NICE Working Group
The Workforce Management Sub-Group has prepared a draft of "The Resilient
Workforce: Cybersecurity is Everyone's Job," and we are requesting your
feedback.
This guidebook provides things to know, and things to do, for everyone in an
organization, regardless of type or size (publicly-traded corporation,
government agency, non-profit, small business, etc.), with guidelines
organized by essential business function, in order to engage the entire
workforce in securing the enterprise. It is intended for the general
audience, which may not otherwise be knowledgeable about, or interested in,
cybersecurity, but may be receptive to tips on what they can and should do.
It is therefore designed as an entry-point into the topic, and can be read
as a complete guide, or by each business function as standalone guides.
As you read this, the Co-Chairs and Co-Editors ask that you consider the
following questions:
* Does this guidebook effectively address the objectives outlined in
the Introduction?
* What would make it more impactful and useful?
* Have we achieved the right balance between breadth (broad enough to
be easily accessible and applicable) and depth (specific enough to be
useful)?
* In the first section of each business function, does the paragraph
"You likely spend more of your time"... add value, or should it be
eliminated?
* What additional job titles/roles are needed for each business
function?
* Should common tasks identified in the "What you need to do" section
of each business function be consolidated into Appendix 3: What Everyone
Should Do, or kept in each business function in order to provide a
stand-alone "tear sheet" for each function?
* Is there a better description for the business function "Facilities
and Operations" so that internal operations, customer-facing product/service
delivery, and physical systems are all included?
* Should additional content be added to address supply
chain/third-party risk? If so, how?
* Should additional content be added to address knowledge management
and data governance? If so, how?
* What other references should be included in Appendix 4: Where to
Learn More?
The document, and an online survey for feedback, is hosted on its webpage:
https://www.nist.gov/itl/applied-cybersecurity/nice/about/working-group/workforce-management-sub-working-group/workforce
Thank you!
With just a quick glance that looks like a very good starting point for a solid cyber stance for organisations. And yes, supply chain / third-party risk should definitely be mentioned strongly - procurement processes need to take into account external risks to the business and ensure that those engaged are also taking cyber-hygiene seriously.
This note is not a comment on the new NICE document; I will look at that draft later to decide if I have meaningful comments to submit to NIST.
For now, these are thoughts on the general statement, “Cybersecurity is everyone’s job.”
Such a claim is logically equivalent to declaring any of the following:
* Occupational safety is everyone’s job.
* Workplace sanitation is everyone’s job.
* Workforce diversity is everyone’s job.
* Business development is everyone’s job.
While most of the workforce should know all of these business needs are organizational goals, we don’t, or at least should not, try to divert attention away from primary job focus to a long laundry list of “stuff someone needs to take care of.” Can you imagine the level of quality performance if a department manager stopped to empty every full trash can she passes in the building? How about the head accountant scrubbing all the sinks in the restroom before returning to the office? Should the IT Director of an insurance company take time to meet with the executives of a customer corporation considering changes to their employee life insurance program?
The U.S. Army recently acknowledged the impact of so-called “ancillary training” that had become so heavy that soldiers have not been able to build and maintain high capability in primary jobs, like, you know, infantry combat. For discussions on the Army action and reasons for it, see
Army Cuts Some Mandatory Training and Other 'Burdensome' Requirements
https://www.military.com/daily-news/2018/04/25/army-cuts-some-mandatory-training-and-other-burdensom...
and
The Army just dumped a bunch of mandatory training to free up soldiers’ time
https://www.armytimes.com/news/your-army/2018/04/24/the-army-just-dumped-a-bunch-of-mandatory-traini...
and
Good news, soldiers: The Army has slashed even more mandatory training requirements
For my own discussion on the mistaken idea that, “Cybersecurity is everyone’s job,” see my 25 minute presentation at INFOSEC World 2016,
Why Won’t They Follow the Rules? Maybe It’s the Boss’s Fault!
https://youtu.be/VhkH3BfWcd8
I owned my own IT consulting company in the DMV (District, Virginia, Maryland) region for many years. Did a lot of laps around the beltway. If this document was intended to reach those small to medium-sized businesses that I served, it won't easily. I chose my target customers by who they employed - roughly those companies that employ 80% of the American workforce, had vertical markets that interested me, or needed services that I offered. Most of those companies are lucky to be maintaining their payrolls and rent for their facilities and setting aside a small amount of money for lean times. They could barely afford my reasonable rates for IT services when I was performing them. Now I provide PKI and CAP consulting to Federal Agencies.
This document takes on the personality of the large group of heavy hitters that wrote it. It uses vernacular and industry buzzwords that Jane Doe, Operations Manager of Beltway Printing Company, is not going to understand. If she has an IT consulting firm that is somewhat knowledgeable about cybersecurity, they may have some idea of what to do, but there is no guarantee of that.
I'm not sure how this document would ultimately reach the target audience. No one is going to be bored at work and say to themselves "I think I'll hop onto the NIST website and read their publications".
I think the target should be the IT consulting firms, the BBB, and any other organization that supports small to medium size business (non-profits).
Just as a note on your title: I used to start the topic of personnel management and security awareness with the note that we frequently cite "Security is Everyone's job," along with the truism that "Everyone's job is Nobody's job ..."
I've included some comments on the NICE document in the discussion under "Should everyone become security professionals?"