interview

David Powell

CEO, Federal Business Council

Cyber Moves from the Server Room to the Board Room

October 27, 2015— David Powell, CEO of the Federal Business Council and co-chair of this year's CyberMaryland conference talks about technological innovation, cyber security as an ecosystem, the proper subsidiarity with which communities in that ecosystem flourish, and development of a strong, well-trained cyber labor force.

The CyberWire spoke with David Powell,of the Federal Business Council, who's co-chair of the CyberMaryland conference. We asked him for a look at what we might expect of this year's conference, opening today in Baltimore. He ranged over technological innovation, cyber security as an ecosystem, the proper subsidiarity with which communities in that ecosystem flourish, and, above all, development of a strong, well-trained cyber labor force. Here's what he had to say.

The CyberWire: Congratulations on another year of CyberMaryland. We see a great deal about risk management on the agenda. Would you care to share some of the conference highlights in that regard?

Powell: Cyber is evolving as an ecosystem. While there are tremendous developments in technology and tools on the IT side, we’ve seen a huge leap in the awareness of cyber security as a true business issue: it’s moved into the boardroom. The agenda this year brings the business issues around cyber—risk management; policy; coordination among cities, states and countries; training; legal issues and even the commitment to develop the next generation’s cyber workforce. These are built around mitigation or minimizing risk over the long-term, while embracing technological solutions available today.

You might say we are trying to create a mindset and an understanding that threat, and the solutions, go beyond a technology approach.

For the technology to be most effective, there has to be an organizational mindset.

The CyberWire: What are some of the new tools and methods available for managing cyber risk?

Powell: We’ve seen the recent development and launch of a lot of new and exciting products to identify insider threats, assist with corporate governance and compliance, analytics to measure actual performance of implemented programs, behavior monitoring, tools to quantify risk, insurance to cover losses, training and education programs and partnerships to share best practices.

The CyberWire: In the United States, capital has always been cheap and labor's been expensive. Everyone's feeling a particular pinch in cyber security: the sector depends heavily on scarce, and therefore expensive, highly-skilled labor. What role do you see schools, colleges and universities playing in redressing this labor shortage?

Powell: Academia is responding rapidly.

When CyberMaryland started over five years ago, there were less than ten universities with a four-year degree in cyber security. Today, there are nearly two hundred fifty. Educational institutions are responding to the need by working with employers to identify skills, and then they reverse engineer programs that map to those jobs.

Many community colleges are becoming the training ground for the cyber work force. Many jobs require specialized training that is efficiently handled with a shorter-term proficiency program. We’re seeing schools of all kinds embrace the challenge by developing academic programs that lead directly to employment.

We are also seeing high schools and middle schools create awareness and even certificate training programs. Programs such as LifeJourney, the NSA Day of Cyber and Loyola Blakefield High School’s Cyber programs will be tremendously successful in creating pathways to bring this area into sharp focus for students, parents, employers and educators.

The CyberWire: What's the right role for industry to play in workforce development?

Powell: Industry has to lead this development. By communicating with education providers, and defining and sharing future job descriptions and mapping those descriptions back to educators will help create meaningful programs. Ultimately, identifying and connecting with students or job changers with the aptitude for the many and varied roles is crucial.

Helping students become aware of the future and understand the pathways to developing a career is a key concept behind CyberMaryland. Industry has to be an active participant in defining the skill sets, aptitudes and competencies needed, as well as making sure there is an education path to get there.

The CyberWire: And how can government play a positive role here? Not just the Federal Government, but state and local government as well?

Powell: What we are seeing is that security needs are best articulated and handled at the local, or community-of-interest level. To avoid reinventing the wheel, sharing best practices for solving similar problems could be a role for a non-proprietary entity such as government, whether state and local or federal. There is a tremendous body of knowledge regarding threats, as well as success stories for effective implementation of countermeasures. Supporting the building of communities-of-interest around cyber to share what is working is a growing trend.

It takes time to develop trust among stakeholder communities, which is why public-private partnerships like CyberMaryland are effective. Another great example is the Federal Business Council’s partnership with the National Cybersecurity Center of Excellence, which creates opportunities for dialog and information sharing. Industry supports the implementation and values the ability to come together as a common voice, recognizing that each participant has goals that are important and distinct. The result of gathering the ecosystem is that something great takes place when people are together, communicating.

The CyberWire: Innovation is often thought to constitute an ecosystem with research, capital, labor, governmental climate and entrepreneurship, all constituting vital niches. Tell us about how you, from a perch at CyberMaryland, see each of these in your region?

Powell: Maryland is unique. We have a "Napa Valley" here on cyber security. Many elements are aligned that create a natural environment to support cyber development. Using the "Napa Valley" analogy, we have the right mix of fertile soil (the strong asset base of cyber-related entities located in Maryland), climate (orientation to all things cyber), rainfall (the ecosystem surrounding development), sunlight (the people engaged in the work at all levels) and history (many cyber innovators have spent their careers here).

Instead of wine, our output is cyber innovation and cyber professionals. We can always improve, but we have the ingredients to support the growth of an idea into a viable solution, along with a marketplace that will nurture growth along the way. It’s a special place.

The CyberWire: (We like, by the way, hearing Maryland compared to the Napa as opposed to the Silicon Valley.) Any thoughts on this year's class in the National Cyber Security Hall of Fame?

Powell: This year we'll welcome five new inductees into the Hall of Fame. Cynthia Irvine, Jerome Saltzer, Ron Ross, Steven Lipner and Susan Landau. Each individual has had a profound effect on technology, education, policy and innovation through their work and careers. One reason that the Hall of Fame exists is to recognize the role models—those unique individuals who were innovators and laid the groundwork for future generations. Until recently, many people in cyber security worked quietly, without recognition. It’s important that we recognize these individuals—they are role models for the next generation.

The CyberWire: If you could point to any single challenge, and to any single opportunity the cyber security community must address it, to what would you point?

Powell: Unify.

The CyberWire: Short and clear. We're looking forward to hearing the sessions today and tomorrow. Thank you, Mr. Powell.