Does Dearth of Infosec Pros Pose Risk?

NSA's Information Assurance Director Doesn't Sugarcoat the Truth

January 7, 2010.
Dickie George is an optimist about training the skilled information security professionals to protect American IT in the coming years, but he doesn't sugarcoat the truth when it comes to securing military and federal IT systems now.

George is technical director of the National Security Agency's Information Assurance Directorate, and in the second part of an interview with GovInfoSecurity.com (transcript below), he describes a shortage of skilled infosec pros in government. Does such a shortfall in cybersecurity talent place government systems at risk?

"I wouldn't say that we are insecure because of that, but it makes the challenge harder for us," George says. "Security is not a zero-sum game, either. You are not either secure or insecure, it is how secure are you, what is the threat, how hard is it to take advantage of that threat. It is a complicated issue. It is not to say that if I had three more people I would be secure. What kind of security can we create for the nation?"

In the interview, conducted by GovInfoSecurity.com's Eric Chabrow, George also discusses:

  • Competition among government agencies, and between government and business, in recruiting from a pool of far too few cybersecurity professionals.
  • Need to start educating students early about IT security in hopes they'll be attracted to a career in cybersecurity.
  • Lack of cybersecurity awareness among American citizens.

In Part 1 of the interview, George addresses the technical challenges facing the NSA in securing its IT systems, including staging attacks on its IT.

George began at the National Security Agency in August 1970 after graduating from Dartmouth College. He started in the Crypto-Math Intern Program, having tours in Research, the SIGINT Directorate and the Information Assurance Directorate's predecessor organization. Except for a tour in the Signals Intelligence Directorate and one at the Center for Communications Research in Princeton, he has worked in the Information Assurance Directorate since 1973, and has served as its technical director since 2003.

ERIC CHABROW: Where does the NSA find and how does it develop knowledgeable IT security professionals to meet its cybersecurity challenges?

DICKIE GEORGE: That's a great question. The good news about today's world is a lot of the people that we are recruiting are people that have grown up with today's technology. It comes as really natural to them. Where it doesn't come quite as natural to a lot of our more senior analysts, and that is a great thing.

We also see that we have the Centers of Academic Excellence where we have partnerships with 106 universities around the country and they are teaching the kind of skills that we need. So we are being fairly effective at finding the right people with the right skills to fill those needs; we don't find enough. We have tremendous needs and we have the same needs that private industry has and that competition for these scarce talents makes it really hard. But the good news is that we are all part of the big team and we don't win unless the private industry wins as well. But the important partnership with us is partnering with the universities to get the kind of education that the kids need to get the hands-on training that allows them to understand.

I have a personal belief that it is really hard to build security unless you know how to attack it. It really helps to get in the lab and see how things break, how they can be misused and how these layers of security can be defeated when you are trying to build a solid defense. You have to understand the threat before you can defend against the threat.

CHABROW: For a student, that sounds like that would be an exciting thing to do.

GEORGE: When I talk to the students, they are really excited. When I compare the kind of education you get in college today as to when I was in school, it is so much more hands-on, so much more real world that they have a tremendous opportunity to really do things that matter. Things that really are effective in today's world; they solve real-life problems as opposed to theoretical problems. It is an opportunity they have to really make a difference, even as students.

CHABROW: I am listening to you and I am thinking of an article I did a few years ago that addressed the decline in interest in computer science students at universities around the country and at that time people were more interested in going into things like forensics. I am wondering now, with more attention being placed on cybersecurity, do you see a growing interest among young people to get into this field?
