Statement of issue with the cybersecurity jobs gap

There has been a consistent message over the past few years with regards to cybersecurity education. Namely, that the field is dangerously understaffed and that there are over 1 million unfilled jobs globally.

This hype has contributed to a significant number of new cybersecurity programs being created at all levels of higher education, from community colleges all the way up to institutions such as MIT, Penn, and Brown. According to ISACA’s 2016 Cybersecurity Skills Gap infographic, there will be a global shortage of 2 million cybersecurity professionals by 2019.  Frost & Sullivan indicate a shortage of 1.8 million professionals by 2022 in their 2017 Global Information Security Workforce Study.  Combined with this is a focus on data breaches and hacks, with large numbers used to communicate that this is a serious issue.

At the same time, according to the Online Trust Alliance, 93% of all breaches could be stopped by basic cyber hygiene. Verizon’s 2017 Data Breach Information Report indicates that 81% of reported breaches used as data in their report came from stolen or weak passwords. The FBI has indicated that two-factor authentication dramatically reduces the risk of data breaches or hacks. 

Combined with that, a large number of vulnerabilities that have been discovered over the past year that have engineering issues as their root cause. The two most glaring examples of this were Meltdown and Spectre. However, the Microsoft vulnerabilities that led to the WannaCry and Petya/NotPetya attacks cannot be discounted. Neither can Heartbleed or the other attacks on secure communications.

What we need to focus on with training and engagement

When you combine these two factors, which are basic hygiene and engineering issues, the question becomes one of focus. Instead of focusing energies on developing new analysts and new cybersecurity jobs, perhaps we should be focusing where we have the greatest potential effect.  There are several areas where I think we could have the greatest effect on improving security.

The first is reducing end user training overload.  As part of my job, a major component of it is to develop training and communication plans for our team.  We have very high variety and a very diverse workforce.  One commonality is workload and workflow.  Team members don’t have the time to sit through training, and they don’t like being lectured to.  What happens, in my observation in general, is that people tune it out because they feel it is not relevant to them.

An important lesson I learned from a Chief Medical Officer I worked with is that current training methods weren’t enough.  You have to get out there and engage and work very hard to establish two-way communications with the workforce.  What I learned from her was to redevelop our training plans to focus on short communications that are relevant and reinforced with communication on who to contact in case of an issue.  Further work with multiple public relations and communications teams has reinforced everything she said.

We need to be focusing on how we communicate and integrate with our users, so that we can do a better job of providing them relevant information they can use.  We also have to make sure that we’re not being onerous.

Secondly, it’s about evolving the engineering and design processes.  We believe security to be critically important, and it’s important to have vendors and internal development match that ideal.  While cybersecurity analysts are critically important to analyze potential issues, the current focus has not been on how to address these issues from a design or engineering perspective. 

One of the companies that got this right was Microsoft, who in response to significant issues with Windows XP, redeveloped their entire product development lifecycle to address core vulnerabilities, and empowered key engineering leaders like Mark Russinovich to re-engineer their products to improve security.  Microsoft was able to address entire classes of vulnerabilities, and developed a significantly more secure code base because of it.  Most importantly, vulnerability management at Microsoft greatly improved.

Understand the entire development process.  Sit down with the project managers and team, and talk with them about what they do.  One item you will find is that more often than not, they do have a basic understanding of security.  What they will most likely need is guidance and advice from you and your team.  Whether or not it’s the internal team or a third party, speak with them and find out what they do, and address their needs and concerns.

Incorporating risk management and security

What we’ve observed is that organizations who are the most successful with addressing security and risk are the ones that incorporate risk management, and by extension, security, into their product management processes.  When you build security into every step of the workflow and educate the team members on what they need to do, you get immediate benefits.

Include team members in the overall risk management program as your third step.  Security can’t be a black box to them.  The one thing that can disengage people the most is by asking them to do tasks or change their processes without explaining why the changes are needed or what they really mean to them.  Instead of spending your educational budget on developing more analysts, get the whole team up to speed on the basics so they understand what it you are asking for and why.  Target the education to improving the team’s knowledge of security.  Develop appropriate metrics to define and measure success.  Empower them to work toward a common goal of lower risk.

This leads to developing workflows for the teams that integrate into your risk management plan which paint an accurate picture of your environment.  This gives you something that can demonstrate success using the metrics we described before.  More importantly, this give you a view into it that you didn’t have before to accurately assess and address risk, plus you’ve educated the team at the same time.  You’ve also created those feedback loops to monitor, review, and course correct security across your organization.

We do have a job shortage in cybersecurity.  It’s not a lack of analysts or specialists.  It’s a lack of professionals who know how to assess and address risk, and who know how to span traditional boundaries to engage and educate customers on how they can be empowered to improve.  Adding people dedicated to cyber security doesn’t correct the engineering issues or development processes that generate the holes in the first place.  Engaging teams and doing the hard work does.