This is part two of a two-part series. Part one examined the cybersecurity struggles facing organizations in economically challenged, underserved communities.
“Cybersecurity needs to be a basic human right,” insists Phil Reitinger, president and CEO of the Global Cyber Alliance.
And yet, many small businesses and government institutions – especially those in underserved, economically struggling communities – lack these fundamental protections, thereby putting their customers’ and constituents’ data at risk in the process. Unable to afford cyber solutions or lure experienced IT professionals away from big cities and wealthy corporations, these organizations are left to make the most with what little they have.
But according to industry experts, there are ways to level the playing field between the haves and have-nots. And there are no shortage of ideas for how to do it.
Free programs and services
Among the various institutions that provides free cyber assistance to organizations in need is the Global Cyber Alliance, which offers small business owners toolkits and workshops, as well as Quad9, a DNS service that blocks consumers and companies from accessing known malicious websites based on current threat intelligence. GCA claims the toolkit helps cut cyber risk by as much as 80 percent.
“Part of the problem for small businesses is money… but a chunk is really just time and expertise. They don’t even have the time to look out and see what might be free,” said Reitinger. “They need a curated approach, and they need help. Our goal with the cybersecurity toolkit for small business was not just to give small businesses guidance – there’s a lot of guidance out there already – but give them everything they need to do cybersecurity in a ‘just-add-water’ environment.”
The Cyber Readiness Institute similarly distributes free resources that small businesses can employ to reduce risk, including a step-by-step guide for achieving proper cyber hygiene. According to the CRI, 73 percent of participating small businesses said the program had a high impact on their cyber readiness.
“We have an opportunity through education and training to have human beings be a force multiplier for cybersecurity,” said Kiersten Todt, managing director of the CRI. “Having that first ability to train your employees – regardless of the size, but particularly with small businesses that don’t have the ability to invest a lot – can be an equalizer.”
States and local municipalities can also take advantage of free services offered by the Center for Internet Security’s Multi-State Information Sharing and Analysis Center (MS-ISAC), a Department of Homeland Security-funded effort to help governments with cyber threat prevention, protection, response and recovery.
Federal assistance is available too, if you know where to look for it.
Jerry Huff, CISO of the 11-member Kansas Independent College Association and a member of the CyberRisk Alliance’s Cybersecurity Collaborative advisory council, leverages several free services provided by the Department of Homeland Security.
“One of the things we started doing with them is an assessment of the core network for each one the schools” within KICA, said Huff. Moreover, the DHS provides a tool to see how your own network resiliency compares to peer organizations with similar IT requirements. If you find you’re falling short in a particular area, like incident response, then you can apply more budget toward those needs, he explained.
They’ll even perform free pen testing.
“It’s very basic,” Huff said. “But go and hire somebody to do pen testing? You’re talking about some dollars.”
What do you do when large corporations in the big city lure away all of your local cyber talent? Create a community cyber hub of your own through the development of nearby academic and economic programs.
Sarah Tennant is sector development director and strategy advisor for cyber initiatives at the Michigan Economic Development Corporation (MEDC), an organization dedicated to promoting the growth of the state’s cyber community. A key element of this program is the Michigan Cyber Range in Ann Arbor – the nation’s largest unclassified cyber range – and its use of hubs in other cities that serve as an extension of the main facility. Tennant said these hubs host more than 40 certification, exercises and workshop offerings designed to develop local talent.
“These efforts build into the overall strategic plan of the Michigan Economic Development Corporation to ensure economic opportunity is realized across the state – making it a priority to focus on disadvantaged areas and traditionally underserved businesses including women-owned and minority-owned businesses,” said Tennant. Hub examples include the Pinckney Cyber Training Institute (PCTI) in the small rural community of Pinckney and the Upper Peninsula Cybersecurity Institute in Northern Michigan University.
Tennant said PCTI has recently added a Security Operations Center where students “play active roles in round-the-clock monitoring and management of the SOC and providing live SIEM monitoring in a public school setting, offering network monitoring for multiple entities including municipalities, townships and small businesses.”
Another recent endeavor to create a cyber hub and boost the local economy and workforce was the 2018 opening of the Georgia Cyber Center in Augusta. The cyber range and training facility combines expertise in academic, private industry and government to deliver affordable cyber training and education to locals. Also in the South, the Tulsa Innovation Labs in Oklahoma adopted a mission to position the city as an influential, diverse and inclusive tech hub, with cyber as one of five key areas of focus.
Redistribution of the workforce
One of the long-term impacts of the coronavirus pandemic is that many companies have come to realize that a distributed workforce model can actually work. That means future security professionals who don’t want to move to the “big city” can now stay closer to home and work remotely. While that doesn’t necessarily solve the problem of large corporations hiring up all the best people, a more distributed workforce could still over time help the development of homegrown talent, some experts say.
It’s a matter of local communities creating a strong value proposition said Mike Hamilton, CISO at CI Security and former CISO of Seattle. “The creation of a value proposition can be, ‘hey, if you agree to work here, you’re not going to get paid as much as you would if you go live in New York, but you will have a great quality of life.’
“If Amazon, Facebook, Google will continue to pay people to work remotely, then go live someplace that’s awesome and start dumping your money there. This is going to bring up the local talent… and incentivize people to get into technology more.”
With that in mind, Hamilton founded PISCES, or the Public Infrastructure Security Cyber Education System, a program that offers security monitoring to the public sector at no cost and then uses the collected data to train local university students to be cyber analysts. Four schools are already participating and the historically black university Alabama A&M University will be next to join, meeting demand of the workforce to live in places where they can get necessary training.
“Every university wants their students to graduate and work locally, and students, when they do graduate, really don’t want to go anywhere,” Hamilton added. The PISCES program essentially brings the training to the more rural community, eliminating the need for individuals to leave the community to receive training.
Huff agreed that if more of the cyber workforce is to be redistributed to rural areas, that talent is probably going to come from locals who receive a local education.
“It’s tough to get somebody who grew up in Kansas City to move to rural Kansas,” he said. But hat individual that grew up in rural Kansas could welcome a means to stay.
“I think that’s where your small schools, be it a university, a community college or tech school, can be a big asset,” he said.
Shared services, MSSPs and the cloud
To stretch your capabilities further and compensate for smaller cyber workforces, companies need to get creative or go out of house for help.
“Try to stop running your own servers, have thin clients if you can, put everything in the cloud and in the hands of a service provider who really can handle cybersecurity if you can’t,” Reitinger said. “It’s not going to solve every problem – if you go to the cloud and you don’t do it right, it’s not going to help you – but the cloud is the greatest opportunity we’ve really got to make cybersecurity equitable. You can build a lot of security into the service.”
“It’s the only solution for the people problem,” he added.
Beyond recruitment, small and medium businesses have the secondary challenge of workforce retention, both of which can cost quite a bit of money over time.
Darren Van Booven, lead principal consultant at MSSP company Trustwave, said the cost of security software licensing, 24×7 security monitoring, and cyber analysts are typically far higher when performing everything in-house, versus a model with partial in-house cyber capabilities, combined with outsourcing of certain aspects – such as 24×7 monitoring capability.
“Outsourcing some security functions to MSSPs allow for access to high-end talent at a fraction of the cost of hiring and maintaining your own,” Van Booven explained.
Another solution is for multiple institutions to pool their IT resources. That’s what the 11 members of the Kansas Independent College Association have done since KICA hired Huff as its CISO in July 2019 to provide cyber support to the various schools’ IT directors.
“The president of KICA saw this as a need – that these smaller schools, these independent schools, didn’t have the resources to fund a full-time position at their school,” he said. “And there’s also the other issue of… their location, getting someone to come to those rural areas. I have to say it’s gone over very well.”
Laws and regulations
Experts also say the federal government could take further action to help organizations meet their cyber needs.
Drex DeFord, health care executive strategist for CI Security, said one recent governmental policy change that may prove beneficial is the Department of Health and Human Services’ proposed reforms to the federal Physician Self-Referral Law and Anti-Kickback Statute. The Stark Law, as its known, would provide safe harbor rules to larger health care organizations, allowing them to share cybersecurity services with smaller physician’s offices who provide referrals without it being considered an illegal kickback.
Meanwhile, the Cyber Readiness Institute has also been collaborating with two other non-profits on a policy proposal for Congress designed to incentivize cybersecurity investments. The concept is this: Those small that receive funds through the Economic Industry Disaster Loan can have any portion used for cybersecurity forgiven.
“I absolutely believe that it is an opportunity for the federal government to step, looking at cybersecurity as a policy priority… and create policies that start to level the playing field,” Todt said. Such policies, she added, could perhaps establish guidelines for reaching “baseline levels of cyber infrastructure and cyber investment that we now have to see as not an option, not a nice-to-have, but a need.”