Remarks at the International Cybersecurity Championship and Conference

On behalf of NICE and the United States federal government, I want to extend my welcome to San Diego and the United States for the International Cybersecurity Competition and Conference.

I wish to congratulate all of the athletes who are competing in this year’s games.  I know that this week is the culmination of a year or more of hard work and dedication.

I also want to thank the coaches who have mentored, trained, and supported the athletes.  You are inspiring and motivating the next generation of cybersecurity professionals.

And, thanks to all the financial and in-kind sponsors who have made this conference and competition possible.  While NICE and the National Institute of Standards and Technology or NIST are proud to be a founding partner of the US Cyber Games, we know that our grant award is just a small portion of what it takes to prepare the athletes and run events like this throughout the year.

To all the athletes in the room or watching online, you are participating in cybersecurity competitions because you already have a taste of what working in cybersecurity will be like.  But your brothers and sisters, cousins, friends, or classmates may be unaware of the variety of types of careers that cybersecurity has to offer.  We encourage you to be ambassadors to help convince new generations of young people to discover and explore a career in cybersecurity.

Cybersecurity careers are not just available or possible for youth and young adults.  We need to ensure that anyone with the aptitude, attitude, ability, or interest in cybersecurity are presented with opportunities to reskill or upskill into the profession.  Whether it is participating in a training bootcamp, returning to a college or university, or enrolling in a registered apprenticeship program, there are a variety of different learning pathways for working adults to enter the rewarding field of cybersecurity.

I expect that many of you participating in this competition have acquired and are building technical skills that will lead to a career in the Protection and Defense of organizations.  Roles such as cybersecurity analysts, threat and vulnerability analysts, penetration testers, and incident responders are critically important to enterprises.  This is what the NIST Cybersecurity Framework might refer to as the functions of Detect and Protect.  In the world of workforce, we think of this as Cyberspace Defense.  That is why in the United States we have a growing number of colleges and universities seeking designation as Centers of Academic Excellence in Cyberspace Defense.  As exciting as this category of work can be, I often refer to this as the Reactive side of cybersecurity as we are constantly working to address risks in technology that result from vulnerabilities in products or services.

Similarly, the information technology and operational technology staff of organizations Operate and Implement the technologies – both developed in-house or procured as commercial off the shelf products.  These roles range from network administrators, to system administrators, to technical support staff who play a critical role in implementing, integrating, and securing networks, systems, and data. While their primary function or purpose may not be cybersecurity, we are increasingly reliant on technology professionals to mitigate the risks of insecure products or services.

Consequently, an overlooked and increasingly important set of roles in cybersecurity are those who Discover, Develop, or Design products and solutions.  This is where more Proactive cybersecurity can occur.  In the United States, there is increasing attention to building products that are Secure by Design that also include Privacy Protections.  While secure product development is not novel or new – in fact, security professionals have been calling for this for years – there is increasing pressure from consumers of commercial products and services, including the United States federal government, to create incentives if not regulation to make security the expected standard before products go to market.  That means we will require a new cadre of software developers, product designers, and technology architects who have learned cybersecurity and privacy principals and put them into action in companies who are part of the supply chain to enterprise customers.  We can expect Supply Chain Cybersecurity to require more professionals on both the supplier side as well as consumer side to meet this growing process need.

If you are not drawn to a technical role, there are many other leadership, management, or functional roles that focus more on process.  Ultimately, the cybersecurity of enterprises is reliant on effective Risk Management and there are a range of roles in the fields of Governance, Risk, and Compliance to be filled.  Ultimately, C-level executives and boards of directors are responsible for the Governance of the enterprise – to include the assignment of roles and responsibilities and provision of resources to minimize risk and allow organizations to fulfill their mission.  There are also roles for legal advisors, policy developers, compliance officers, procurement officials, auditors, risk managers, and human resources or talent management.

We also need professionals who focus on the development of people – both those will assume significant cybersecurity roles in organizations as well as all employees within organizations who need to learn and practice safe online behaviors.  These individuals may also serve as teachers and faculty at our schools or institutions of higher education and are part of the in-demand workforce.  The instructors who facilitate training are part of the cybersecurity workforce.  And those who design curriculum or develop credential programs such as degrees, certifications, certificates, and more are needed as part of the overall ecosystem. Employees, students, and consumers also need to be regularly reminded and informed of their responsibility for keeping networks, computers, and data safe, secure, and private.  So, we need individuals who develop and implement Cybersecurity Awareness and Behavior Change programs.

Finally, we do not live in a perfect world where ALL products are secure by design or where technologies are implemented in a way that maximizes security and minimizes risks.  In fact, our greatest vulnerability are People or Humans – whether it be threats that come from bad actors or nation states, the insider threat of a disgruntled or mischievous employee, or the social engineering of employees or consumers that leads to data compromise or loss, fraud, identity theft, or business disruption.  That is why we need individuals in enterprises as well as Law Enforcement that can help organizations Respond and Recover to events (again, two NIST Cybersecurity Framework functions).  The responsibilities range from the coordination of incident response, to conducting digital forensics, to re-establishing business continuity, to cybercrime investigation and prosecution.  For individuals with the curiosity and skills in problem-solving, this may be a very attractive and rewarding set of roles to pursue.

I would be remiss if I did not mention there are other roles that are typically not performed by companies or private sector organizations but reserved to governments.  These offensive cybersecurity roles are appropriately restricted by law and can include functions such as intelligence gathering or cyberspace operations. 

Each of these categories of work that I just described are contained within the NICE Workforce Framework for Cybersecurity or NICE Framework.  If you are not familiar with the NICE Framework, I invite you to stop by our table in the Exhibit Hall to pick up a one-page description or ask us questions.  The NICE Framework provides a common taxonomy for describing cybersecurity work.  It is used by employers to conduct assessments of their workforce staffing needs and to build position descriptions.  It is used by education and training providers, including competitions, to ensure that learners are developing the knowledge and skills needed by employers.  And as a learner – whether a student, job seeker, or employee – you can use the NICE Framework to identify the right career path for you.

I want to close with a few reflections on some of what I heard yesterday.

First, you all are AMAZING.  The fact that you are at the Championships and rose to the top of the talent within your respective countries and continents is a testimony to your skills and determination. 

Second, I love the motto from Team Europe: “Let’s Amaze Our Brains”.  There have been a lot of comparisons of cybersecurity competitions to team sports – and all the analogies are well placed.  However, a soccer player or marathon runner is preparing their BODY for PHYSICAL FITNESS and ENDURANCE.  While there will be the need for endurance the next two days, you have been exercising and training your BRAINS for the mental fitness that is necessary to win the International Cybersecurity Championship.

Finally, while you represent 7 teams from multiple countries and continents, we are of ONE COMMUNITY – the Cybersecurity Community.  As Jessica Gulick mentioned during her opening remarks yesterday, today and tomorrow you are competitors but on Friday and beyond you are colleagues working towards a common mission to DEFEND CYBERSPACE.  And although we may speak different languages, use different currencies, and have different cultural values, we are UNITED in our need to raise up the next generation of individuals who will contribute to not only SECURING CYBERSPACE but BUILDING MORE SECURE TECHNOLOGIES to make cyberspace a safer space for all.

Good luck in the competition and best wishes to all of you in your careers.