a patch.”
Kim said that he is trying to communicate to his team that their most important job is to support the soldiers. He said that he doesn’t want new members of the Federal workforce to get discouraged because they feel that they “can’t possibly follow every rule.” Kim instead tells them to prioritize.
“Which controls are the most effective for the problem we’re trying to solve?” Kim said.
The Federal government has struggled to attract younger technology employees: candidates are unfamiliar with the legacy systems that agencies still run, and agencies cannot match the salaries offered by private technology companies.
“This is not a technical challenge for cybersecurity,” Kim said. “This is a human challenge for us. Usually I get to sit in the ivory tower of the Pentagon. I realize that outside the Pentagon there are literally thousands of people trying to execute the cybersecurity mission.”
Kim said that the best way to train Federal technology employees is to center the education around the mission of the agency so the IT professionals know what capabilities are the most critical to protect.
Kim said that the Department of Defense is focusing on improving situational awareness, ensuring that its systems and devices are defensible, training the workforce around the mission, creating a reliable way to issue directives during an unexpected cyberattack, and appointing the proper authorities to drive changes.
Matt Conner, CISO and director of the Cybersecurity Office at the National Geospatial-Intelligence Agency, said that eventually automation will be able to solve part of the problem of the cybersecurity workforce shortage because the technology will be able to respond to situations effectively without a human behind the controls. However, most agencies are not close to this point in their capabilities.
Kim said that he wants to make Federal cybersecurity jobs more appealing by giving them more independence and a bigger challenge. His vision is to have “cyber defenders” at the edge of the networks to make their own real-time decisions about how to protect the mission systems.
“We want them to love their job,” Kim said.