[BreachExchange] Cyber Expert Shortage Leaves Networks Vulnerable

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 18 18:17:10 EST 2018


A quick glimpse at any of the real-time digital attack maps can be enough
to make even those familiar with cybersecurity slam their laptops shut.

On one recent day, Russia, Germany, Vietnam and the U.S. together saw at
least 4 million new computer infections within their borders. The same day,
distributed denial of service (DDoS) attacks flowed through the world's
internet pipes at more than 500 billion bits per second.

Single-day snapshots barely hint at the dynamics of risk to infrastructure
and other critical systems imposed by hackers. But the danger isn’t all
that keeps corporate and government security chiefs up at night — rather,
it’s the lack of people with the necessary skills to manage that risk
adequately that proves more troublesome.

One report predicts this shortfall will reach more than 3.5 million
unfilled cybersecurity jobs by 2021. The skills gap is already having major
repercussions on organizations entrusted with sensitive data or critical

Warm Bodies Needed

Without knowing the specifics of each network breach — information that is
closely guarded by victimized organizations — it’s hard to know just how
much unfilled posts and underqualified workers contribute to major events.
But the constant drumbeat of successful intrusions — ones that resulted in
the stolen data of about 57 million users of ride-hailing app Uber, 143
million hacked records from credit-rating agency Equifax and 3 billion
swiped Yahoo user accounts — sounds like a systemic malady inside
cybersecurity operations. The talent shortage is widely believed to be part
of the problem.

Frederick R. Chang, executive director of Southern Methodist University’s
Darwin Deason Institute for Cyber Security, told a U.S. House of
Representatives subcommittee that a lack of qualified personnel is making
network intrusions all too common.

“An image that comes to mind is from the child's game of whack-a-mole,”
Chang said. “Cyber defenders within an enterprise are stretched too thin,
quickly moving from issue to issue in an effort to keep their networks

Michael F. Ahern, director of corporate and professional education at the
Worcester Polytechnic Institute (WPI), agrees. His team has been creating
cybersecurity training programs for several critical industries. “I was an
engineer in the power industry for 30 years, and I know that some of these
companies are being attacked thousands of times a day,” Ahern said. “There
are not enough cybersecurity workers at a time when the trend is that more
and more hacks are successful.”

There is plenty of evidence to back that assertion. A global study
published in November 2017 asked 343 professionals about the effect of
labor pool shortages, their organizations’ practices and the discipline’s
status in general. They ranked staff shortages as one of the top
contributors to network breaches.

Seventy percent of respondents said the gap has already impacted their
organization. The skills most critically lacking in candidates included
security analysis and investigations, application security and cloud
computing security.

This shortage of adequately trained staff “represents an existential threat
to our national security,” said report author Jon Oltsik, a senior
principal analyst at ESG. “And the implications of the skills shortage are
becoming more pervasive and ominous.”

A Job Seeker’s Paradise

The demand for cybersecurity experts might be reduced through automation.
Machine learning appears particularly promising. But even if it pans out,
it will only mitigate the problem.

If you’re a qualified job candidate, career options abound. For you, the
future is rosy. If, on the other hand, you need to fill critical roles in
cybersecurity, the outlook is grim, if not dire.

Analyzing data from October 2016 through September 2017, job market tool
CyberSeek found a dangerously shallow talent pool. More than 285,000
vacancies were unfilled during that period. (And only 746,858 people made
up the cybersecurity workforce.) Some places like Washington, D.C.,
Delaware and Colorado were acutely short of workers; supply in the nation
as a whole was classified as very low.

To broaden the talent pool, some companies and government agencies are
retraining employees. Some are partnering with universities to expand the
cybersecurity pipeline, even recruiting from fields not typically
associated with cybersecurity. Engineers are particularly well suited.
Their retraining as cyber experts may take as few as 16 hours of classroom

A big obstacle to attracting new blood in the field, though, according to
WPI’s Ahern, is the misperception that computer science is impenetrable
except to the geekiest of geeks. Nothing could be more wrong, according to
Ahern. “This stuff can be learned. It just requires a candidate to be
curious about computers,” he said.

Market conditions are adding financial incentives to those wading into the
labor pool. The U.S. Bureau of Labor Statistics reports that unmet demand
for information security analysts has driven the median annual salary to
more than $92,000.

Multiple sources will have to be tapped to fill the void. An adequately
staffed workforce will require young new talent from training programs and
specialists who can be diverted from other fields.

“Cybersecurity is a young field, and it has to learn fast how to stay ahead
of threats,” said Ahern, “because hackers are learning just as fast.”