The recently formed task force convened members of the private sector, academia and public sector for a four-hour session Aug. 19 that aimed to identify the state’s pressing cybersecurity needs, current resources and helpful next steps. The group plans to develop a list of recommendations by early 2022 that will advise the governor on what the government can do.
To kick off its efforts, the task force aims to establish several subcommittees that will each dig deep into a core cybersecurity topic. Meeting-goers developed a tentative list of focuses, including critical infrastructure protections, election security, education and workforce development and improving the general public’s cyber hygiene and awareness.
Further proposed subcommittees would examine unlocking federal and state funding, economic opportunities and risks and the general types of products and services that would best defend organizations from external cyber threats.
KEEPING TALENT
The number of open cybersecurity positions in Idaho rose 28 percent in 2020, as demand grew across sectors, said Tom Kealey, co-chair and director of the state Department of Commerce.
But Idaho isn’t the only state — or nation — hungry for cyber talent and the shift to remote work means geography no longer limits who can poach your staff. Idaho Information Technology Services Director Jeff Weak said he’s seen technology security staff depart to far-flung companies offering better pay and remote work convenience.
“I’ve lost five guys in the last three months to other companies that are in California, and lost one to a multinational company in Sweden. All over the place,” Weak said. “They can double their salary… and they can stay at home.”
TRAINING THE NEXT EMPLOYEES
Even organizations that are eager to hire to fill — or refill — their cyber ranks can find it difficult to make use of the talent entering the workforce, however. Any new hire takes time to get up to speed, and this goes doubly for fresh graduates who may have stellar academic credentials but little real-world experience.
Vasko previously ran several startups and said that he and other CEOs typically encounter a so-called “activation gap” of six to nine months before new university graduates turn profit for the company. During that time, the new hires are still learning core skills and company-specific information.
Organizations with stretched-thin IT teams cannot spare senior staff to mentor junior employees, which prevents the organizations from hiring anyone they have to train at that level, said Domini Clark, CEO of Blackmere Consulting, a recruitment firm focused on mid- and executive-level cybersecurity and technology roles.
Apprenticeships, internships and adjustments to higher education curricula to incorporate more in-the-field experience could reduce the amount of on-the-job training needed, attendees said. Vasko added that students given a taste of different cybersecurity careers could better determine which ones suit them.
Co-chair and Idaho National Laboratory (INL) Associate Laboratory Director Zach Tudor cautioned, however, that school-to-career pipelines shouldn’t narrowly focus on preparing pupils for specific companies. Instead, higher education should teach students to think in ways that will be applicable to many roles throughout the industry.
“Industry wants to be able to put that [real-world experience] learning curve back onto the universities, but they can’t make every student ready for every employer,” Tudor said. “So what can we do to prepare them [students] better to learn?”
Several initiatives look for talent beyond the university campus, too. Weak said his agency just started participating in a program that sees army veterans intern for government as part of their transition into civilian life, for example. Tudor also said the INL intends to create a cyber range, which would let cyber professionals practice reacting to mock cyber attacks.
Screenshot
INFORMING THE PRIVATE SECTOR
The task force examined government options for better supporting private-sector digital defenses.
Tudor suggested the state can help companies — especially those too small to afford their own designated cyber experts — by taking federal cyber information and translating it into actionable, easily digestible advice that the state would also tailor to suit different kinds of companies.
“Actionable” may be a key word when working with private firms. Lisa Grow, CEO of electric utility Idaho Power and its parent company IDACORP, said that the threat intelligence from government agencies is often too vague to be useful.
“They’ll say… ‘There’s something bad about to happen here in industry, we see it coming and we just can’t tell you,’ and that’s just so unhelpful,” she said.
Grow recommended officials at least tell firms the security clearances they would need to obtain to be able to learn more detailed information.
CYBERSECURITY LENS
Attendees spoke to the need to better ingrain cybersecurity awareness in the thinking of both government officials and the general public.
No industry or project is immune from digital attack and so the state must budget cybersecurity funding into every initiative, said Idaho Office of Emergency Management Director Brad Richy.
Many attacks also could be headed off by ensuring residents have the know-how to recognize phishing or other ploys and avoid risky online behavior.
But attendees said that cyber warnings and advice often simply don’t reach intended audiences.
The public largely continues to perceive of hackers as lone actors operating out of their parents’ basements — rather than the sophisticated, organized criminal operations they are today, Clark said. She recommended launching public messaging campaigns aimed at conveying the full gravity of the threat.
Toni Broyles, University of Idaho special assistant to the president, said as well that there are plenty of existing cyber awareness resources aimed at kids, but these simply aren’t being presented through the right social media channels to reach that audience. She spoke of ongoing efforts to assess gaps in reaching seniors, veterans and other populations as well.
TAPPING RESOURCES
The task force isn’t the only one taking a crack at cybersecurity, and Bank of Idaho CEO Jeff Newgard recommended the group prioritize getting a full understanding of existing efforts before launching their own. Weak said, for example, that a public-private cybersecurity consortium helmed by the state CISO has also been addressing workforce development.
Money may also be coming down the pipeline that could bolster many cyber efforts. The task force counts state Sen. Jim Risch’s chief of staff among its members and Kealy said this inclusion of a federal government perspective will give the state insights that can help it be more competitive in grant applications.
The task force will hold its second meeting on Oct. 5.
