At the end of July, Certification Magazine was in Chicago attending the CompTIA Academy Educator and Learning Partner Conference. It was definitely "two-and-a-half days of power-packed programming," with lots of cutting-edge ideas and industry experts discussing the challenges and opportunities of tech training and employment. One of the more interesting exhibitors was Excelsior College and their National Cybersecurity Institute (NCI). NCI is doing some important things in the field of cybersecurity training. Unfortunately, due to an already full dance card, we didn't get to spend much time visiting.
To better understand NCI and its mission, CertMag exchanged emails with Jane LeClair, NCI's Chief of Operations. Here's what we found out:
Q: Tell us about NCI. What does the organization do, how did it come about, and who is in charge?
Jane LeClair: National Cybersecurity Institute is an academic and research center and our mission is to assist government, industry, military and academic sectors to meet their cybersecurity challenges.
NCI came about when I was dean of the School of Business and Technology at Excelsior College, a nonprofit, Middle States accredited online institution in Albany, N.Y. Noting the growing importance of cybersecurity, we developed six cybersecurity programs to help meet the country's need to educate the cyber workforce. NCI at Excelsior College was designed to help meet those needs. I was subsequently named Founder and Chief Operating Officer of the NCI at Excelsior College here in Washington, DC.
NCI also offers the latest vendor-neutral IT security training from CompTIA, EC-Council, and (ISC)², as well as specialized and customized courses - all based on competencies that align to industry-issued standards and guidelines.
Q: NCI's Vision statement is to "influence an informed leadership base that implements cutting-edge cybersecurity policy." How are you accomplishing that?
LeClair: We are doing that in a number of ways. We have established the National Cybersecurity Institute Journal that provides readers with scholarly articles on a variety of cybersecurity issues. NCI also offers an ongoing series of cybersecurity blogs and webinars in areas of relevance to workforce needs.
In addition to the college's cybersecurity degree programs, NCI offers training to prepare for various certifications, as well as training for specific groups with a focus on small businesses. We have written a number of books on cybersecurity. Presentations are also part of NCI's goals to help educate others on cybersecurity.
We are often called upon by the media, in the United States and internationally, to provide timely information as it arises. This spring I was asked to testify before a Congressional Committee on the need for cybersecurity in small businesses. So we are doing a good deal to promote cybersecurity.
Q: Excelsior College is designated as a "National Center of Academic Excellence in Cyber Defense Education." What did that entail?
LeClair: Application for the CAE is essentially a self-study process where colleges look at the cybersecurity programs and cybersecurity at the college as a whole. While not an accreditation, this highly regarded designation required us to identify all the cybersecurity measures in place at the college and NCI and identify all the resources, opportunities, and activities we offer to students and alumni. We also gauge our commitment to furthering cybersecurity and continually improving our offerings.
Q: Since it seems as if no organization is 100 percent secure from hacking, what should an organization's goal be when preparing their IT security?
LeClair: If there were a magic "cyber-bullet" that we could use to defeat hackers, we would long ago have utilized it. In truth it is very difficult to keep "bad actors" out of digital systems - even the White House was hacked! The best you can do is make it very difficult for hackers to intrude. So it's a People, Process, Technology combination that works best:
Educate your people from top to bottom, have sound cybersecurity policies and procedures, and utilize the best technology available - and keep it up to date. Ideally, comply with the National Institute of Standards and Technology (NIST) Framework and work to develop a cybersecurity culture within your organization.
Q: What sorts of professionals does NCI recruit?
LeClair: NCI is always looking for people who are interested in cybersecurity from the vantage point of assisting the workforce. NCI fellows and board members are supporters of continuing education for the community as well as the workforce, and volunteer countless hours to help raise awareness in the field. Special focus is given to practitioner research and increasing numbers in the field, especially to assist in raising the numbers of women and minorities in cybersecurity.
Q: The "social engineering" aspect of cybersecurity is a wide-open area. Could you elaborate more on that?
LeClair: Over three-fourths of all cyber breaches first experience a non-technical reconnaissance - from a dropped flash drive that is infected, to a phishing email, to a fake fire inspector, to a socially engineered phone call. Social engineers are old-fashioned con artists dressed in the cloak of technology. They are clever, experienced and good at getting people to break regulations and policies and provide them with information or access. Once they get that tiny bit of information they leverage it upward.
Cyber-criminals are clever. I know of several different groups that have had someone come into an office after hours, when the cleaning crew is there, carrying computer boxes and dressed up nicely as a technician or something. They say that they are doing work for the organization and need to drop the boxes into someone's office. They convince the cleaning crew to let them into an office and they can then access the computer system.
Another tactic is to nicely ask the front-desk people for something. They say, "I'm here to see So-and-So. Do you know their title?" and so forth. Or, "I have an interview and forgot to print out my resume, can you print it from my flash-drive?" Additionally, if the back of a person's computer is easily accessible, a cybercriminal can slip a key-logger into a port and gain access to the system. People don't realize they have allowed a breach. Most aren't even aware that these tactics exist.
Q: Cybersecurity is a huge issue for health care insurers. Why, and what is NCI doing to help out?
LeClair: It is a HUGE issue, especially with regard to HIPAA regulations. Also, more and more records are electronic and being compiled and shared - and the more things are shared, the more vulnerabilities get introduced. National Cybersecurity Institute has devoted chapters in our books to cybersecurity in health care, and we have addressed it in our journal and in webinars. In addition, we have written about all 16 Homeland Security Critical Infrastructures in our Protecting Our Future: Educating a Cybersecurity Workforce series (V1 and V2).
Q: Criminals can sell a person's health record for about $50. Why are the health records so valuable?
LeClair: They contain all sorts of Personally Identifiable Information (PII): names, DOB, e-mail and home addresses, next of kin and contact information, SS numbers, credit card number, driver license info, insurance information, prescriptions, and other health information. All of that could be used for any number of nefarious purposes, from insurance fraud to social engineering and blackmail.
Q: Hackers are increasingly sophisticated and creative. What issues does NCI see arising in the next five to 10 years?
LeClair: With the way technology is evolving, and the increased sophistication of cyberattacks, we are going to see increased numbers and levels of attack due to the increased connectivity of the Internet of Things (IoT) and use of mobile devices. Attacks are also going to become more sophisticated as hackers evolve to combat the barriers we are throwing up.
Q: What tools, resources, and strategies do you think will be necessary for companies to employ to stay ahead of the ever-increasing sophistication of hackers?
LeClair: They are going to have to increase their IT budgets substantially to counter the threats; the C-Suite must see it as a higher priority, both from a technical standpoint to ensure software and maintenance is top notch, as well as ensuring that firms have clear policies and that those policies are constantly followed with ongoing employee training. Cyber-insurance will become a focus. Tools: the latest and greatest hardware and software, well-configured firewalls, strong cyber adherence to cyber policies and creation of a cybersecurity culture that builds a strong workforce with a questioning attitude.
Q: You're a well-known advocate of more women in IT. How is the effort going?
LeClair: Women who have succeeded in IT are acting as role models, and there is a growing cadre of support from women to other women. While numbers in IT are still quite low, somewhere between 11 and 15 percent, grassroots efforts are still a large portion of the ongoing efforts to build the workforce.
We need to take advantage of the opportunity to recruit women into IT. Women have always come to the aid of our country in the past when needed, like "Rosie the Riveter" during World War II. There are large numbers of women who can move into the cyber workforce to meet the needs of our organizations today and in the future. Organizations are realizing there is a huge shortage of cyber professionals and they need to recruit and hold on to the women they have.
I have advocated for the establishment of funds to support women who have a financial need and offer a Scholarship for Women in Technology with a focus on Cybersecurity. We need to push that effort forward to get women in the tech pipeline. I always encourage that in my presentations.
Q: You mention that women have the right stuff, "an intuition or sixth sense" that may enable them to anticipate vulnerabilities and be more creative with solutions. Why is that?
LeClair: To be a really effective cyber person, I believe you need to be both left- and right-brained. You need to be left-brained with a good grasp of technology. You also need to be right-brained: You have to be creative, to think outside the box on how hackers will strike next, and then outwit them.
Women are often more attuned to body language, emotions, and differences that stand out. While the importance of education and training cannot be diminished, bringing a variety of individuals into the cyber workforce who look at situations from a different vantage point will increase our ability to defeat bad actors.