The questions vary from week to week, but they all share a common theme: cybersecurity. One week she may be asked to choose which devices can be plugged into her computer. Her responses are scored and tracked. Answering questions carelessly or incorrectly will land her some additional reading to brush up on the topic.
“It is a constant reminder,” said Zabel, who serves as vice director of the Defense Information Systems Agency. DISA wants to ensure that the workforce is thinking about cyber every week.
These short quizzes don’t replace annual security awareness training, not even for the vice director. But DISA’s Cyber Defender tool does keep security issues top of mind for all employees. It’s a new way of thinking about security training in government, using bite-sized chunks of constant information to teach employees, which Zabel is hopeful will permeate the Defense Department and beyond.
Both the military services and the DoD Chief Information Officer are interested in using DISA’s Cyber Defender tool, Zabel told an audience of information security professionals at the 5th Annual ISC2 CyberSecureGov training event in Washington, D.C.
Government must keep pace with accelerating change with a workforce that does not change very fast, she said. The question, then, is how agencies can increase cyber awareness among all employees, even their security experts.
In response to her question, Zabel outlined four tenets for educating the federal workforce in cyber.
- Understand that the environment is going to continue to change, and government must adapt.
“Our environment is a field of constant change,” Zabel said. If you were to look at the mechanical structure of an aircraft about 30 years ago, you would have noticed a lot of IT, even back then. Now consider today’s modern aircraft: the F-35 and F-22.
“Those things are basically flying computers,” she said.
Everything that government needs to do intelligence, surveillance, reconnaissance, command and control — and more — is dependent on IT. But that same technology is constantly changing.
Even DISA’s IT priorities have evolved and will continue to do so. Today it's mobility, the next generation of Common Access Cards and software-defined networking, but those priorities will evolve, Zabel said.
- Personal development requires role-specific practice and the freedom to experiment.
Zabel is a proponent of commercial certifications, which she described as providing a body of knowledge for learners that is refreshed by industry, academia and government. “Certifications play a very important role for skilled practitioners of cyber,” she said.
Similar to other DoD entities, DISA supports obtaining and maintaining certifications. Zabel shared how an Air Force officer pushed to have a particular security certification training available for all maintainers. He wanted people who are plugging systems into an F-16 to be aware that they are plugging a computer into that aircraft.
In addition to certifications, Zabel wants to see more opportunities for employees to experiment. Some may call it failing fast, but she likes to think of it as “finding a new way not to do something.”
For example, cyber ranges, or virtual environments set up for security professionals to get cyberwarfare training, provide a needed space for them to practice their skills. The Army is taking the lead on developing a persistent training environment that would be available indefinitely.
- Smaller sessions of more frequent training are more effective than the big, grand event (degrees).
Zabel shared how her past experience teaching computer science at the Air Force Academy gave her immediate and long-term feedback about what works and what does not.
She also pulls from her past experience as a student to shape her thoughts on developing cybersecurity talent. She explained that while her formal education in computer science and cybersecurity provided a foundation for her career, that was a set period in time.
“It ended,” Zabel said. “I got my bachelor’s degree in 1987, master’s in 1996. Think how much has changed since then.”
Those long, deep drinks of training or education are important, she said. But to make sure the federal workforce gets educated and stays educated, it’s the smaller, day-by-day experiences that have lasting impacts. That’s where tools like DISA’s Cyber Defender come in.
- Your organization needs to understand how it values cyber and the cyber workforce because we align investments to values.
“If you are in an organization that fundamentally thinks that they don’t care about information, you’re not going to get very far with training your workforce,” Zabel said.
Training budgets are often the first to get cut, and an organization won’t invest in what it doesn't value.
The value that your organization puts on securing information is reflected in who it hires, what growth path it provides for the cyber workforce, and whether security professionals are part of the C-suite or just thought of as overhead.
“If an organization values information, they need to be ready to align their investments to that value,” Zabel said.