By Jeremy Wittkop, InteliSecure CTO
People, process, and technology. Where do we turn when it is the people side of the equation we most need to address? An increasing number of organizations are asking this question as the shortage of cybersecurity talent continues to become more dire. There are more threats evolving every day, and it seems there are legions of cyberattackers, ranging from divisions of cyber militaries on the state-sponsored side to the ever-increasing digital crime epidemic that appears to be sweeping the globe. There are marketplaces, instruction manuals, tips and tricks, and even entire portions of the internet that seem to embrace lawlessness and appear to be dedicated to the pursuit of separating valuable data from its rightful owners.
“Since the massive breach at Target in 2013, many other organizations have fallen prey to cybercriminals. The next year saw hacks into UPS, Goodwill, JP Morgan Chase, Sony, and others. Forrester Research predicted that 60% of brands would experience a breach of sensitive data in 2015. That estimate may have been conservative considering that last year, those organizations successfully targeted by cyberhackers included the FBI, the Trump hotel chain, Experian, and Scottrade, among others.” – Fast Company article (Fast Company, July 27, 2016)
This problem is not going away soon; in fact, it is increasing in scope. There is very little downside for an attacker, as an unsuccessful breach rarely has meaningful consequences given that there are few laws and treaties in place that allow for the global prosecution of cybercrime. (I speak at length about this issue and potential ways it can be solved in my book which you can find here.)
Think about what it would take to rob a bank in the 1950s. You would need to assemble a crew of like-minded individuals, physically compromise the bank, overtake the security guards by force and subdue the customers, socially engineer or destroy the bank vault, and flee the scene without getting caught. You would generally have a few minutes. Compare that to cybercrime, where you can attempt to rob 100 banks without any help, sitting in front of a keyboard in your pajamas sipping coffee. There is no likelihood that physical harm will come to you if you are unsuccessful, and, as mentioned previously, if you are caught, you are unlikely to face prosecution or any significant jail time. Further, according to multiple studies, the average response time for cybercrime is measured in months or years, compared to the response times of traditional police forces, which are measured in minutes. As a result, there is little to stop or dissuade attackers from continuing to attempt to penetrate our networks and steal our most sensitive data except our cybersecurity professionals, or White Hats.
Prior to going further, I think the terms White Hat and Black Hat could use further explanation. These terms are becoming commonly used, and it is important to understand what they mean. In the American Western television show The Lone Ranger, it was easy to tell the characters and their motivations apart based on the colors of their hats. The protagonists all wore white hats and the antagonists all wore black hats. That distinction is often used in cybersecurity circles to distinguish the people protecting legitimate business and government interests (White Hats) from those who are seeking to conduct some form of illegal or immoral activity (Black Hats). All kinds of other hat colors have subsequently been added to describe different motivations, but for the purpose of this discussion, understanding the difference between White Hats and Black Hats is sufficient.
The White Hats we employ are the heroes we rely upon to protect us and our most sensitive information, and, like the Lone Ranger, who also wears a white hat, they are often gravely outnumbered. Unfortunately, the real world does not always grant us a happy ending, and unlike the television show, our White Hats do not always manage to overcome the incredible odds they face with respect to manpower and funding. They need help, and they need it in the form of training, skills development, and, most importantly, more good guys.
In most cases, the attacking group has more people and more capital at their disposal than the people trying to protect the network. This is often the result of the difficulty many businesses have with valuing their information or doing a proper risk analysis and cost/benefit analysis with respect to their security programs. It is important to note that investing in strengthening an organization’s security posture generally does have a favorable cost/benefit outcome; it is simply uncommon for a proper analysis to be done when considering cybersecurity investments. The reasons for this escape me.
The bad guys do not have that problem. If they steal 40 million credit card numbers, they know precisely how much each credit card will yield on the open market. They also know how much they can get for a health care record, and they generally have a buyer lined up for a piece of intellectual property before targeting an organization. They have a very clear idea of what the benefit is, and how much effort and cost they should expend trying to achieve that benefit based on the margins they would like to maintain for their efforts. In short, attackers with a profit motive are running their operations like a business; the irony is that their targets, often legitimate businesses, do not run their security programs in the same way.
“Your cybersecurity strategy must be built into your business strategy” – Tom Ridge
The news continues to get worse. Even for organizations that have decided to invest in cybersecurity, there is a dearth of suitable talent. There is a plethora of technology available on the market to help an organization succeed in protecting its environment, but those technologies are simply tools. If you had thousands of hammers, drills, wrenches, and so on, but no skilled carpenters to use them, how many houses could you build? The same challenge faces cybersecurity initiatives in many organizations. To this point we have defined a few of the contributing factors to the larger problem. Essentially, organizations do not know how to value their information assets, or choose not to take the time to do so; they do not spend the time to intertwine their security strategy with their business strategy by evaluating and redesigning business processes in a secure manner; in many cases they do not do a proper cost/benefit analysis for their security programs and therefore fail to invest properly in cybersecurity; and the organizations that do choose to invest have significant difficulty finding the right people. The focus of this series is solving the people problem. (If you are looking for assistance with the other contributing factors, InteliSecure has Consulting Services offerings that can help.)
The shortage of qualified professionals is not likely to improve in the near term: the same Fast Company article cited above reported that 82% of organizations say there is a shortage of skilled cybersecurity professionals today, and the number of openings is expected to grow 53% over the next two years. With more organizations seeing the ramifications of not investing in security, it is likely that demand for strong cybersecurity talent will continue to increase for the foreseeable future. Certified Information Systems Security Professionals (CISSPs) are security professionals who have met stringent cybersecurity requirements, including an extensive evaluation, and who have a minimum of five years of information security experience. According to an article in Network World, “U.S. employers posted 50,000 jobs requesting CISSP credentials in 2013, a year in which the population of CISSP holders numbered 60,000.” When new job postings requiring a specific skill set begin to approach the total number of people who possess those skills, you are likely to see a worsening shortage. Even with the increase of interest in these types of professions among younger people, demand is set to outpace supply for the foreseeable future. In a subsequent post, we will discuss ways in which the cybersecurity community can become more diverse and approachable in order to help fill the gap in the long term, but those solutions will not tangibly impact the statistics for a number of years.
Businesses seeking to protect themselves from cyber threats have to solve this major problem. According to ISACA, by 2019 there will be 2 million more cybersecurity jobs than there are qualified professionals to fill them. This problem is also trending in a direction that indicates it will get worse before it gets better.
In order to address this skills gap, we need to look at long-term and short-term solutions. My intent in this series of posts is to review some potential solutions to both the short-term and the long-term problems. These ideas are not intended to be a prescription to solve the problem, but just some preliminary ideas to jump-start the thought process. The first step to solving the problem is to admit that you have one. I am confident most people reading this article understand there is a problem in cybersecurity related to a lack of qualified professionals. Now we need to develop strategies to solve the problems we face.