The convergence of voice and video traffic are quickly transforming the growing complexity of networks at a torrid pace. IDC estimates that the skills gap in VOIP should grow to 19% by 2011.

This changing profile in the role of the network plays a key role in the skills shortage. Network enabled collaboration tools such as social networking apps and the Webex conferencing/collaboration solutions we use in our business each and every day are demanding a new set of IT skills to deliver business value.

My perspective is two-fold on this issue; the first is what I have seen in the resources we have attempted to hire! We give a very straightforward quick written/oral test to all new technical hires. This requires basic networking knowledge and some Unix commands. On average, (after filters from reputable recruiting firms, some with 5-10 years experience) less than 10% pass muster for the first filter we use in our hiring process. This is a troubling fact, which has cost us considerable time and effort to secure the right resources with competent skills. So I can say from our market assessment in a very strong technological job skills market, core Unix and networking foundation skills are slipping.

The second is that we as an IT Operations Management (ITOM) industry need to keep pushing hard to build better proactive and intuitive solutions to aggregate instrumentation from all Data Center tools, including more work around VOIP, video streaming, and collaboration so that we can ease this transition. If ITOM solutions become more proactive across the typical Cisco infrastructure that is commonly installed in the Data Center, we can free up some additional time for advanced “emerging technologies” training where existing IT workers can enhance their core skills and re-invigorate their careers. We have to do a much better job of getting our existing IT professionals trained on emerging technologies!

While there’s less that ScienceLogic can do around training, we certainly strive to do our part to enhance a day in the life of the networking engineers who use our solutions to simplify monitoring of increasingly complex networking, Wireless, VOIP, and collaboration needs.

Blogger: Trent Henry

It sounds so august: "CYBER STORM" (ok, officially it's just plain ol' "Cyber Storm," but a title like that begs for caps).

What is it? Or rather, what was it? The "National Cyber Exercise" was a 2006 Homeland Security (and other federal agencies) sponsored simulation of computer and network attacks. Here's the specific detail from a DHS slide deck:

• Provided a controlled environment to exercise State, Federal, International, and Private Sector response to a cyber related incident of national significance
• Large scale exercise through simulated incident reporting only ??? no actual impact or attacks on live networks
• Specifically directed by Congress ... and coordinated with DHS National Exercise Program

In short, the exercise objective was to pretend that a faux "Worldwide Anti-Globalization Alliance (WAGA)" was attacking U.S. and international interests, and determine how public and private sector targets responded.

Cyber Storm is of interest now for two reasons. First, late last month the Associated Press received a redacted summary report of the exercise results (two years after its Freedom of Information Act request). They found a number of interesting things, many detailed here: news.wired.com. One delicious fact--which supports Burton Group's perspective that insiders are a significant danger--is that someone attacked the off-limits exercise control computers, most likely a participant. When exercises have embarrassingly bad outcomes because people don???t follow the rules, it frequently turns out that the rules have been designed to produce an unrealistically rosy picture of reality. The fact that this happened should be taken as a sign that the exercise conditions were unrealistic, and that in a real incident the results would be even worse than those shown by the exercise. There are many historical precedents for this.

Another important fact, reported by the AP, is that "key players didn???t understand the role of the premier U.S. organization responsible for fending off major cyber attacks, called the National Cyber Response Coordination Group, and it didn???t have enough technical experts." This suggests that there's confusion in the public-private partnership for attack response, and we need better escalation procedures and fuller participation of private companies (who, by some accounts, own 85% of U.S. critical infrastructure).

This brings us to the second reason for interest in this story: Cyber Storm II. That's right, a repeat of the exercise is taking place in March 2008. DHS spells out the mission here: www.us-cert.gov/reading_room/infosheet_CyberStormII.pdf. In addition to expected public-sector agencies, "private sector players from the Information Technology (IT), Transportation (Rail and Pipe), and Chemical sectors along with multiple Information Sharing and Analysis Centers (ISACs) are scheduled to participate."

Here's what's weird: no one's discussing the exercise. Actually, I'm guessing that's not strictly true. Who's not discussing it is Burton Group clients; and they represent hundreds of the largest organizations in the world and own/operate important global infrastructure. These organizations routinely ask us probing questions about information protection, incident response, security program management, and the like. I'm pretty surprised that Cyber Storm hasn't come up. Not even once.

Now, there are some possible reasons for this. First, DHS might be asking people to keep quiet for national security reasons. I could possibly buy that argument. Outside the exercise participants, too much knowledge could be a dangerous thing (and even among participants, could taint the exercise results). On the other hand, if the exercise results show that there is a problem to be fixed and that there???s a shortage of technical experts, thought-leading third parties (such as, I might add humbly, Burton Group) should be among the first people both our customers and DHS turn to ??? us and security consulting firms. If they???re not looking for such help, then I'm concerned they???re sweeping the problem under the rug. Second, enterprises might not feel that industry analysts are important pieces of this particular puzzle. Again, that's something I could buy--but it's at odds with the other intimate advice we offer to security planners, including security architecture for major systems. Third, our client list simply might not intersect with the invited participants, which, while plausible, means that some really important players are being ignored.

Here's what makes me nervous: the possibility that DHS isn't really involving the private sector. That is, amid the massive list of prospective Federal, State, local, and international government participants, individual companies are but a miniscule component. Given the importance of financial services, energy, and other private sectors, this prospect gives me pause. We've heard anecdotes from clients that FBI Infragard and other public-private security contact points aren't fulfilling their promise. Although there's talk of partnership, in the end most organizations don't have clear lines of escalation or incident response to federal authorities. It's my hope that Cyber Storm and its progeny begin to close this gap. But so far, no one's talking.

So help me understand: Is the National Cyber Exercise adequately exercising all stakeholders? If so, please speak up! If you can, let me know...