Skip to main content

tv   Key Capitol Hill Hearings  CSPAN  July 31, 2016 2:00am-4:01am EDT

2:00 am
people want something they can understand. the banking system is important to our lives and we want something we can understand. when something is very difficult to understand there is a temptation to say, it must be easier than that. as you know in your own life, it is not easier than that. it is incredibly complicated and difficult and i do not think we will find perfect a >> at c-span's washington journal live every day with news and policy issues that impact you. , senior writer and co-author of the almanac of american politics will join us to discuss where the presidential race stands.
2:01 am
wilsoneone from the center will join us to talk about the suppose it hacking of the e-mails at the dnc by russians. it c-span plush washington journal beginning live at 7:00 a.m. eastern on sunday morning. join the discussion. >> this sunday night on q&a, journalist discusses his book. isat looking at bothering it trying to capture the complexity of human beings and fathering is a way in to care there and we tend to think, this is a bad guy, this is a good guy. but a lot of these men had different parts. they were competitive -- compartmentalize. some could do amazing things. some could be horrified.
2:02 am
>> coming up sunday night on c-span q&a. >> next, a look at what the federal government is doing to address cyber security with the homeland under secretary for cybersecurity. developing the cybersecurity workforce from the center for strategic and international studies. this is just under two hours. >> good morning. welcome to csis. we are having probably the last event of the summer so i'm grateful for all come out on a particularly hot day. on the other hand, we are not going to talk at all about the conventions so you can look on the bright side. we are going to talk about workforce and shortage and how to change that. so the schedule for today is that we live deputy undersecretary phyllis schneck who most of you know of course
2:03 am
provide opening remarks. we will then follow up with remarks from candace worley from intel security. phyllis will then take questions and we will have a panel that will be introduced to you later. the study we did is interesting that was a global survey and some of the results were unexpected. you send a survey out you never know what you would get back. one of the things i didn't expect was we asked executives around the world what the things you find that are useful for building cybersecurity skills effort building a workforce. they said three or four things which the speakers would say about but the one that stood out for me out of going to do a spoiler is they said gaming. gaming experience was useful for building the cybersecurity workforce. so those of you who played pokemon go on the way over, we have an opening for you.
2:04 am
let me introduce our speakers. phyllis schneck as the deputy undersecretary for communications in cybersecurity in the national protection and programs directorate of dhs and she is the chief cybersecurity official for the department of homeland security but on that point to read her whole bio because it's longer than the actual report. phyllis has done so much that it's incredible. she was previously at mcafee word she was a ceo for the public global sector. cybersecuritye commission eight years ago on the cybersecurity. she was chairman of the board of directors for the national cyberthreat training combines which we denote which was a partnership between law enforcement and corporations. she was the chairman of the fbi episode. i am just giving you the highlights, by the way.
2:05 am
and she was the chairman for women leaders in information security. i think repeatedly. and she was in the private sector before mcafee and, of course, a doctorate in computer science from georgia tech. nice campus. and comments set of skills. i was kidding candace on the way in here and that she needs to pad her resume a little bit more. but candace is also one of the leading experts in security pictures vice president for enterprise solutions and marketing in intel security group at intel corporation. has been both at intel a prior to that mcafee for 16 years, recognized throughout the industry, well-known speaker to many of you. tremendous abilities in predicting future trends which is one of the things i hope to talk about today. i think i will stop there and you can say more.
2:06 am
we have two very powerful speakers to open the event and then we would go over to the panel. i think what we'll do if phyllis has time she will stay and take a few questions. if time permits. with that, phyllis, please -- . phyllis: thank you. good morning. thank you. it is an honored to be here. thank you for all the many years of getting to work with you at all the work you do in this you. thank you to the audience for big i know this is your day job appreciate the fact you get 500 e-mails later to read because you here. i appreciate the effort. important topic. many thanks to intel security for writing the report. for all the work the dissemination of the world can see the work, to patrick arnold for many years and pakistan's a lot of work a lot of work for this interest as well as including make sure someone with private partnership meetings at the capitol had gotten set up correctly out west.
2:07 am
finally, to candace and many of us look at as a role model. is a pleasure to be at and it's a humble experts to talk but we need so much but what is the sheer is what we have in the department, where we going and cyber and why we need such a strong pipeline going forward. we need to come to this thing with all we've got. many of you of have heard me say before the cyber adversary has no lawyers. how many lawyers in the room? so no offense. cyber at this rate has no laws to protect to follow nothing have to do right. they have plenty of money and all the to do is execute and they only have to be right once. we protect the way of life, because i visited as it intersects our electric grid, railways, water, banks and everything we do. if i cannot eat it, it does
2:08 am
probably lit up and electrified. we have to make sure going forward it's not about blocking everything that is exactly as gibbs attempted skimming it, understood what the risks that we managed. how you can build things and i would make a world more resilient so the cyber of us are onto something and, two things happen. we remove all of the noise so we would notice it and the of the dress and what does come in attitude and try to execute someone else's instruction on your computer make something that happened, your computer will be the event it or notice at the when it notices it it needs to to everybody else. "see something, say something." what we do is look from the cyber perspective is look at how would the technology more enjoyable. how we can keep things like consumer electronics a lot of fun, how we can look at this explosion in internet of things as a really good thing because going forward we with to protect that technology and encourage the private sector to innovate.
2:09 am
and i am from private sector so i will say to make a ton of money because then you can innovate more and make better things for us in government and others to consume. my addition to our vision was the self-healing ecosystem. help the cybersecurity and the connected ecosystem work like the routing system. when you send traffic to go from machine to machine and if one machine is unavailable or sick or not working, the our protocols that were everybody of that at last he was replaced machine but nothing stops the data we have to work in cybersecurity. they made jokes at me at my going away party about what a you doing when i announced i was going into government. i will say i walked into the planet.eam on the i have 2000 and the finest scientists i have ever seen. i oversee all of the cybersecurity of operations so that incident response, the 21st of operations center, the billy to rip apart malware and no where came from, the work in partnership and outreach and education, and training at all these cybersecurity and
2:10 am
operations. federal law enforcement partners, u.s. secret service, part of the department of homeland security on investigations are just part of immigration and customs enforcement and certainly our brothers and sisters in the fbi and intelligence committee. how do we do this? we need more people. i need to grow that team. part of the challenges been as a look at this, this is a top priority, a priority to my boss undersecretary suzanne spaulding and it is a priority to her boss. it's a top order to president obama. he put this in the cybersecurity national action plan. a lot of the things were doing is looking at what can we do as the department to make the only attractive folks to our department easier but how do we bring them on? when i first came and we looked
2:11 am
at what other things on our team that are amazing and great. i still making that list. incredible crew. when i go out, less often than it used to be but people don't want to know what the department did in cybersecurity. number two, that no data get into government. we are trying to make it easier. one is get out and talk about what we do. we are the folks back on airplanes. my team got an appointment with the ukraine when according many people lost their lives writer and christmas. we talked to go with all of the world. many thanks to those who participated. but how do we make sure people know what we do so if they think about working for government that can think about working for the department or other parts of our government. number two, how do we make it easier. i gave a keynote to about 500 people in silicon valley and somebody raised their hand and said are you trying to steal our people? i kind of laughed at that and i said, you pay them four times what i can right now so if i do, i'm flattered by that, and cool. but i do want to take people. we will talk about that in a few minutes. we don't want to steal.
2:12 am
what to create a new trend where a career and of learning from the millennials is this is the preferred way, whereas my grandfather worked at one company for figures and got a watch when he retired. the new careers do several different tours of duty is over to the places. we are hoping some of it will be in the government for the skills you will learn and the skills you bring back up to the private sector. we spent a lot of time with the outreach folks, one of our top experts in that we can mitigate with folks. lingon, wayne we work with the press -- when we work with the press. we want to get that 20% response and mitigation that high-energy, but this is not yesterday's government that we people that can committee what they do that with people that are the best in the basis that are constantly learning. they go upstairs and see things you would never see anywhere else. how do we attract people with the salary differential?
2:13 am
number one come a mission can usually draw i've enhanced answer to this extent i've ever had in my field. you get to see and do things and you get to see and do things and effect change and do positive things in ways you would never have imagined. one of the first things i realized was when they started showing me things, how much government does so that somebody like me never had to know about it. how do we show that? the department is look at several different things. wednesday streamline the hiring process. the are things we can't control. how long it takes to get a clear and to go through some of the other guiding processes. there are things we can control or management end of the part of the department of homeland security as is the secret service or the tsa, please but i think of the job is hard. management runs for us the financials and the way our department runs. many important functions are there. with are doing is saying what of the processes and hiring we can make faster for you? so, for example, if there's a long queue moving somebody passed somebody that for some
2:14 am
reason is not going to advance in the queue quickly, finding ways and automated processes to move those people forward. tracking people. i made a couple of key hires when i came in. believe it or not both of those people were already in government. i called them every couple of weeks to make sure that they knew we were still interested. even though the process takes a long time on some of the clerks side, making sure we get some customer service just like h.r. and the company we do. reaching out. also making it faster, streamline some the processes, automating some of the processes. things like a temporary job offer, today and tomorrow we are fair downtownob
2:15 am
at the omni. we will be able to hire people on site. assuming that has all the backgrounds and clearances we can bring in. we are looking at ways to say for your first few weeks on the job when you may not be declared, can we do some concurrent processing, no need for security process to process your insurance forms and figure where the offices. as look at the transformation, that's a word we use for really changing the national protection and programs directed in one key way. making sure our teams focus on the cyber response at our team so focus on the physical response haven't org chart. so combining the cyber economic side, report on this two years ago, but looking at would respond such as the ukraine convenient folks who understand keep 60 gig on both sides of the grid. you also need the folks understand the ip protocol to pick up what monitoring systems went wrong. make sure we bring our cyber and real-world systems together a more efficient way. as we do that we're hoping to attract people to suggest that say yes, then is something i want to do. i see an application for cybersecurity beyond the purely technical data hear about in the news.
2:16 am
cybersecurity goes into the actual way of life. we are looking at how the finest of this great report i could help us influence how we do hiring, talk to people. the are some great grass in the report. one shows how people focusing care most about promotion and training. so if we look at that, how do we show people they are actual career path? one of the things i did when i came in was i deliberately hired executives to work for me who are technical. skilledered my top people respected them more than people who were not technical. we have to show those top skilled people, those cyber ninjas there is a career paths for you that does not require you to go to management leadership or stay technical. you should not have to make that choice. you should be able to do it you do best. looking at focusing on
2:17 am
areas of spending, education, the dynamics of our actual environment and anything that can eliminate or us or our employees how to make settlement not only a more attractive place to go but an easier place to understand how to come into. weakederal workforce, as look at some of the programs, we have rodney leaders in here who is running a program. cybern look at a professional, people looking to join out with an ip background. federal,sionals in state, local. law enforcement. and helping some of the veterans programs to either target the folks into the cybersecurity part of government as well. there's a great program with an ice and homeland security wounded veteran programs that teaches them cybersecurity. i got to meet a graduate of that class back in 2013.
2:18 am
and these are amazing, smart people to return to bring it more and more of this mind share. we are currently recruiting the butall know about, we are also offering hiring for a more direct way. to me a lot of the folks doing the hiring and they can get temporary job offers for folks who coming today. we have a cyber shoot internship program but i've met a lot of high school students, show the our operation center so we found ways to bring students in. i spoke to a group called " girls who code." can imagine what it might be to talk about them. i credit my team for helping to enable folks. young women who have taken else some other not nerds to learn how to write computer code. they are cool. they just want to do something that does the things inside technical and they're really smart. how do we show them that world in a way that never seen before
2:19 am
but whether secretaries on a program which is very, very competitive for entry-level professionals that coming. we do a lot of work in helping people on career path how would you aim at every different part of your career, what do you want to do, and how do you aim towards someone who might want to go towards executive services. we do a lot of mentoring with employers and employees and how cando we help them get to those right places. one of the first times i realized how much students like -- light up and how much people light up when they go see what's going on the inside and i'll submit it was right after a brief our new secretary back in the winter of 2013. after he got the briefing on my vision and our vision and where we are going to go with cybersecurity of the next few years, he said, where did you go to school? and i said georgia tech. i could realize one of his staffers told me he didn't like powerpoint. we went to the ends of the earth. we didn't have a lot of choices to get markers and paper. i did not at the time that he did actually like powerpoint. and he thought it was utterly
2:20 am
ridiculous that his highest tech people were writing with magic markers. but he said, georgia tech, ok go i want to go down and meet where you came from. he planned a day where he also gave a big speech at morehouse, his alma mater in atlanta. they welcomed a new president and we visited the school. i must've talked about when it students, was able to bring in our cabinet secretary of the department who enjoy every moment of seeing the research project on meeting the students, ask me about the google last one that one glass gentleman was wearing. another came up and bragged he was a bitcoin operator. i did a lot of explaining on the way back. it was fun to watch the student say, well, this really goes on in government. and government came here and these people pretty much came in and wanted to talk to us and hang out and they are not all-star g and stiff. the students said they had a very good time.
2:21 am
that is when we realized we needed to find a way to attract these people. all the students i met with were very interested in coming to see how they could be a part of their career path going forward. our answeruch that now and this report will help us figure out how to build a bridge between the government and public sector. the pan i am wearing the secretary gave to me last week when we had a discussion about hiring and workforce and why he came to government. it is about our commitment and the unfolding commitment to make sure that we get the absolute best and the brightest. we do some amazing work. there's nothing my team can't do. there's no adversary they can't figure out. not big enough. i want to get the best and brightest. we will make your job a lot of fun.
2:22 am
that goes into a special program my burst -- my boss worked with along with intel. her thought and his thought was what do we do to do a joint program between private sector and government that enables people to get the financial benefit of working in the private sector, innovate, build and understand imports of building and shaping a market. how do we also let them have this experience in government and see things they've never seen before. i can say that the man our shop make sure skills the sharp dust. run,ill constantly constantly be excited and come out as sharp as you have ever been in your career. how can we give those skills to young students of they can transfer them over to t private sector are. indo a tour of duty government, private sector, and go back and forth with a couple really good options. one way is we have figured out a way to pay for the education in return for service to the government. and figure out a way to help
2:23 am
theyand a career path that would be mentors guided by both the government and the private sect or. we would build on the success of the program that we got a lot of good results from called scholarship for service that we call fund with the national science foundation. there must be 1000 students that come to that dinner. talkactually listen to our the food so i know they are interested. but they always come to us and said to want to come to teach us to come back and said i want to come back. we want to build on the success and say can you build programs that let typical between the government and private sector. our management director calls this a passport. if you just go and out. how do we build that professional so we have a new way, a new career path that is high impact, highly promotional and enables people to if we do it right, making the most money when kids go to college, so it's not a financial issue but you see the best of industry, the best of government and you can bring the best of both to each world. want other things we're doing
2:24 am
-- one other thing we are doing inside the hs is we found a way to use direct hire. so if you want to eight cybersecurity job and you do a good job we can actually hire you without going to the website process. whoave folks on the team have put together what i would payee and incentive pay. noticesbeen giving out to people so that they feel they have a career path. it is a great way to show appreciation. when we have coffee and cookies that is because something about them personally. so we have no real way to show appreciation but we can try to do this. i am very excited about what they are putting together. i think it is a trend-breaking ground breaking kind of move. you change a career. you create more people like
2:25 am
canada's and give them government and cyber experience and let them bring both to each and i think that will create along with more diversity, i am very big on, if you look at our adversary it is global. adversary.iverse if we address that with one demographic, when gender, one kind of person, we are at a disadvantage. i like to make my things as diverse as possible. if we focus on that, we will cause a lot of pain to a very large adversary. csi thank you very much to is, to jim, to all who wrote this great report. [applause] >> so, candace is cool. i was talking to her before the event. you have to here which is to say. --ore the lettuce sits down,
2:26 am
before phyllis sits down, the average lifespan of a political appointee in the federal government, 18 months. that means half of the lead after 18 months. how long have you been there? >> three years in september. >> so you are doing double the average. it's a tremendous sacrifice especially for someone like phyllis. so let's get for another round of applause. [applause] phyllis: thank you. i work with great people but it is truly enjoyable, so thank you. >> it's a difficult job and is a lot of sacrifice, so thank you. candace, do you want to come up? candace: thank you. as the previous folks said, thank you for coming today. i know you were also very busy. i also want to thank phyllis. she and i worked closely at mcafee.en she was
2:27 am
having known her skills and capabilities i just want to say i'm thrilled to death she is is a public service and she's involved in cybersecurity at a federal level. frankly, i sleep better at night that because i have incredible admiration and respect for capabilities and you should all be thankful she is the one taking this role a and she is helping us keep this country safe. i also want to thank csis for the great work they've done with us. they been a longtime collaboration partner with us. we work with them on a number of reports that we have created and i think this latest went around the talent gap is actually a one that is extremely important market.elevant to the i want to talk about the last couple years around, do we have a talent shortage. i think one reason we decided to do that report as we want to put that question to bed. i think many of the customers that we work with the company of agencies will work with you if there's a talent shortage because they have difficulty filling the roles they have open. we decided we wanted to put an
2:28 am
exclamation point at the end of that sentence and say that is absolutely a talent shortage. 82% of respondents others report concurred that have actually -- an extremely difficult time filling the roles in their organizations at every cybersecurity talent gap in terms of capabilities and knowledge and being able to get the right folks into their organization. are some fairly significant implications to that. req, whenave a open you have positions that are not filled in your cybersecurity organization, in all probability of either the people you have on staff are working 24 hours a day which means they're headed for burnout or they're probably not quite as alert the next what is -- as they might have been if they had had a good nights sleep. it also means you have some things that are probably not getting done. when you have open positions, you're probably going to look at the things that are least critical, not that they're not critical, least critical of those be the things that get
2:29 am
traded off. you can't ignore an incident that has occurred you have to do the incident response. you can't ignore potential breach that you suspect may have occurred. but you might delay that patching of the operating system or the application. d laying a patch in an operating system is an incredible gift to the hacking community because it is a private way they used to get into an organization and penetrate the ecosystem or the network. and so the talent shortage is, , in fact, putting or stationed -- organizations and companies at greater risk. we had about 71% of the respondents who felt their inability to get the right talent and find the people to fill the role is in fact increasing their security risk as an organization. many of them reported lost update as one of the potential risks of company can secure its it also has a reputation
2:30 am
implications either for the agency or the corporation. that gets into the press, gets to the customers that has been abridged and have a lack of trust in that organization from a security perspective. there at way a implications when you're unable to a full staff that's doing that everything from i call the janitorial of security, is patching and updating, a upgrading the current -- the current applications to a later version, all the way to responding to critical incidents, making sure that your network is as impenetrable as possible. there are serious implications. i personally thought was the interesting things was 50% of responders require a technical degree. a degree in computer science or mathematics. having been in this for 16 years without a technical degree, i
2:31 am
found that a rather interesting statistic because i've had a fairly good and long career in this industry despite the fact i didn't get a computer science degree. i have a management degree with a minor in computer science. there's a lot of psychology when it comes to hacking and penetrating organizations. so as i look at that degree i also noted that what companies were saying or survey respondent were saying although they want that technical degree there to a -- there are two more things -- two or three more things that were more important to them than a technical degree. one was working experience. the other was professional wasifications and the third hacking competitions. so although the required most of them required a technical degree, it was a third priority for the insurance of looking at a candidate to determine whether not there with the best for the job. things like that professional experience can hacking competition, professionals with
2:32 am
tensions they ranked more important. had an interesting dichotomy. i really want a technical degree but if you do not have experience or hacking competition or professional certifications, maybe you fall further down my recruitment list. so kind of interesting so specific and out of the survey. i think especially since were in washington any of you are involved with kind of government agencies, respondents felt universal across the globe that governments could be doing more, but they were not doing enough to help build the cybersecurity talent funnel. that government could play a more active role. intel security is being very proactive in terms of trying to work in partnership with governments as well as with some of our customers and with other vendors in the industry to try to figure out how do we solve this problem and build the security talent pipeline. we work with a number of universities, some of the government agencies in putting together programs that will help
2:33 am
to try to drive that pipeline development. i think we are also doing things at a very young age. we have a program where we have a set of materials that our employees can volunteer to use, go out to the local schools and teach online security to elementary students, junior high students and high school students. i personally have not had the courage to go to high high school and teach it yet because often times, those guys are more educated on security, on computers as most of the folks in our organization. but that elementary school and junior high, and am aware of it aside as an issue, being online is an issue and they need to be concerned starts to plant that seed in the mind that computers are more than a gaming console, more than social chat. that there are implications to being online. and hopefully planting those seeds so when they get to high school and college we can have a discussion about cybersecurity as a career. i spoke with a group of women at
2:34 am
new york's polytechnic institute a year or so ago and they were trying to get more women to go into the cybersecurity program. one of the things i told of his -- i told them was that this was a career that you don't just go to work every day. you get to be a hero and a warrior and a caretaker and a teacher. this is a career where you play a number of personas because the industry itself that are able to respond to the hackers may be -- mandates that. you turn into a career pretty quickly. there is an opportunity to create those personas in their mind that make it feel like it is not just about sitting at a keyboard. i think we have an incredible opportunity as an industry in partner with the government and in partner with our comrades in
2:35 am
the security space and private industry to work on solutions to build the time -- the talent pipeline. i am extremely excited about working on this program and helping to drive this initiative forward. hopefully, you will find this useful and thank you again for coming today. [applause] we have time for a few questions. there are microphones in the back. question, hold up your hand. i will start by saying there are -- i have two questions. the first question is and it is for both of you -- you have a microphone so you will have to come up. in thekforce has changed time since you have been in cyber security. it now different about than when you both came in a few years ago? candace, would you like to go first?
2:36 am
peoplerk with a lot of that do not have a technical degree. astronomyked with majors, geography majors, anthropology majors who were writing code through the application. incredibly talented, committed, passionate people who had simply created a hobby of computer programming. they turned that into a career. time, and the report indicated that holding a degree in computer science became more important because those were people i knew very early in my time at mcafee. having thatars ago, degree became a critical part to hiring someone. thathas overshadowed those
2:37 am
have gained their skill set with alternate means. there have been -- there has been an evolution of the attacker. if i think about the attacker they werest started, 18-year-olds in their basement trying to get their piece of malware on the front of a newspaper somewhere. that image has changed dramatically. weird talking about organized hacking. adversaries are as well-funded as we are and as well educated as we are carried as organized as we are and that means the talent pool we have to tap has to be capable of thinking in a way that our adversaries think. that is where the gaming comes in. when you think about the gaming angle -- iowa my husband and my i watch my husband
2:38 am
gaming takesr -- massive deductive reasoning and the ability to see multiple things going on at the same time and determine which are most important for them to take action on. we joke about gaming, but yet when you think about it takes to play some of those games, it's incredibly difficult, multi- ,asking and multi-reasoning have to be quick at making decisions and when you think about what you have to do in a cyber security field, a lot of the skill sets apply and i think it's an untapped talent pool that we have to encourage those kids who love to game to consider the field. >> may be the next study should be on gaming. [inaudible]
2:39 am
>> i grew up around computers and to me this is where the cool factor was, but i soon realized i was probably the only girl that can write computer code and i recall my college kasei roommate who to this day is my best friend, she came to see me writing code at some ungodly hour in the night at the lab, but it's not about writing thousands of lines of code in managing firewall. is beyond that. the spectrum of what you need to be in this field. first and foremost, you want to look at how this field has our debt -- our deputy secretary went to -- and gave the keynote speech last year.
2:40 am
that does not mean someone we think will hurt government. it been someone from that crowd with those skills opening the doors to what has previously been perceived as government. there is a whole spectrum of skills we need. i did a commencement speech at johns hopkins recently. i told people you have highly technical skills. learn to communicate. tomarned a lot of this from at my company. you have to learn how to do cleanup. you have to understand how the malware works. but no one else among the decision-makers to whom you have --explain this [indiscernible]
2:41 am
>> or you find yourself in a meeting or you are at the table and you are the person and you have to convey what happens in a normal language. the second skill i think you need is to understand how to build teams. you can be the smartest person in the room, but if you can't work with everyone around you and if you can't work together in some way it won't work, so the gaming skills, i think, and people skills need to come together with the hard-core tech and that's a lot of how it's changed. >> a footnote, australia's survey form has a space bar you can fill in your ethnic group and allows you to fill in what you want, so 25,000 australians on the last survey filled in that they were klingon. but maybe building on something that says i was thinking about-- i was on a panel in the naval academy and had to admirals and a general. they were all women.
2:42 am
i got to talk to the head of tense fleet, navy cyber command, she is a three-star admiral. how theyou think about workplace looks really different. but you can tell us from sort of a long-term perspective what is it like for women now, how is it changed and how do we get more women in this workforce? that is a tough one. >> my philosophy on that is that i want to be hired because i am the best person for the job and i want to hire people that are the best people for the job and i don't care if they are female or klingon. the fact that this industry has afforded me an incredible career , i am very grateful for that. it has been an amazing company to work for. i started as the product manager for the antivirus product and
2:43 am
ended up running one of the largest businesses in high-tech security. securityech specifically has been incredibly good to me. not because i was a woman but because i was capable and i met my commitment. women, ilk to young say focus on doing the best job that you can. be excellent at whatever you aspire to be and you will move forward in your career. if you work for an organization or a where that does not happen, leave. of companiesusands out there that would be thrilled to have you if you are excellent at what you do. still to this day, i am often the only woman in a room or one of only two women in the room. who cares? i am a gm in the room. i am a vp of marketing in the
2:44 am
room. a product manager in the room. i want them to see me in that role. i think being a woman in this industry is a great industry because oftentimes, i have worked for companies who did not see that as an issue let alone see it and i am very ok with that. i want to be seen as what i do and how good i am at it and as long as you focus on that, i think there are very few places in the world where you will not do well. >> thank you. >> once again i agree with candace. you talk to high school girls and is sometimes hard because for them to get across that if you will.
2:45 am
my nieces have no limits. that culture is changing on its own. they do not see boundaries. >> when you do talk to young women like that, if you are the only woman in the room, then you are definitely the best woman in the room. motivatednerally more to prove your ability as a result of being the only woman there. you often feel like you have to work harder and be better so that people recognize that you are outstanding in your job. say -- ing woman to can be the best and i can stand out because i may be the only one like me -- that is a great selling tool. in high school, you want to be like everyone else. that is the challenge in high
2:46 am
school. as you get past that and into college and in your career, it can be awesome. >> this is just like sports. team on a girls volleyball and a girls softball team. we want the best and the brightest and i don't care if that is a tropical fish. we want to see what you can do and what you build into the team. hasink the focus on women been obviously cultural. i think it is fun. you stare them in the eye and you compete and you work the meeting and you produce.
2:47 am
that is the key. really am going to give you people a chance to ask a question. i have to ask one more which builds on this discussion. both of you have been in the geek world for a while. and when you think of the unique world in the 1990's and your image of a guy -- of a geek, it was usually a guy. how has the increase in women in the workplace changed the culture. this has implications for improvement. what has changed about being a geek now then 20 years ago? government is of everyone is wearing a suit. we want our folks to be
2:48 am
comfortable and feel like they are on a technical team. we decided to let them wear jeans. and i remember that it ended up wiring a memo. i was new to government. i went to the undersecretary and said -- it is the process. it all worked out. and i wore ripped jeans to the meeting to discuss it because my point to someone else in the room that opposed it is -- will you respect me any less because i'm wearing jeans? everything you see on the news has largely been handled before it comes on the news. i don't think they need to be wearing suits to do that. we want them to be comfortable. i am not allergic to pizza. i walk upstairs to get candy in a big crisis.
2:49 am
being a greek -- a geek is no different. >> there is one difference. so many of the incidents are high profile. when i first started, you had code red and a few attacks that were high-profile. now, when an attack occurs, the people who understand the attack need to be able to communicate. i had engineers that were brilliant that i worked with but i probably would not put them in front of a customer because they just say what they think and although it is accurate technically, it may not be the best thing to say to someone under extreme stress in crisis. they are a little sensitive during those times. one of the things we have seen is that the more technical people that we have in the organization that have a in frontty of meeting
2:50 am
of the press or customers, tilting that communication's -- communication skill set is much more important today than it was in the early 2000. ands often more technical they have to go in front of the board. someoneot going to put without communication skills in front of a board or the press. i think in addition to the geek technical skills and take speak, you can still find candy in thes and coke cans garbage can at the end of the day. the skill set that i have seen highlyis that these technical individuals have had to build up their communication game because they are called upon to do many discussions. do we have any questions in the audience?
2:51 am
>> i'm with the council of scientific society president. we face a lot of the same issues in terms of getting and recruiting good people. there are two things that i'm interested in. one is, if you're going to be training people for a job you will be shortchanging them because if you educate them for a particular area of knowledge, they can then amplify and go forward quite a bit more easily. i am worried about these programs possibly being shortchanging. secondly, you keep saying you have to be an interpreter to the people in the room. why can't those people be like you instead of you having to interpret to them? why can't they be like the head of the department of energy? >> i could spend an hour, but i
2:52 am
will spend a minute and thank you. to candace's point, i think on on the communications -- it's very important to get the point out as some people are very good at that some people are highly technical and there are some people that have absolutely no interest in speaking publicly . i believe people are most productive when they do they love doing, so if you have the scientists that have no desire to go and speak to the general public, we need other people that can speak and i have learned that this both in corporate and government in terms of briefing styles. sometimes have 30 seconds to convey what happened overnight regarding a widescale attack to a secretary or a deputy
2:53 am
secretary. have a microphone in their face in minutes and they are smart and they will get it but you have to give it to them in a way that has depth and impact. and i think that only comes with practice and there are certain people that just don't enjoy that, so we don't force it. there are plenty of people that are like candace and me and jim and others in here that can do both and there are others that prefer to stay with the media side into a next line job of its many things and they have to know what's going on to translate it and there is the other end of the spectrum that would prefer to not have to deal with this. it's what you like. that's my opinion that's how we run and i like people to focus on what they enjoy most and that in which they will excel the most. to your other question and i understand it's a real point, so if you're not going to spend a long time in one place i think what you are asking is how do you get the skill set that can help you grow. i think as the program was designed they will look at that. a lot of the hard-core technical
2:54 am
skills-- and having been in both , you would need in the department or a hard-core security company the skills are the same. the understanding of how marketing engines and research and development engines and budgets and quarters and revenues and shareholders drive one side and the other side, the one side is doing it for the money so they can innovate more and do it for the money and keep people happy with the money, but often thinks come out. on the other side we do a mission and the money for my site right now is fuel. i go to the hill and asked for money so we can do our mission, the hard-core, what you are generating at the scientific level is not so different, but the skills of understanding how to drive a company or how to help a government and its citizens and global partners, those are the very different skills and i think you need both . i probably would not say
2:55 am
anything different. i agree. problem-solving, understanding financials, communication skills are transferable regardless of the security industry, financial specter or government agency, whatever. those core sets of skills translate. computer science skills, writing code translates whether you are working for a secured company or working for a banking company writing applications for their internal systems. i think many of the skills that you need in this industry does translate. even if we look at say the hacking competition or wargames skills that you might develop as part of a program, you are going to develop reasoning capability. you are going to create a better set of problem-solving skills. i can't think of a single job where better problem-solving and inductive reasoning would it be an incredibly great set of assets to have, so i think that we say there are cyber security programs because we will look at those training programs through that lens. 90% of what you get out of those
2:56 am
programs would be translatable to a different industry -- . >> we had one in the back. >> i don't need that one. >> you do to get it recorded. >> ok. i apologize to the people in front of me. years ago had a recommendation in there that curriculum needed to be modified especially and engineering disciplines where that is where the next generation of industrial control systems are coming out and you have more cyber security knowledge in there. in this study when you're looking at the gaps or technology's better out there and looking at ways of how do we get to the people with the skills, did you guys see a lot of increaser progress made in getting cyber security knowledge incorporated into the various disciplines and curriculum out there so that the devices that we buy for the infrastructure are embedded with cyber security rather than what is now basically a bolt on add-on?
2:57 am
>> i think writing secure code, there's been an increased focus on that and curriculum because i think you can't very well covered without secure code nowadays. in the past we worked with universities around a piloted curriculum for cyber security. that was a pilot we did a couple of years ago with a couple universities on the west coast and it was interesting, those classes filled up in 15 minutes. in talking to the dean of one of the schools he said it was like a rock concert. literally there was a lot a line around the block with kids wanting that curriculum. so, there is demand in universities for that curriculum and that content by students. i think it's incumbent upon security industry and government to work more closer with
2:58 am
education to build that out, so i think there is been baby steps in the direction. i don't think we are as far as we need to be and so i think that's a lot of some of the discussion that we have been having and those at the corporate level as well as with those organizations to try to accelerate out of it. in terms of like building for industry and that kind of stuff i think that will be both getting of that into curriculum, getting the mindset of students coming out of computer science degrees to think about how do i design with security, but it's also incumbent on corporations that are building those devices to make a priority to develop the architecture with security in mind and manufacture some level of security capability into the industrial control or whatever that device is from the get-go. adding it after it has already shipped is very difficult. building it in upfront, so can be managed by system after the fact, much much better.
2:59 am
so, i think it will be a combination of industry and education. >> mike, i will embarrass you by pointing out that i have known you for how many years and thank you for that question. there is a whole side of the systems that is not typical cyber security and not the protocol, so how do we bring those teams together to look at the light flashes often on? how to we bring those teams together with the guys that are running ip protocol and standard internet speak to monitor this stuff and one of the areas you look at a lot is our control system. i will do a seamless plug for this team. ics industrial control system, the systems that run your electric grid or your water or your lights or your energy or natural gas. looking at those systems that are controlled by electronic signals where they control mechanical functions and it's this area is a lot of the reason we're reorganizing our field
3:00 am
response to natural protection. that shows the real mission. it takes these devices that are dictating and enabling our world and shows the connection to cyber but brings it together. some of the talent in that industrial control unit -- that talent is where we have to build . that is part of where we want to add those rock stars. that is where we are focusing a lot. because those systems are pre-uniform across the different structures, water, gas, oil, electric -- but the key is working with manufacturers to make a more secure and working with the operators to please not use the passwords that came on the package when you monitor them over the internet.
3:01 am
we monitor this 24/7. there are tens thousands exposed we have gone out in campaigns saying if you own or operate one of these systems, you are owned. so let's look at that from a risk management consequence. at what level will we put what level security, not a five dollars lock. >> well, both candace and phyllis have day jobs. you may have suspected that and we're fortunate that candace will stay for the panel discussion. her comments have been great, but phyllis for some reason feels she needs to get back to work. so, please join me in thanking our two speakers.
3:02 am
[applause] >> can i ask the panelists to come up. >> in the report that we did, we surveyed eight countries. to analyze how companies and
3:03 am
governments should approach cyber security workforce development. cyber security spending, educational programs and public policies. with the help of this panel, we are going to dig a bit deeper into these dimensions and examine dimensions and examined international approaches to cybersecurity workforce development. so without further ado let me introduce the panel. we've already met candace in her opening remarks and have heard how cool she is. the next we have rodney petersen, director of the national initiative for cybersecurity education at the national institute for standards and technology. koosman strecker and senior government relations officer or a found and directed the cybersecurity initiative. next we have a simone, chief cybersecurity officer at
3:04 am
cybervista where she lived product development and education and training curricula as well as workforce initiative for executives, cyber practitioners and continuing education. famously, she was a senior associate at booz hamilton. last we have director of cyber cooperation at the embassy of israel. in this capacity mr. becker joint reserves the israeli national cyber bureau in the office of the prime minister. mr. becker leads the bilateral engagement between israel and the u.s. in the cyber realm. so to jump right in one of the findings from the survey was only 23% of respondents said traditional bachelor's degrees were fully preparing students for a career in the cybersecurity. are traditional degrees no longer the best investment for people wanting to enter this
3:05 am
field? how can we improve the quality of our cybersecurity? >> thank you. it's an excellent question. first, i want to thank csis for the study and report. one of the things that strikes me in the introduction is the shortfall leading to critical for builders to companies and nations. that vulnerability really implies it's a part we don't talk enough about. we talk about technical mitigation, processes and other software designed, system vulnerabilities but the human element is a critical part of risk management. later in the report you said 97% of boards are aware of cybersecurity as an issue so i hope this report and the work we are doing at the national initiative for cybersecurity education will raise awareness and a sense of urgency around the workforce as part of risk management. specifically to your question about the quantity and quality of what education is producing for cybersecurity workforce, we recognize that as a concern, a challenge and an opportunity that the nice program is built a
3:06 am
strategic plan that identifies a few goals but one is focused on nurturing a diverse learning community. the first thing i would say if they traditional pipeline most of us are familiar with students going through k-12 schools and universities have been to the employer is not the only pathway to give you any cybersecurity. it's an important pathway and a long-term pathway that we want to invest in and improve upon but there are other pathways including the fact a lot of cybersecurity professionals could change jobs midcareer and already have a bachelors degree in the field like psychology and want to get some skills and training whether it's through a training certification program or through a community college degree nondegree program. our other goal is to not only nurture this diverse workforce but to accelerate learning and skills development. the final pathway is to recognize that the training and
3:07 am
education and skills development happening in our high schools and community colleges, training certification providers are as much fun as what happens in a -- as much value as what happens in the traditional university setting. i think we need to think more broadly about that diverse learning community and not focus on the traditional pipeline that would be an important long-term solution but not the only solution. three things i would say about improving the quality is to make sure it is employer driven. the way to close the gap between employers and satisfaction and what education and training providers are producing is more conversation, more alignment between the two so that educational institutions, training providers are producing what employers need. the second thing is what the report references is to more hands-on learning, more actual learning through doing as opposed to just the knowledge or lectures if you will. the combination i think we'll -- will increasingly close that gap.
3:08 am
and a third thing, the way to bring employers and education providers together. if you're not familiar there's a national cybersecurity workforce framework referred to as a nice workforce framework that creates that standard, the way to get employers and training provided to think toward come. -- thinking more in common. i think if we can focus on what we have in common common vision , and goals we can make progress both in quantity as well as quality. >> and so these three initiatives in talk about cybersecurity, the skills and education, is this a unique field in terms of how challenging it is to train and develop the workforce? >> i do think it's unique in some perspectives and there's a number of reasons for that. like rodney said one of the interesting points i found in the report was about 9% of top universities currently offer in the u.s. a cybersecurity major or minor program. with in the grand scheme of university programs is a small number. the question is not only where is that pipeline coming from but how long can we wait to get them
3:09 am
to the point they would be ready and willing and capable participants in the workforce it is a significant amount of time. for that reason you need to look to alternative methods whether through continuing education, certification programs. one of the reasons among many that's a difficult is cybersecurity in many ways is a very hard to plan to i to put -- is a very hard discipline to put your finger on regarding what skill set does that require. it's a multidisciplinary field. the are a number of disciplines that you can specialize in what you like to go into cybersecurity. that's one of the things that makes the field so wonderful. you can have an analytic or psychology degree and apply that in cybersecurity but you can be in forensics or malware analysis and provide technical skills. it makes it difficult to create a pipeline or programs that can address all of those different disciplines and.
3:10 am
different -- different disciplines. another reason it's been challenging is that the field relatively speaking is new. i don't mean new in the sense that it has not been around or our moreessed in connected world, but as far as the profiles received and the amount of time people have had to explore this as a career field, is really fairly recent. to be able to develop programs to catch up to that we are playing catch-up. that's one of the reasons that at cybervista i say we are kind of like the unsexy side of cyber because we are the education folks. we want to help people retool those skill sets. if universities are not going to programs and failed in a period that will address that need, and -- then we need to have some gap fillers. we need to address the workforce where you can transition people from one career field that in an
3:11 am
adjacent area into the cybersecurity field. as an example there's a 9% premium on salaries for i.t. professionals going into cybersecurity. to be able to take additional skill set and give people enough credentials or certifications whether it's some of the skill set, to be able to get a clear, clearance, those are the types of things we need to look at now in addition to higher education. >> i want to touch in your point about creating different programs to address all the different disciplines and may be asked about israel's experience. could you speak but israel's approach to leveraging, to leveraging nontraditional sources of education and training with military service and how israel is going to cybersecurity workforce? >> sure. we are taking cyber very seriously. we understand this is something that will change even in the future of our state.
3:12 am
about five years ago we had a big shift in the way the government is dealing with cyber in israel, building the organization, within the government but part of it is understand how important is the phase in high school students decision. regarding cyber security. and what they are thinking about not through just gaming which is very important but also through three different programs. currently we have a five year plan and the government is
3:13 am
currently funding $100 million which in israeli terms is a lot of money. part of the curriculum in high school and towards the end of the high school, including in the curriculum exams. part of it is to take very interesting challenge, to ask students to participate in afterschool programs, not part of their official curriculums, and different areas of israel and we found there is a big demand for that. we promote this program about two years ago when currently we have almost a thousand people each year that are participating in that program. it's important not just for the decision regarding what strategy at the university in israel, also very important for the part of the military service which is compulsory service since the founding of the state of israel. i believe we would like not to have it but this is a necessity in our neighborhood. presently we understand we need to find the most talented people to be part of those units and those programs help us to find
3:14 am
those people through competitions but also through just participating in those programs. i'm talking about the military, talking but every year, every every boy and girl at the age of 18, starting their military service. some of them are going to technological duty. after usually two years for girls and three years for boys but if they choose to be part of the technological unit, it's the same amount of years for boys and girls by the way, and is between four to five. after four or five years they are finishing their military service and now in the public or private sector. some of them are starting at university immediately after that and graduate in computer science and other studies. some of them go to the private sector, opened their own startup or be a part of large enterprises. some of them deciding to stay in the government.
3:15 am
this decision is very critical but its influence from all what we have learned in previous years. >> moving into the role of the employer and cybersecurity workforce development, candace, could you talk about what kind of employers to both provide and shape cybersecurity education attorney? -- education and training. are there any issues that come to mind that it been successful? >> i think the customers i speak with, they are very focused on making sure they continue to provide training to their security teams. obviously staying current with the skills, could with an understanding both the adversarial as well as malware in general is absolutely critical for them to be able to do their jobs. most organizations that have pretty solid security teams are pretty significant amounts of investment into professional
3:16 am
certifications, into continuing education for their specific around the computer science skills out of those kinds of things. they are often doing things like hacking competitions. they would do a competition internally. wargames and setting up teams of people who now are competing against each other in a hands-on real-time data format. those are skills they can develop internal for the organization as well as leveraging external skills through training organizations or universities that have specific curriculum about these -- curriculum around cyber security or or skills that would be relevant to cybersecurity. there's tremendous opportunity for corporations to be part of providing training, and providing the training will also help them retain. >> that is counter to some of
3:17 am
the concerns i've heard from employers but one of the interesting highlights of our survey is that training is very important. what would you say to an employer that says if i train my workers in the believe, just be more valuable to other companies? >> many times that the function of creating a work environment where people want to be. i think phyllis made an incredible point earlier which is she may not be able to pay as much but they have a mission. the culture of that organization in the mission becomes the motivation for the people that go to work for her. i think creating an environment that fosters kind of that says that i am part of something bigger than my current role or my roll alone is enough anyway to get your people to stay. if you think about the millennials, social conscience is a big part of what makes them tick.
3:18 am
so thinking about how in cyber part of what we do everyday is help people and corporations protect what's most important to them in the digital world. if you are a person where social conscience is important to you, being a part of an or decision -- being a part of an organization that makes that a priority is a great reason to stay in your job. >> one of my favorite quotes personally is one from richard branson when he talked about train your people like you want them to actually be able to leave, but treat them so that they want to stay. i think there's a number of lovers from the employer perspective that often speak to you want tohow do stay. if you're working for dhs and there is a mission, that is certainly one aspect that can could be a motivating factor as to talk about how employers can pull the levers. yes, there is a salary in the
3:19 am
private sector and there is a time a place for people's careers where that is going to be the primary concern. the further education opportunities. we tend to espouse so much more than just giving someone a training opportunity and then showing them that the day -- that they can agree that the you are the things you can achieve by having the skills. >> at some point money stops being a motivator but it's all the other stuff about the organization and the role you have that motivates you to stay in that company. to pivot to governments and companies turning back to , israel, from an outsiders perspective israel is doing very well on this record just a their investing and have high school programs and their political leaders are engaged. what problems has israel in town -- israel dealt with in cyber security workforce development and what still needs to be done
3:20 am
on that front? >> it's a great question because, currently there is a very unique situation regarding israel and the cybersecurity sector. in israel, there are about 257 different companies. just one third of what the u.s. has but still in israeli terms, it is a big challenge because those companies always need more people to work with them. another thing is that because it is a global challenge, and it is a global world, not just factding -- but also the that national companies are part of the israeli echo system. the israeli echo system, in a nutshell, is part of the academia.
3:21 am
part of it is also the private sector. to keepest challenge we israeli ecosystem strong, are proud with what we have created a our biggest challenge is to keep the israeli ecosystem strong. together with all the multinational companies involved in the israeli cybersecurity sector in the last two years. >> the obama administration yesterday about a new directive about albany different agency roles and responsibility to cyberattacks. while this isn't directly related to the workforce per se i'm wondering how can these agencies deliver on the initiatives and respond. what is the us government doing to address this shortage, to facilitate hiring or maybe even outsourcing some of these cybersecurity capabilities? >> so the title about the director, the cyber incident
3:22 am
coordination, and my first reaction to that is that's an operational concert or maybe a policy issue. like all of these issues when you get back behind the scenes it takes a skilled workforce to make things happen. there's a couple rolls called out in the directive i think are obvious ones, handlers are people who identified it does -- and therefore need to share them. a second one is about restoring and recovering from incidents. many of us do about business continuity role is important just focusing on those tuples roles, that is part of the workforce that is quite frankly independent. to report talk to intrusion detection as a high demand skill. we do know the incidents until we discover them. i think it is directly related to both the directive in terms of how it's going to happen and who's going to do the work. what's more interesting though when you drill down into the directive and it talks about the implications of a cyber incident, the impact in other words, it lists these type of
3:23 am
work roles, this is an operational continuity, adverse financial impact, privacy protection, liability risks, compliance issues, communications to affected users, and external affairs including media and congress. those are work roles that a variety of people will have to play to carry out that directive effectively. it's a great illustration of where our nice workforce framework is moving to recognizing quite frankly cybersecurity is are the ones responsibility. i know that seems trite and attacked our vision for nice is a digitally comedy that is enabled by a skilled and knowledgeable cybersecurity workforce. there really are the right of -- are a variety of people including lawyers, policymakers can financial people and others are going to have a cybersecurity route responsibility of in the context of cybersecurity incident management if you will. in the fall we plan to publish the next version of the nice workforce framework and in addition to sing seven categories of work, 30 specialty
3:24 am
areas in the corresponding knowledge and skills and abilities you also see work role data. that's what the federal government is doing a just assessment of her cybersecurity workforce is look at the work roles that are performed both within i.t. or position and outside with respect to cyber security. >> that kind of is a good time doing excitement about different future skills and technologists and how these develop over time given with industry as a whole is heading. if you were advising someone, what skills should they learn to be competitive given the technological development and how should they require them? ? >> it's a tough question because
3:25 am
the technologies and automations that are being developed are so fast but also patchwork. so when i talk to folks are looking to enter their field or looking to the transition from maybe an adjacent i.t. field i tend to focus on so many areas that that require higher order levels of analysis or data comprehension or critical thinking. it's still applying it to a technical means but as was mentioned earlier it's getting to a point that we want to be able to actually separate the and focus on what's important. -- separate the noise and focus on what's important. the skill sets that we need for people is to actually get those items that are important. and allow technologies to be developed that can separate that and just focus on the important component. it's tough because we don't want want to pigeonhole people into only one skill set. we don't want to see or the capable of doing incident response because the reality is you will have to potential bring that up to your second team.
3:26 am
-- up to your executive team. but you need those foundations. i think professional certifications in the landscape we have today are an integral point for people that are looking to break into that field. they set that baseline of knowledge despite what technologies to develop and despite what we automate served as a way for people to understand and opposed the particular to understand what is your baseline level of knowledge. just as an example, there are 49,000 open jobs currently for -- and the u.s. and our 65,000 -- and there are 65,000 holders. being able to address some of us -- some of those current needs and then transition as technologies change is going to be absolutely critical. when we talk about those skill sets and we talk about how do we
3:27 am
evolve, one of the things we see in cybersecurity entity dolls feels but most the killian cybersecurity, it changes so quickly. the evolution rate is just exponentially higher than you'd see in other disciplines. so there's this need for continuity and consistency and training. the skill set you might develop coming out of one program are not necessarily going to be what you need to be sustainable. that will be true as we continue advanced technologies and create opportunities to automate some of these basic processes. >> as we advance these technologies and move towards a more automated cybersecurity environment, one of the interesting findings from the report was that nine out of 10 respondents believe technology can partially compensate for a gap in cybersecurity skills. is this the magic bullet? can that solve all of our cybersecurity problems? how will the cyber industry
3:28 am
skills shortage evolve in the future? >> i don't think there is a silver bullet. i think automation can begin to address a capacity issue. if i think back to early in my time in security, most of the customers that i would talk with our like yeah, i'm not automating processes with security because my neck is on the line if something goes wrong. so that automate the testing of patches or signature file or automate some critical process with security, and it goes south, i am probably in the unemployment line tomorrow. that's not going to happen. at that point is a good industry as a whole was still relatively immature in the early 2000's. customers were still building kind of that trust and respect of security products provided i
3:29 am
-- security product providers. i think we've come a tremendous distance in terms of the credibility of security products and the confidence that customers and agencies have in those products. we are now at a point where the conversations we are having with customers is there are certain things i'm ok with automating. so i set up automated testing to test signature files. i have created automated test rigs for operating system patch updates so that i'm not having a person sit in front of the machine and click buttons to a process to test whether something is going to blow up in my apartment. -- blow up in my environment. we have evolved from the user or consumer's perspective to be ok with automating what i tend to call some of the more than the -- more than the janitorial tasks. on the other hand, there are many tasks best to require a
3:30 am
grave matter. you need a person in a chair looking at a screen going through data try to get which data is most critical are relevant to potential incident. you could literally be looking at gigabytes of data trying to figure out which pieces of data are associated with anything. yes, there are probably probably some algorithms we could build in computers to sift through the at the initial level but when it comes down to the final determination of which of those is associate with an attack, what that attacked it, how did it get into environment, what system did it touch what did it from the organization?
3:31 am
how do we remediate the damage that they've done and remove it ? many of those types of tasks you need a person to be doing that. it's very difficult to get a computer to be able to do those levels of assessment. i think from automation perspective there are lots we as vendors can do to begin to build automation into the security process come into the security products that we deliver to market. there will always be roles that require humans to be part of the intervention. i think we could also build into those programs things that make those tasks easier. so how do i get the system to do that first level of filtering? i know this is a standard call. i know that this was a standard policy that was applied by the security program. but my goodness, nor what that application doesn't inject that process. there's an event that has injected a process. is having somebody see that point in this point and that point, they can tie this together intellectual and say those three things together equal bad, when
3:32 am
anyone of them individually might not have raised a flag. i think automation can play a role but there will always be a critical need for people who have a deductive reasoning and problem solving and critical thinking skills. >> i think you're finding may be one of most new and original findings in the report. a lot of things have surfaced before and i would think it is a solution but not a solution. i could just give a couple of samples and my own experience are i think we're mitigating the workforce issues to automation or through efficiencies if you will. one is the federal government for good reasons were all required to take mandatory cybersecurity awareness training. that training would happen in the classroom like this wikified instructor presenting material. we have online training that is available that kind of eliminates the need for that physical person to be present. to say that isn't so
3:33 am
necessary in some situations. that automation i think has led to efficiencies and really address the workforce issue. the other example that comes to mind is whether its account generation password change the ball the rest are used require a physical person at a helpdesk to change without begin to automate that in ways that are increasing efficiency and security in some ways as well. what i would remind you is behind those automated efforts is innovation and creativity. that's a whole nother workforce we need to make those things happen. i agree it has sufficiency. it's an important finding that you have made but it's not the silver bullet. as part of the overall strategy we need to keep in mind. >> something i used to see in some financial institutions and retailers that we would consult with is that technologies were great and they weren't automate functions but the reality is there needed to be humans who codify what the uses of those technologies and how they efficiently and effectively work together. the reality was they came down to in some cases a cost-benefit analysis. if you are making an large investment in some technologies that accomplished 20% of what you need to do what it turns out it's capable of doing 80% into
3:34 am
just another people able to utilize that in the right way or the network to properly with other technologies give invested in, then the technology as good as it could be isn't as effective. you need humans to set of processes up in your organization as the customers in order to make them work. >> from a government perspective, we take the same approach just as was described but we need to make process automated and to understand as i said where the human is most critical. also we take another approach, depreciate away the needs of the national -- from the large enterprise needs mainly because of the mistake and impact that might be made for nation, from national security perspective. taking us to approaches together we are working very close with the leading r&d centers in israel. with leading universities and together with the private sector in israel to understand how do i make it as much as we can edify
3:35 am
-- how to automate it as much as we can and find out what are thecritical places to keep humans. >> great. i think we have time for some questions. anyone in the audience. or i can take moderate prerogative and start off with one of my own. being that we are in washington, and i feel like we are in the height of the legal under political seasons there's been a lot of rhetoric about may be closing some of our borders and with immigration policies and i was wondering how would that affect the tech community and cybersecurity where diversity is so important to? how do you see this record or some of these proposed policies having an effect on workforce development and the ability of employers to hire a diverse workforce?
3:36 am
>> let me think carefully about this answer. [laughter] >> so what i did say is that certainly i think should the country decide to go in that direction, that it will make it even more critical for us to work with universities to go but into the pipeline of technical talent coming out of university. i think we have seen over the course of the last several years a lower than we would like to percentage of students coming out of university with engineering and computer science degrees. i think industry in general has looked to the international
3:37 am
community to make up the capacity delta in terms of leveraging people from overseas to fill their roles. i think if we're going to limit accessibility to that broader talent pool, then it would be incumbent upon especially the country and as a corporate and government community to make it a number one priority to start developing more programs that facilitate an increase in technical degree programs. >> i would just give a quick example, and nonpartisan answer i might add, related to the scholarship versus program that phyllis refer to. that is when the ways the federal government is incenting students to both receive a degree and get the tuition, room and board and fees paid in return for government service. historically that has been limited to u;s.s citizens. shortage of people who can pursue masters agree and ph.d and will be the professors and teachers of the future.
3:38 am
so whether it's a result of immigration policies or domestic policies, the bottom line is to get the scholarship for service and then go to work for the government and get a clearance is heavily favored in the favor of u.s. citizens. >> one of the most an >> one of the most interesting statistics i found was there are seven percent of top universities who have an undergreat program but a third of the universities have a graduate program. of that third, 68% of the student population is foreign students, and so while i don't necessarily have a comment on immigration side of things, i do think that's very interesting and troubling, when you think about the different perspectives coming through the programs
3:39 am
today, and if that stopped, i think it tells me, one, we need more programs that can actually address the need but a that is woefully inadequate, and we should continue to see a diversity. there are no borders in cyberspace, and unless you're going for cleaner or something -- for a clearance or something else, i think it's really important that we get that diversity of perspectives, looking at different adversaries and having a different perspective of the political situation. >> i'm not the person to comment on the immigration, but i can share with you the fact that the
3:40 am
israels are 25 u.s.r & d cyber security centers, your companies, meaning that the connections are very tight, and those companies decided to be in israel, and sometimes just with front office, just a few people doing -- for new israeli technologies, sometimes it's thousands of people working for a u.s. company in israel. even sometimes the global center of cybersecurity for the company and i think this is fascinating. >> with the comments you made about 68% of the students in the advanced degree programs are coming from overseas, the question that begs to be asked, is that because they're not enough u.s. students applying for the programs, and the question is, why is that? or are they being beaten out by the more talented folks from overseas. why only 34% of u.s. students in those advance programs? >> what i hear from chancellors, and presidents and deans at colleges and universities is because many of the undergreat undergraduate
3:41 am
particular leave college and get high-paying jobs with the knowledge and skills they obtain in four years and there's not an incentive to return for masters and ph.d so there's a talent shortage in the graduate school pipeline. secondly is the incentives aren't there when you talk about leaving the government to go to a higher paying job in industry or elsewhere, the same is true to be a teacher or faculty member, which pays even less than working in the government. so it's really hard to attract researchers and faculty if we're not offering competitive salaries, and you just look at higher education as the example and contrast what we paid for doctors and medical school professors and others who are highly skilled and highly in demands. we reward them with high
3:42 am
salaries but don't reward science professor, professor who is cybersecurity the same way. >> a lot of these programs are fairly new, and so like the rest of the field there is some level of marketing, private industry has a marketing problem, and we need to be more invested about recruiting people into the field, whether it's because they're taking that educationalout or actually pursuing it as a career field. so regardless of whether it's because there's not enough demand from domestic u.s. students or whether it's that they're being weeded out, still think that problem could be solved by continuing to really actively recruit and show people the path they can have by
3:43 am
selecting a career in cyber security. >> as a computer science student and millenial, i'm curious, from any of you, what do you find the most frustrating, i guess, aspect of recruiting specifically the millenial generation? >> well, i'll throw something out. part of it is that melding a millenial work force with a work force of previous generations can be challenging, right? so many of the folks that are in industry today are part of the y's.boomers or gen is that next? i get my letters mixed up.
3:44 am
many of them don't use social media as often. many still want to pick up the phone or walk down the hall and talk to someone rather than instant message, and so you end up with a little bit of not culture clash but a different approach to communication. a a different approach to work. and i know as a manager of large groups, that becomes one of my management challenges, how to get these diverse generations, who really approach communications and work differently sometimes, to find common ground, so that they can successfully execute on a project together. the reality is i'm not putting all millenials on one project and all baby-boomers on another. they're going to bring different skill sets to the same project, and i need both or i need three or four generations in a project. one, because it brings diversity of thought. different experiences, different approaches to problem-solving. that gets you a better result. but with diversity you get andbut with diversity you get difference of opinion. you get debate. you get conflict. and as a manager, you have to figure out how to kind of bring
3:45 am
that team together. so, often times you end up being teacher, coach, playground referee. so as a manager, i'd say that been one of my bigger challenges. not just with millenials but in how to create a cohesive team that is represented across multiple generations -- . >> i have two daughters that are millenials so i have to be careful what i say about what frustrates me about millenials. i want to turn it around.
3:46 am
i'm less fruited about millenials, i'm optimistic. sigh progress and opportunity. i'm more frustrate bid the work force in which they're trying to enter that is trying to build models and systems off of, as we heard -- previous generations who say there a long time and have traditional ways of coming to and from work every day. we need to recognize that millenials are perhaps going to stay for a shorter period of time than the lifelong career. when you talk about diversity egg that's a good thing. if they're coming in and out of industry to government or from one company to another, they're bringing diverse experiences and other ways of thinking that is very valuable to the organization. i think secondly we need to take -- in the federal government is a great example, part of the new federal cyber security workforce strategy, job rotation is a good thing. not always a career ladder where you advance, advance, advance, more pay, more bay, more bay, but getting a different experience working in another department, getting another assignment, working all together, dhs employee. that job rotation keeps millenials engaged, adds value to the organization, and that's just the new normal. >> millenials often -- they like to work from home.
3:47 am
right? the diversity to work whatever environment makes them feel comfortable. think they generally like social causes. they like organizations that are socially conscientious. cyber security is -- it's all about trying to make the world a safer place at some level. i've never worked in an organization that was more geographically diverse than the one i'm in right now with intel security. we have a large work force working from home, we have people all over the globe. if i look at my team alone i have three or four soho workers, people who work in europe and several locations in the u.s. it gives them maximum flexibility to live where they want to live balancehe work-life
3:48 am
that thereand not are not long hours. plenty of times it's a 17-hour day, not an eight-hour day, but at the same time it gives them a lot of the elements that they're looking for in a job. >> i think that makes complete sense, and i'm going to pull a rodney. my biggest frustration is actually a good motivation for employers because all the mel lenals i have hired are so motivated and ambitious and you must provide them the entitlement to excel and succeed and that's a greater burden, good period, but a greater burden on us as an employer to provide those opportunities. immigrant makes our organizations better. we are more successful when we create those environments to give people those opportunities and to feed their ambitions and motivations. i have found millenials the most passionate creative thinkers we have worked with and they're approaching problems in a way that i think a lot of their predecessors may not have looked at the problems because they were looking through a paradigm of a fairly traditional model.
3:49 am
so, the frustration is ultimately to fix it is more work for us but that's a good thing. i'm so happy to have that challenge as we look at this -- just a contingent of the work force that is so eager to learn, and if you give them that opportunity, they will eat it up. and i think that's really something that we should be taking advantage of and providing them the infrastructure and perspective for them to take advantage of it. >> i guess if there's no more questions from the audience, i would like you all to join me in thanking our panel for their time and insight here today. [applause]
3:50 am
[inaudible conversation] on newsmakers this weekend, we talk about the presidential race with governor terry mcauliffe. he shares his thoughts on hillary clinton's running mate and the a lot from act e-mails. you also talks about virginia's status as a swing state. watch that interview today at 10:00 a.m. and 6:00 p.m. on c-span. and many of the featured
3:51 am
most talked about speeches from last week's democratic national convention. you will see speeches -- republican national commission. you will see by's presidential nominee michael pence, donald vanka, a vodka trump -- i trump and others. >> the prime minister of singapore is headed to the united states this week where he will be the guest of honor at the white house state dinner. it will be the 13th time white house has hosted a state dinner with president obama. as a preview. >> the white house press secretary is here and i would like to welcome you in honor of the singapore president.
3:52 am
in a few is -- indiscernible] -- obviously, [indiscernible] -- without further do, i will turn it over to know over the floral information. thank you. >> hello. welcome to the press review. the whitelorist of house. our color here
3:53 am
is yellow. -- [indiscernible] -- singapore is known for its orchids. the united states is known for its world-class -- which we have showcased. both of them together it represents the harmonious friendship between both countries. we hope you enjoy it as much as we enjoyed creating it. thank you. >> good morning. i am to end. senior director for asian affairs at the national security council. we very much look forward to welcoming the singapore
3:54 am
visitors. visitors are and the opportunity for united states to reaffirm our ties and friendship with america's most important and closest partners. singapore clearly is one of our strongest, closest, most reliable partners. lee visitsminister the white house next week we will be celebrating the 50th anniversary year of one of our bilateraltant relationships in asia. next week's visit presents an opportunity for president obama reciprocate death totality that prime minister leah and the people showed him when he visited and 2009. the events will allow the president to demonstrate the close professional and personal relationship he has with the prime minister based on mutual respect. during the visit we will see a display of close u.s.-singapore
3:55 am
cooperation across the board. singapore serves as host to our military forces in the region. it is one of just two southwest agencies in the counter active coalition. it is a primary component of the trade agreement, home to over 2000 american companies and it is a partner and advocate of the transpacific trade agreement. the prime minister will discuss range ofration on a issues including law enforcement, global security, maritime issues and combating climate change. the leaders will discuss how we can further grow our strong defense relationship and ties to train people. the two leaders will also highlight economic and strategic importance of the transpacific partnership trade agreement. represents a crucial opportunity to revitalize the global economic architecture and strengthen america's influence
3:56 am
at the center of it. tpp will eliminate more than 2000 tariffs on exports. it will make sure countries follow the same labor and environmental standards we follow in the united states. good for the united states, for the region, for the world. the prime minister's visit clearly reflects the vitally important role played by partnership.the united states is engaging more deeply across all of southeast asia and afghan which is to theely essential regency and prosperity. both of our countries are devoted to building a regional order were are all countries play by the same rules. resolving problems peacefully and cooperating to resolve issues. now i will turn it over to chris.
3:57 am
>> incidentally, for our first course we are serving maryland crab which is actually from cambridge, maryland, with his accented by an asian hybrid of citrus kind of like a cross between limeade and kumquat and it is garnished with wonderful route vegetables. sweet potato, yam. wanthe second course, we to celebrate summer. we are highlighting local ohio andfrom a farm in also marrying this with some wonderful asian flavors, the
3:58 am
mangopapaya and grape pickle accented with sorbet which is another wonderful tropical oriental fruit. we are highlighting american beef garnished with roasted yams from california and also garnished with wonderful baby kale and wondrous lemon grass. i would like to introduce you to our executive they current chef. -- two hour wonderful bakery chef. >> good morning. my name is suzi morrison, i am the executive pastry chef. present to you in my left hand a plate of desert, a handmade creation of page same great cake layered with accents of coconut milk,
3:59 am
palm sugar, and bright yellow ands from california virginia farms. marinated with a variety of american red wine and included juicenge and pomegranate and a light chamomile glaze with dried chamomile from the white house kitchen garden. it is garnished with honey from the white house made into brittle, fluffy, honey meringue. in my right hand is a creation made of caramelized allman nougat. with orchids, roses, and ribbons all hand-pulled and made of ofar included in a variety assorted miniature pastries which are pineapple, coconut, white chocolate truffle, puree, sesame.
4:00 am
tarts, black sesame macaroons, and finally -- what did i forget -- the triple layer all meant take. thank you very much and have a nice weekend. announcer: the u.s. chamber of commerce is one of the first stops the singapore prime minister will make when he visits washington, d.c., this week. we will have remarks live monday at 6:30 p.m. eastern on c-span. announcer: d c-span bus isn't the little fear, pennsylvania this week asking people about the democratic convention and the issues most important to them in the 20 16 presidential campaign. >> i am valerie, the superdelegate for cleveland -- hillary from cleveland, the great city in oh


info Stream Only

Uploaded by TV Archive on