Saturday, August 20, 2016

So You Think You Can Cyber?

With a new school year looming, students ask themselves, "What do I want to do for a living?" Several summer interns at my day job and elsewhere have asked me about the information security field. The top question has been consistent, which means it's time for a new blog post!

Why is cyber security such a hot field now?

It's a byproduct of the accessibility of Internet connectivity and the proliferation of connected devices. Twenty years ago, only the biggest companies and governments had the bandwidth, literally and figuratively. As ecommerce caught on, crime quickly followed. It started with the curious, the attention-seekers, and espionage. By the early 2000s, financially motivated attackers emerged with the rise of online banking. Malware spread through email, attacking both corporations and consumers by impersonation (e.g. Zeus), while laws and defenses scrambled to catch up. Then came exploit kits, which up-leveled the scale of attacks, leading to an explosion of criminal activity. Skilled information security analysts, digital forensics investigators, and vulnerability analysts (pentesters) were in short supply. The technologies needed to combat the threats either didn't exist or came at high cost. "Information security" was a checkbox on audit reports for regulated industries and payment card processors, one that auditors themselves didn't fully understand or appreciate, which meant they could be easily satisfied by incomplete or vague responses. While the industry struggled to define itself, the demand for highly skilled and experienced workers grew - too few people and too few products/services to fill a fast-growing field. The inevitable happened. Breaches became more common, with increasing impact. Heartland and TJX proved to the criminals that they only needed to be right once, while the defenders had to be diligent 100% of the time. Thus the odds were in favor of the bad guys. In the last 5 years, the number of significant breaches and the huge dollar losses made their way into the mainstream press, which brought cyber security issues into the common vernacular (at last).

As pointed out above, defenses need to be effective all the time, which requires a highly skilled workforce with a depth of technical knowledge, problem-solving skills, and legal awareness (particularly for incident responders and forensics specialists), along with the commitment to continuously maintain that knowledge and those skills. Add to the mix soft skills like grace under pressure, non-linear critical thinking, and, one that's often overlooked but absolutely essential, playing well with others. The attack surface grows constantly and crosses operating systems, devices, platforms, and programming languages, while the threats constantly grow and shift, encompassing script kiddies, hacktivists, fraudsters, organized crime and nation state attackers. One need only look at a Target or Sony situation to understand the risk of taking shortcuts on security technologies and practitioners. There's no such thing as a "set and forget" security product or service - all security solutions require people who understand the threats and the technologies in order to maintain the products and services, which all require tuning to each organization's specific needs along with constant care and feeding to maintain effective vigilance. To stay on top of this ever-growing, ever-shifting landscape, we need a steady flow of new talent coming into the field, and there just isn't enough of it. Meanwhile, experienced practitioners are hopping around from company to company because we're being chased by staffing recruiters dangling big paychecks literally every day. There's also a high degree of burnout because of the stress. So, it's basically a matter of supply and demand. There just aren't enough workers to fill the more than 1 million job openings (see http://www.forbes.com/sites/stevemorgan/2016/01/02/one-million-cybersecurity-job-openings-in-2016/#63aa9ec37d27). Folks in the industry are trying to change this through outreach at all levels of learning, from the grade-school level up to advanced degree programs.

So, do you think you can cyber?