How To Create a Training Program Aimed at Cyber Novices and Ninjas Alike

We spotlight the change agents and what it takes to drive transformation in government.
Ann Barron-DiCamillo
Former US-CERT director, now VP of cyber threat intelligence and incident response at American Express

When Ann Barron-DiCamillo came into her new role as head of the U.S. Computer Emergency Readiness Team housed within the Homeland Security Department, she realized quickly there weren’t enough training opportunities for cybersecurity analysts. The main challenge was finding money for training as that budget was anemic. Barron-DiCamillo solved this issue by taking dollars from the cyber operational funding and using those to build out a complete training program.

“When I went ahead and carved money out of my operational budget, I felt it was a real operational dependency,” she says. “I can’t have operators that don’t have the right training in order to do their job.”

Working with Northrop Grumman as the contractor and leveraging connections with organizations like SANS, they built out a training program targeted for all levels of cybersecurity professionals, from the very green analysts to cyber ninjas. Now, someone like a network analyst in tier one could identify what certifications, training and experience were needed to move up the ladder.

“Be creative in how you go about solving a problem.”

The program became so successful, it grew beyond just US-CERT and the National Cybersecurity and Communications Integration Center to become a National Protection and Programs Directorate-wide program.

“By the time I was leaving, it was seen leveraged across the organization,” Barron-DiCamillo says. “It went through two versions and it’s going to continue to live and breathe and be applicable to change as the environment changes because it’s so modular.”

There were folks in HR who wanted to put these shackles around people that if they took this training, they would owe the government x number of years in service, according to Barron-DiCamillo.

“I just think that’s a really negative incentive to the workforce,” she says. “I want my workforce to know I’m investing in them and the security of the organization by providing this kind of training.”

Barron-DiCamillo’s thought was that if cybersecurity was everyone’s responsibility, then someone taking the training and moving to another organization wouldn’t be seen as a wasted resource, as that person would be better armed with knowledge on how to bolster cybersecurity.

“And truthfully, this program became one of the biggest retention capabilities we had, because we were investing in individuals and their skill sets, and that was seen as very positive across the organization,” she says.

Success breeds success. When people outside of US-CERT saw how well the program was doing, they wanted to bring that to their own organizations, Barron-DiCamillo says. The organic growth of the program also helped its wider implementation.

“I didn’t come in from the top and force this across the organization; I built it from scratch and it got its own legs and it became successful through that effort,” she says.

Her best advice for people looking to enforce change in government: Think outside the box.

“I always say be creative in how you go about trying to solve the problem,” she says.