Regulating a Nation’s Information Security Workforce
In a previous article, I examined Australia’s proposed Security Legislation Amendment (Critical Infrastructure) Bill 2020. This information security overhaul imposes strict reporting requirements on enterprises and affords the Australian government unprecedented and far-reaching powers that enable it to intervene in the operation of an organization’s network in the event of a threat to critical infrastructure.
The intention of the bill is to help Australian businesses fend off cyberattacks. It is also an indictment – from the Australian government – of the willingness or ability of private enterprises to appropriately secure their networks as well as the capability of operators tasked with these duties.
It represents a flashpoint in the information security ecosystem, laying bare the industry’s absence of workforce intelligence.
What Do You Mean, “Workforce Intelligence?”
The benefits of workforce intelligence for an organization are well-documented. It enables the establishment of succession plans, highlights leadership potential and interest, improves learning and development pathways, and fills vacancies with greater accuracy and speed. Unsurprisingly, workforce intelligence helps an organization to understand its workforce.
This bill introduces another element. It demands that an organization be capable of providing reasonable assurance to the government that their workforce is appropriately staffed and equipped to secure their network.
For several years, the public sector has been experimenting with and implementing assessment standardization practices. These ensure that the entities tasked with evaluating organizations are consistent and meet government thresholds. The purpose of this is to enhance the nation’s network security through a greater understanding of the cyber workforce. The Cybersecurity & Infrastructure Security Agency’s (CISA) Assessment Evaluation and Standardization (AES) program has paved the way for these changes and provides a roadmap that other nations will follow.
CISA’s AES is a federal government initiative that is training “assessors” nationwide to standardize the assessment process and introduce a performance baseline. Regulatory assessors are tasked with evaluating and reporting on the workforce, operational resilience, cybersecurity practices, organizational management of external dependencies, as well as other key elements of a robust and resilient cyber framework for federal organizations.
Regulatory evaluation of this scale in information technology is unprecedented. It will be detrimental to the speed and agility of the information technology sector and will undoubtedly affect each organization’s bottom line. The challenge for policymakers over the coming 24 months will be determining to what extent they will rein in technologists. The challenge for technologists will become ensuring they are involved in these discussions, talks that will ultimately shape their future.
Sciences and the Humanities
Policymakers and technologists operate in two separate worlds. It’s a problem identified by British scientist CP Snow in his 1959 essay, “The Two Cultures.” In this, he separated the two into sciences and humanities and pointed to the split as a significant hindrance to solving problems of the world. At the time, the essay was influential, and 60 years later, nothing has changed.
Technology and policy are deeply intertwined. Software enables and constrains society with an efficiency that laws cannot match.
In an article for the World Economic Forum, Bruce Schneier, a long-time technologist and vociferous policy prognosticator, has opined on the subject of policy and technology. To paraphrase, he asks us to consider that the greatest stepping-off point for fully appreciating this clash is artificial intelligence (AI). Already, the technology is augmenting, and in some cases replacing, notoriously subjective human processes with “fairer, more consistent, faster, and more scalable” decision making. It can also entrench bias, codify inequity, and act in ways that are unexplainable and detrimental for society. A notable example is the use of AI for predictive policing. Predictive policing tries to make the law enforcement process proactive rather than reactive. Through the use of algorithms, police can get information about where future crime is likely to occur and can take steps to prevent it.
This approach to policing is new, but we have no proof it works. A 2014 study by RAND Corporation investigated the impacts of predictive policing and found “there is no statistically significant reduction in crime from predictive policing.”
What we do know about predictive policing is that it amplifies racial bias. Analysis of Oakland’s PredPol system has shown that despite a theoretically race-neutral algorithm, black neighborhoods would be targeted at twice the rate of white neighborhoods for drug crimes. This outcome occurred despite estimates from health surveys that show illicit drug use is equal across racial groups.
In 2016, former NYPD commissioner William Bratton stated that “Predictive policing used to be the future, and now it is the present.” Despite the concerns of bias, it is unlikely that any police department will reverse course unless regulated to do so.
The Age of Cyber Regulation
The advancement of technology beyond the bounds of the law as a catalyst for introducing compliance and regulation requirements is evident throughout history.
In an odd circumstance of the nexus of life and art, I first became aware of this relationship in 1996 when I saw the movie “Jurassic Park.” In a climactic moment, Dr. Ian Malcolm says, “Your scientists were so preoccupied with whether they could, they didn’t stop to think if they should,” explaining to rich philanthropist John Hammond that bringing dinosaurs back to life to start a theme park was a bad idea.
Technology has grown and sprawled in defiance of Dr. Malcolm’s wisdom. It is clear to everyone in the information security industry that change is required. You will often see this represented in calls for increased funding or Board-level accountability. The Security Legislation Amendment (Critical Infrastructure) Bill 2020 is the first step on a long path of industry regulation that will drive this change.
The debate of whether – and how far – software should be considered critical infrastructure is a relevant factor in this regulatory shift. Information technology is the fundamental sector on which all others depend, after all. So should all software require the same security investment as, say, the oil and gas industry?
The challenges the industry faces are similar. Software developers, after all, are consistently tasked with balancing speed (profit) and safety (compliance).
The incredible – and necessary – burdens placed on long-standing critical infrastructure industries that ensure safety and security are well documented. They encompass the likes of:
- Staffing requirements: Mandatory roles, responsibilities, and training or certification obligations for these individuals;
- Processes and procedures: How and when activities can be performed or approved; and
- Reporting obligations: Expectations for internal communication about activities as well as for communication with regulatory bodies.
The Australian Bill – and others across the world – is an acknowledgement that components of Information Technology are critical infrastructure, and as a result, government bodies must intervene to ensure they meet government-mandated safety and security controls.
Looking to the Future of the Infosec Workforce
Right now, most nations are in their information gathering phase, setting up their workforce intelligence practices that will shape the coming years.
There is an increasing amount of research to help policymakers understand the relationship between regulation and industry. For instance, new research analyzing the relationship between national business regulation and entrepreneurship has found the optimal levels of regulation to support market entry while maintaining national interests.
Unfortunately, research analyzing the relationship between national business regulation and information security is not available at this stage. Policymakers in the information security space will have to lean on related research and – hopefully – input from professionals to shape their decisions.
The implementation of the Bill could be an indicator of what technologists can expect in the way of consultation for these decisions. If it is, technologists will not have much influence on the shape of the regulation to come.
About the Author: Jack Lindsay’s primary focus is on management, sales, and technology issues in industry focusing on software and security. Jack brings expertise in learning, coaching, and software options at every level to ensure the company is successful at people, strategy, execution, and finance.
When Jack isn’t working, he is a Board member at the women’s international cycling union (The Cyclists’ Alliance), contributor to various cycling websites, hockey player in the Bundesliga, and involved in various InfoSec and FinTech conferences.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.