I was recently quite critical about the Government of Barbados’ announcement of their participation in a pilot for the Cyber Nations Training Initiative, a programme created in Canada with a mission of training 100,000 people from the Caribbean and African countries as cybersecurity operations analysts, incident responders, and cyber literacy coordinators.
This initiative at face value is highly commendable as it addresses critical national workforce development needs for cybersecurity. Where I believe it goes off the rails is the expectation/objective that a 4-month crash course in cybersecurity will guarantee that the 200 persons trained will obtain remote jobs with Canadian or other foreign businesses making CDN$60k or more per year. This is simply out of touch with the realities of the cybersecurity profession and relevant workforce demands. Moreover, these unrealistic expectations, coupled with a requirement that interested parties commit to a BBD$14k (USD$7k) student loan, basically set individuals up for disappointment and frustration when the government’s promises don’t come to fruition.
All the above being said, I would like to use this blog post to recommend an alternative approach for cyber capacity building to the government. Hopefully, they’re willing to engage and cooperate with me and with the various stakeholder groups to effectively deliver.
STEP 1: PREPARE
- Identify an executive sponsor in government for cybersecurity workforce development. This person should have authority, be empowered, possess advanced training and a strong understanding of the country’s multi-dimensional cyber workforce needs, and be afforded the necessary human and financial resources to execute.
- Develop and publish a vision for the national ICT workforce, highlighting cybersecurity as a critical priority area.
- Encapsulate cyber capacity building and workforce development into a refreshed national cybersecurity strategy.
- Work with key stakeholder groups to undertake a cybersecurity workforce readiness assessment. Available tools like the Cybersecurity Workforce Planning Capability Maturity Model (CMM) can be used.
- Engage and involve stakeholder groups such as academia, technical community, civil society, and the private sector (especially critical infrastructure providers). From the government perspective, key ministries with cyber-related and national security activities, law enforcement, military, and the judicial service should participate.
STEP 2: PLAN
- Perform a cybersecurity workforce risk assessment to better understand risk exposures and risk tolerance, define mitigating actions, and assign owners and due dates.
- Create an inventory of the existing cybersecurity workforce.
- Determine existing/future needs and address the gaps. Key functional areas should include:
  - IT audit
  - Security management
  - Governance, risk & compliance (GRC)
  - Security awareness and training
  - Security education (e.g., University of the West Indies, Barbados Community College, and private training centres)
  - Judicial officers trained in handling cyber-related cases
  - Cyber law and policy experts (e.g., privacy, cyber diplomacy, ethics & technology, emerging technologies, Internet governance, etc.)
  - Law enforcement and military officers trained in cybercrime prevention and cyber defensive/offensive capabilities
  - Incident response
  - Threat intelligence
  - Penetration testing
  - Security operations
  - Security architecture
  - Application security
  - Computer forensics
- Considerations need to be made for staffing the public and private sectors, exporting talent, attracting foreign direct investment (FDI), and creating local cyber-focused startups.
STEP 3: BUILD
- Develop and align positions in a national workforce framework, considering entry-level through advanced positions.
- Ensure that non-technical traits for cyber professionals are also factored into training and development plans.
- University of the West Indies (UWI) and Barbados Community College (BCC) should include mandatory cybersecurity courses in all IT and computer science diplomas and degrees. They should also develop undergraduate majors in cybersecurity and postgraduate specialist degrees in cybersecurity. The UWI Faculty of Law should develop postgraduate qualifications focusing on cyber law, Internet governance, and ICT policy.
- UWI should seek to establish an international cybersecurity research centre and explore twinning with other centres led by world-class institutions (e.g., Harvard Berkman Klein Centre, FGV School of Law – Sao Paulo, Stanford University Centre for Internet and Society, Internet Interdisciplinary Institute – Barcelona, Chatham House, Oxford Internet Institute, Strathclyde Center for Internet Law & Policy, etc.).
- Prevailing cybersecurity requirements should be considered in the redevelopment of all general tertiary education curricula.
- Foster public-private partnerships (PPPs) to offer cybersecurity scholarships and/or fellowships to high-potential students and professionals.
- Partner with global organizations like ISACA, (ISC)2, EC-Council, PECB, Global Forum for Cyber Expertise (GFCE), and others to provide industry-recognised and broadly accepted training and certification.
- Collaborate with the Organization of American States (OAS), Inter-American Development Bank (IDB), Caribbean Development Bank (CDB), International Telecommunication Union (ITU), European Commission, and others to finance and deliver a broad range of capacity building trainings across key government agencies.
- Accede to the Budapest Convention on Cybercrime to become a priority country for cyber capacity building programs, among other important benefits.
- Train judicial officers (Supreme Court of Barbados) to better oversee computer crime cases and develop local and regional jurisprudence.
- Commit to a dedicated annual cyber education and training budget for the public sector.
STEP 4: ADVANCE
- Public and private sector organizations must develop retention plans for critical cyber resources, particularly to combat brain drain.
- Create and implement a plan to attract foreign direct investment (FDI) in areas like managed security services, business process outsourcing, and to fund innovative local cybersecurity startups.
- HR departments in public and private organizations should develop career paths to help cyber talent navigate their careers.
- Formulate continuous development opportunities for existing cyber talent.