If you think everything’s gone cyber now, just wait. “Digital transformation” is shifting all aspects of modern life — think automated grocery stores, driverless cars and trucks, even our social lives — and it all brings new forms of risk.
Consequently, security is becoming one of the top fields in the world. But it’s not the same discipline it once was. For every new risk, every innovative web service, connected device or IT-powered process, CISOs need experts who can understand the exposure. As the threat landscape becomes exponentially more diverse, the security industry must become much, much more diverse in response.
The complexity of this challenge is compounded by the talent shortage the security industry is facing today: the Center for Cyber Safety and Education’s 2017 Global Information Security Workforce Study projects 1.8 million vacancies in cybersecurity by 2022.
In order to bridge that talent gap and build a more secure world for everyone, the discipline must evolve.
When cybersecurity was new, it was almost a gamer culture. Script kiddies in hoodies were playing around in garages trying to break stuff. The threats were closer to vandalism, with some of the earliest worms simply hijacking systems and sites to taunt their owners. The efforts of hackers were rudimentary, juvenile, sometimes borderline criminal, but they were just getting started.
At the same time, controls were considered an IT problem. Build the firewall. Close the loopholes. Monitor the traffic. So naturally, organizations looked to the IT department. Ex-military personnel were also valuable, because they understood the basic concepts of risk and securing assets against compromise.
In our own recruiting efforts today, we talk to men and women with business backgrounds who say they would never be interested in cybersecurity. And their reasons don’t always match up with the field I know — reasons that are tied to that lingering perception of hacker kids doing cyber combat with IT guys wearing pocket protectors.
Our industry’s talent shortage is exacerbated by a misperception of what the field is all about. As long as that’s the case, we’re never going to see it mature to the level it needs to longer term.
The good news is, those perceptions are rapidly changing with the evolving nature of our world. From shutting down power grids in Ukraine to multi-million-dollar heists on banking systems in Asia, cybersecurity has dramatically upped its intrigue in recent years.
It’s not just for geeks anymore
Today, we still need IT skills and military minds, but the world has become a different place, and security involves much more. As security professionals, we have to consider criminal intent, hacktivism, espionage, and (cyber) warfare.
This “CHEW” is the new frontier, and to beat our adversaries in this environment, we can’t just rely on those same skill sets — because cyberattacks aren’t just about hackers writing code. We’ve seen nation states use targeted marketing campaigns to influence public opinion. We’ve seen public fitness-tracker data used to follow military members around sensitive locations.
To combat today’s constantly innovative information warfare, CISOs need diversity on their teams, because everyone has their expertise, but also their blind spots. CISOs need people who understand the real world and its nuances, know the angles and motivations, and have the analytical mind to anticipate the next attack vector. Your morning read on world events is as valuable as anything else when it comes to understanding security risks.
There is also a need for segmentation and specialization. Protecting a smart city or transit system requires a deep knowledge not just of IT, but also the physical systems, the train tracks and stoplights, the industries and people who rely on that infrastructure, and the business processes that keep it moving.
Consider crypto-currencies. You may have a systems architect on staff who understands Blockchain inside and out. But does she understand world currencies, the markets for trading them, each country’s position on them, and how that affects the financial industry? Can you really understand all of the threats to a crypto-currency system unless your team has that kind of holistic view?
What we’re talking about here is flipping this discipline on its head. Yes, you still need an analyst who can find the needle in the haystack of a security technology, but no longer will we lead with controls.
Instead, we’ll contextualize our assets within the broader landscape. Then we’ll figure out the origins of the next threat. And from there, we’ll build controls as targeted and sophisticated as the attacks.
So for students who want to become cybersecurity professionals: It’s not just about IT and controls anymore. The more you read about what’s going on in the world, the more you understand about specific industries, about how business models are changing, the more effective you’ll be. The knowledge you gain in this world of security, none of it is throwaway.
And for potential candidates today, what’s my biggest recruiting pitch today?
This shit is fun.