Increasing the Overlap Between IT Security and Domain Expertise
A note to the reader: here at DomainTools, we usually use the word “domain” to mean something very specific, namely, a domain name on the Internet. In this article, we use the word in the sense of domain knowledge: knowledge of a particular area of human endeavor or specialized discipline.
Cybersecurity is something virtually everyone has to worry about or at least be aware of. Over the past 5-10 years, organizations and industries that traditionally had little to no information technology (IT) components or staff have become increasingly focused on hiring cybersecurity talent and/or acquiring products or managed services to help protect their information and technology assets. Industries such as manufacturing, transportation systems, water and wastewater, emergency services, and many others are turning their attention to how to protect their devices and infrastructure from cyber threat actors. Even industries with long-standing regulation in this area (healthcare and public health, energy production and delivery, etc.) are struggling with cyber preparedness.
Funding cybersecurity can often be a challenge in industries that are developing new capabilities or adopting newly connected technology. Even when funding isn’t an issue, talent is hard to come by. Many industry experts have been suggesting for several years that we are in a cybersecurity hiring crisis—meaning that there are more open jobs than there are qualified applicants. As organizations begin to develop a cybersecurity staff, program, or culture, they usually uncover an additional problem: professionals trained in traditional IT security programs are not adequately prepared to deal with domain-specific concerns in organizations whose primary assets to protect are not traditional IT systems.
Industrial control systems (ICS) are a perfect example of this disconnect. ICS can be broadly defined as any system that uses computer software to control physical processes, such as industrial machinery. ICS are often built on embedded processors running real-time operating systems, unlike general-purpose multitasking systems. Real-time systems are used where timing is critical: a control task must produce its output within a fixed deadline on every cycle. A typical computing platform allows the operating system kernel to preempt, swap out, or delay applications based on demand, usage, security, or other concerns, and a control task cannot tolerate that kind of delay. Many traditional security and information assurance tools, such as antivirus scanning or encryption, add latency and jitter that are unacceptable for real-time embedded systems. These systems place the physical safety of the machinery and its operators above information security needs.
ICS are only one example of a type of system that is not well suited to traditional IT security techniques. It’s not that we can’t protect these systems, but we need to integrate domain knowledge and expertise with cybersecurity concepts to find new ways to protect these systems and their data. Most organizations whose cybersecurity needs don’t fall under the definition of traditional IT find that the Venn diagram in Figure 1 represents the knowledge overlap between their IT security hires and their subject matter experts.
Traditional IT security concepts such as privilege separation, defense in depth, separation of concerns, and segmentation can be used quite effectively in a wide variety of domains. To be truly effective, however, these concepts must be applied with knowledge of the domain: segmenting an ICS network, for example, requires knowing which controllers must exchange traffic, and on what schedule, or the segmentation itself can break the process it was meant to protect. A one-size-fits-all approach will often be ineffective at best. This is why security researchers will tell you to invest in people before tools or technology. For a cybersecurity program to be truly effective, security staff must be cross-trained with domain experts. This means not only educating the staff who run core business components about cybersecurity (to prevent compromise via phishing or social engineering) but also educating the cybersecurity staff about the domain they are trying to protect.
There are a number of innovative approaches to teaching cybersecurity that incorporate interdisciplinary knowledge, but universities, trade schools, and certification programs need to do better. Cybersecurity is not primarily about tools and techniques; when practiced most effectively, it is about using critical thinking and problem-solving skills to apply learned concepts to domain-specific problems. That means cybersecurity programs need to include not only information assurance coursework, but also traditional computer science concepts that help graduates understand how computers work, interdisciplinary coursework that helps students see how information assurance concepts are applied, and traditional liberal arts that encourage critical thinking and problem solving.
I’ll be participating in a cyber defense competition at Argonne National Laboratory this week. Competitions like these are one of the ways educators are trying to raise awareness of cybersecurity and build skills in the applicant pipeline. Other strategies are growing in prominence as well, such as cybersecurity apprenticeships. There is no silver bullet, but as our society grows more connected, we need to do more to infuse security into our knowledge of how our connected world works.
After the competition next week, I will follow up with a blog post about lessons learned and reactions from the students, as well as ideas on how security-savvy companies can get involved in building a better cybersecurity workforce.