Volunteering: the Key to Cyber Security?
By Tom Seest
At BestCybersecurityNews, we help entrepreneurs, solopreneurs, young learners, and seniors learn more about cybersecurity.
If you’re interested in learning more about cyber security and want to make a difference, volunteering your skills is an excellent way to contribute. Not only will this give you hands-on experience, but it’s also a great opportunity to network with professionals within the community.
According to a report from the National Governors Association, several states have started creating civilian cyber volunteer responders. These include Michigan, Wisconsin, and Ohio.
Table Of Contents
MiC3, also known as MiC3, is a volunteer group of cybersecurity experts that offers mutual aid to local governments and private organizations in case of cyber incidents. These volunteers are supported by both Michigan National Guard and Michigan State Police officers.
MiC3’s mission statement states that its mission is to assist local governments and businesses to “protect their critical infrastructure from cyber attack and data breach.” Members are available for support during cyber incidents as well as providing training and education to fellow volunteers.
MiC3 requires at least two years of information security experience and passing a series of tests to demonstrate basic knowledge in networking and security concepts, along with IR and forensics skills. The organization accepts ANSI-certified/DOD 8570-compliant certifications in core security disciplines.
In addition to meeting technical requirements for membership, members are strongly encouraged to take a six-day SANS cybersecurity training course. This class provides them with hands-on practical expertise in network and security operations, incident response, as well as digital or network forensics.
At the conclusion of their training, members take on a challenge that requires them to respond to an incident within one hour. According to Dan Groll, founder and leader of MiC3, this exercise provides members with insight into what type of quick response is necessary during times of crisis.
MiC3 currently has approximately 30 members and is working to expand its presence throughout the state. This will guarantee that businesses and government agencies in all parts of the state, especially rural ones, will have access to trained security professionals in case a major incident occurs.
NGA highlights the significance of creating and supporting a community of information security volunteers in its report. Such programs typically prioritize training and provide members with networking opportunities not otherwise available through other sources.
Davenport reported that while Michigan’s nonprofit MiC3 has experienced high attrition, the state is working to improve the program. To restructure MiC3, which is made up entirely of volunteers, and make joining easier for new members, MiC3 plans on restructuring itself in the future.
MiC3 requires at least two years of security experience and the passing of a series of tests to demonstrate an understanding of networking and security concepts, as well as information retrieval (IR) and forensics. Applicants are strongly encouraged to obtain ANSI-certified/DOD 8570 compliance certifications in core security disciplines like Security+, C|EH, CISSP or GIAC.
MiC3 program is an outstanding example of the vital role a statewide volunteer cyber security team can play in guaranteeing all states have access to resources necessary for protecting against attacks and data breaches. It’s a model recommended by NGA in their new Cybersecurity Workforce Framework.
State and local entities across the nation have formed groups of cyber-savvy volunteers to combat digital threats. They do this by offering assistance with incident response, vulnerability assessments, and other activities like that.
Wisconsin was one of the early states to launch a volunteer program and has seen great success in recruiting a diverse array of participants. In fact, its ranks now total more than 350 members – an amazing feat given the size of the state.
The state is also investing some resources in this effort, such as providing free or discounted training for new volunteers. Such incentives can be motivating for those new to the fold and could potentially improve the cybersecurity knowledge of its workforce.
Greenberg reported that these efforts are helping the state keep its own cyber systems secure from attacks and have contributed to its reputation as a leader in cybersecurity within the public sector. Furthermore, these improvements have allowed for faster response times when facing attacks against its own systems, according to Greenberg.
In conclusion, incorporating this type of effort into the state’s cyber defense strategy is a wise move. Not only will it save taxpayer dollars, but it will also lead to partnerships that make a state an innovator in cybersecurity research, education, and innovation.
To maximize the success of such a program, standards and documentation must be created to guide its operations. Furthermore, an advisory board made up of stakeholders from private, academic, and nonprofit sectors should be formed to address more complex matters – like what services should be offered and how best to recruit and retain volunteers who will represent the initiative.
As cyber security threats grow, states are creating volunteer cybersecurity response teams that can be quickly mobilized to support state and local governments as well as critical infrastructure sectors when incidents arise. Organizations such as the Michigan Information Security Community (MiC3), Wisconsin Information Security Community (WISCOM), and Ohio Cyber Response (OhCR), for instance, have set the bar for more efficient volunteer cyber responses within their states.
MiC3 is a state-led, unpaid network of information security professionals with at least two years of experience. Its membership comes from various sectors such as government, industry, academia, and nonprofits; currently, it boasts more than 80 members across three regional teams who have all been trained in one or more of its mission areas: incident response, cyber assessments, or technical assistance.
Since 2013, MiC3 has relied on word-of-mouth, networking, and an online test to attract new volunteers. Initially, it created ten five-person teams across different regions of the state, later adding a sixth team for Northeast Louisiana; now, there are over 80 active members ready to respond in case an emergency strikes.
Its volunteer leadership also sponsors an extensive training and professional development program, giving members the chance to acquire certifications that can be applied to careers in cybersecurity. Furthermore, members have access to a vibrant professional networking forum where they can network with peers and other practitioners from around the country.
However, one area of difficulty for the OhCR is its capacity to provide cybersecurity outreach and technical assistance (mission space one), which usually involves conducting risk assessments and suggesting solutions to address security weaknesses. This work has proven more challenging than anticipated due to SLTT government employees lacking familiarity with cybersecurity fundamentals or having no related background in this subject matter.
To address this problem, the OhCR is actively seeking to expand its partnership with colleges and universities that offer “cybersecurity 101″ courses tailored specifically for these organizations. Doing so would enable the OhCR to extend its reach in key areas without needing additional volunteer effort.
Although this strategy has proven successful so far, the OhCR is considering several other approaches as it grows its capacity. One option is partnering with an existing governing agency that already provides cybersecurity response capabilities in the state; doing so could reduce overhead costs and simplify starting a new organization.
Ohio has chosen to house its volunteer cybersecurity response team under the authority of the Ohio National Guard, providing members with legal protections and assurances that their service will be treated as active duty by the state. While this governance structure may not be as transparent as programs run by private sectors or nonprofit organizations, it was a deliberate decision designed to simplify program introduction and implementation.
Please share this post with your friends, family, or business associates who may encounter cybersecurity attacks.