
Careers & People

9/16/2020
10:00 AM
Simone Petrella
Commentary

Cybersecurity Bounces Back, but Talent Still Absent

While the demand for cybersecurity talent rebounds, organizations will need to focus on cyber-enabled roles to fill immediate skills gaps.

Leave it to a global pandemic to disrupt industries many of us have assumed to be stalwart. Companies fortunate enough not to traffic in hard goods are realizing they can survive (and cut significant costs) by moving to work-from-home workforces. This shift, with an estimated 62% of the workforce now working from home, demonstrates the increased need in hiring for cybersecurity personnel required to manage these new business models. At first, this sounds great for the resilience of the cybersecurity sector — but this means the already existent skills shortage for security professionals is about to get a lot worse.


The result is that the lines between what have been considered "pure" cybersecurity roles and, well, everything else are becoming blurred. A recent (ISC)² survey shows that many security professionals are being leveraged to support general IT requirements to accommodate different needs for work at home amid the pandemic. That makes sense. Companies need to have the infrastructure in place to support these new remote workers logging in from their home ISPs while also ensuring the security of sensitive data and intellectual property.

Enter the Cyber-Enabled Workforce
According to a Ponemon study, 88% of employees said their jobs require them to access and use proprietary information such as customer data, contact lists, employee records, confidential business documents, or other sensitive data. Based on this projection, the cyber-enabled workforce within the United States exceeds 75 million personnel, and that number could be significantly larger if it included companies of fewer than 100 employees.

For example, threat hunting is a critical cyber role in many companies. But the personnel required is relatively small compared with the other defense and security functions in the organization. And even smaller relative to IT, network, and cloud roles.

The biggest role needs in security teams are, in fact, not what we would traditionally classify as cybersecurity roles — they're cyber-enabled roles. A cyber-enabled employee should have an above-average understanding of cybersecurity, but does not need the breadth and depth of knowledge that a dedicated cybersecurity practitioner has.

Information Technology
The most common cyber-enabled roles are in IT and are relevant to organizations of all sizes, not just limited to large enterprises with mature cybersecurity teams.

  • Network architecture: Designing and deploying a computer network is a traditional IT role that increasingly requires a solid understanding of security to ensure corporate systems are configured securely and reduce the risk of external attacks.

  • Cloud architecture and deployment: The move to the cloud has created a similar role for cloud-based networks, their design, and their security.

  • Identity and access management: Solutions that verify and authenticate users on a network must be deployed in a way that still complies with organizational security requirements and minimizes data loss.

Software Development
Security development and DevSecOps have been reigning buzzwords for a few years. Whether you believe that developers need to acquire security experience or security practitioners need to learn to write code, most organizations have made a direct effort to infuse cybersecurity best practices into each stage of the software development life cycle (SDLC), rather than after the finished product is released.

  • Application software developers: Computer and mobile applications are used by corporate and individual consumers for all kinds of things (cars, video games, online shopping, social media, you name it). Not only does that mean an application developer needs to understand users' needs to design and write the code to create a solution, but also do so securely to minimize the risk of data or code within the application being stolen or hijacked.

  • Systems software developers: These professionals create operating systems-level software, more geared towards designing enterprise solutions (medical, industrial, military, business, etc.). The industry focus of their work makes it imperative that these systems are designed securely to minimize vulnerabilities.

Governance, Risk, and Compliance (GRC)
GRC team members are also considered cyber-enabled based on their need to understand all areas of the organization that could present meaningful risk. In this light, their understanding of cyber-risk needs to go well beyond traditional awareness training.

  • Risk manager: A traditional risk analyst or manager examines a series of activities or initiatives and analyzes the risk involved in those associated decisions. Given almost every action and activity in business today takes place over a network or technology system, knowledge of cybersecurity is imperative to appropriately apply it to the decision-making process.

  • GRC analysts: Policies, processes, and controls are necessary parts of all businesses. Cybersecurity is no exception, and there's growing demand for people with regulatory and business backgrounds to apply that knowledge in the development of security GRC programs.

  • Privacy analysts: Since most organizations store data on computer networks and databases, a privacy analyst needs to understand those systems and applications in addition to business processes and the privacy regulations of specific industries.

Healthcare Professionals and Medical Device Professionals
Healthcare organizations employ large numbers of employees that manage or have access to sensitive data and medical devices on a day-to-day basis. Compared with other industries, such as financial services, healthcare organizations do not as frequently create discrete cybersecurity positions and are more likely to create cyber-enabled roles. 

  • Data security administrator/analysts: Ensuring that information, and in particular protected health information, is properly handled and stored is a priority for healthcare organizations. Preventing data security violations, especially those protected by HIPAA, GDPR, and a growing number of other regulations, is a primary business concern for the healthcare sector. 

  • Clinical engineers: As medical devices become increasingly connected (by 2025, it's estimated 68% will be connected to the Internet), there's an even greater need for security given the sensitivity of health data. And that's not a traditional security role — that's often the engineers building the devices, although medical device manufacturers have a critical role when it comes to cybersecurity as well.  

It's About the Skills, Not the Roles
While these lines between security and other jobs are blurred, there's a secondary shift in play (also thanks to COVID-19): Our traditional education model has been turned on its head. Degree programs are costly and not turning out job-ready graduates. The market, students and employers alike, is now considering faster, more cost-effective, and efficient ways to align talent to job requirements. And this isn't specific to the private sector. The White House issued an executive order on June 26 that directs the federal government to de-emphasize degree requirements and instead focus on skill, competency, and knowledge.

Companies also need to invest in their workforce strategies and training instead of relying on the external market. It's important to create, tailor, and deliver upskilling solutions to employers based on their unique workforce requirements and roles. That means a need for modular, skill-focused education that allows employees to acquire new knowledge in shorter chunks of time without sacrificing workplace productivity. Once an employer has defined the roles in its own organization, it can be more discriminating in selecting and deploying upskilling strategies.

A skills-based approach provides an efficient way to upskill and prepare for the cyber-enabled jobs of the future (and today) without leaving positions unfilled or waiting for a pipeline of candidates through lengthy degree programs. Skills are transferable from position to position and are cumulative, meaning the workforce of the future will be more likely to have cybersecurity knowledge and abilities despite not being in a cybersecurity position.

Simone is chief executive officer at CyberVista where she leads product development and delivery of cybersecurity training and education curriculums as well as workforce initiatives for executives, cyber practitioners, and continuing education. Previously, Simone was a senior ...
Comments
tdsan (User Rank: Ninja), 9/18/2020 5:22:22 PM
Interesting commentary
Thank you for sharing, but it is going to take time to move from a degree based paradigm to a skilled based one. If that is the case, then we might as well hire hackers and bring them in to address some of our "DevSecOps" (not sure why they changed it because DevOps was the start, SecDev is a group in the military and Dev - Development, Sec - Security, Ops -Operations, shouldn't it be SecDevOps since the primary concern is to infuse Security with the already Application design framework, but I digress).

Also, there is a thing called morality, having skills without understanding the consequences would be catastrophic for a business, (Paige Thompson - Capital One Hack). We need people who have a high moral fiber while at the same time they are skilled in the IT arena.

In addition, one thing we are leaving out is racism in the IT business sector. Not just white America, but there are a large number of Indian companies who are looking only to place their own people. There have been numerous interviews where the interviewer was looking for a solution instead of hiring a person not from their origin (India). In addition, there have been instances where people from India make calls, ask the person to interview, they interview, do well and nothing comes from it. In the background, they have decided to move someone in a position who makes less money, they ask you to train them and then they move you out because of differences.

The commentary sounds good, but the problem is that we have human traits that go beyond the workplace. Just ask yourself, when you walk into the conference room or lunch room. Look at the people and their likeness, people tend to gravitate to people who look like them, that also translates to the boardroom and in HR. In addition, it is going to take time to change that paradigm, look at Black Lives Matter, this same argument has been going on for years and all they want is to be treated equally and not shot at a police stop.

It is sad, but it happens. I don't think there is a lack of talent, I just think people need to take off their blinders and take a careful look at themselves before making a decision to hire someone who does not look like them.

T