This article is in response to an article recently published on ITSPmagazine: Stuck in Cybersecurity Hell? Professional Education Is the Only Way Out by Howard Shrobe.
Please note that my post that follows here does not reflect the viewpoints of my employer.
I have the utmost respect for Mr. Shrobe. After reading his article, I wanted to share some alternative viewpoints from the perspective of a practitioner and a student of the discipline.
I am a security engineer and have worked in tech, critical infrastructure, retail, and insurance defense industries. My response is not an argument against higher education. In fact, I am currently a graduate student finishing up my M.S. in Cybersecurity. Not only do I advocate formal education, but I also encourage anyone who will listen to be a lifelong learner.
However, I respectfully disagree that professional education is the only way out of the cybersecurity hell we find ourselves in.
The assumption that education is the only way out ignores the realities of:
- The many security staffs that lack the power to effect change
- Current business approaches toward cyber
- The complexities of borderless networks
- Hybrid environments and legacy systems
- Public policy attitudes about the importance of cybersecurity
...just to name a few.
Allow me to explain.
Security Is Optional, Not Mandatory
Businesses continue to relegate security to an option instead of a priority that gets correlated with profit and loss. In fact, over 90% of executives who responded to a 2016 Goldsmiths survey said they cannot read a cybersecurity report, and 40% reported feeling that they are not responsible for their companies being hacked.
Despite breaches dominating headlines for the last several years, many companies, from global enterprises to small businesses, have one-person security teams, insufficient staff, or none at all.
Retailers are especially notorious for overworked and understaffed security teams, if they have any at all. Profit margins are historically low, so it is not uncommon for the network engineer to also be the security administrator, analyst, architect, auditor, manager, and all-around Swiss Army knife, with the unrealistic expectation of protecting all the IP-enabled things.
Security Is Compliance Driven
Many executives take the gamble of accepting the risk of a breach because it is cheaper to operate with minimal security than to invest millions of dollars in systems that have been neglected for years, sometimes decades.
Result: cyber has been, and continues to be, a "check the box to get the compliance team off my back" exercise. While the public may be shocked to hear this, those of us in the profession see it every day.
Yes, every day.
The Automation Myth
Retail is not unique in treating security as the red-headed stepchild that no one wants to claim. Companies that we rely on every day view cyber as an option that can be dealt with at a later, undetermined date. Even the ones that invest in next-generation tools neglect to invest in the people and processes to manage those tools because "automation". They fail to appreciate the care and feeding required for the tools they purchase, so the tech is partially implemented and/or not deployed in a way that provides the telemetry required to be effective.
But pretty dashboards, so yay!
Cheap Foreign Labor
Companies have outsourced large portions of their IT systems management to cheap foreign labor, with people sitting in different time zones all over the globe. Do you have any idea how difficult it is to manage security across multiple service providers?
They've also opted for the more cost-effective approach of allowing BYOD, so unmanaged, unsecured devices have access to many of the networks we assume are protected.
But we have the perception of cost savings, yay!
The Academic, Private/Public Sector Disconnect
There's a huge disconnect between academia and the private and public sectors. I cannot speak for all universities, but from my experience and conversations with students at other schools, the universities tend to be vendor-agnostic. Therefore, the students are learning using open source tools instead of the tools found in enterprises.
So when they come out of school, they are not equipped with the technical skills that companies want. Students do gain a lot of other valuable skills, such as research, presentation, and tool-related context. However, I believe this is a missed opportunity between vendors and universities.
With so many security products available, I can certainly understand the rationale for being vendor-agnostic. BUT that does not change the fact that opportunities are being missed here.
Cyber Being Taught by Non-Practitioners
My biggest beef with academia: students are learning cyber from people who have never spent a day of their lives in a security role. Nobody hires a chef to teach a medical student how to save lives. Some of these InfoSec students will end up working in hospitals and utility companies where they could have a direct impact on decisions that save lives. Therefore, academia needs to approach security education with the level of seriousness that would be afforded to other fields that can affect people's lives.
It's 2017, and there's still no minimum cybersecurity baseline that ALL companies must adhere to or face a regulatory penalty stiff enough to force action.
PCI DSS is a contractual industry standard enforced by the card brands, not a law; it basically lets the payment card industry police itself.
SOX focuses on certain controls over financial reporting; any cyber protection is a nice-to-have byproduct of those controls, and it does not govern other organizational data. Clearly, cyber protection is not its intent.
NERC CIP has standards that are open to interpretation.
To date, most of the companies that have experienced breaches have returned to business as usual. Meanwhile, the new administration asked for a cyber miracle and we haven’t heard much about it since.
Tripwire conducted a survey at the 2017 RSA Conference and found that “only 17 percent of security professionals are confident in the U.S. government's ability to protect itself from cyberattacks this year”.
Security requires top-down leadership. Where art thou, leadership?
So let’s recap some of the hurdles:
- Companies lack security staff and budgets
- Cyber is a check-the-box audit exercise
- Perceived automation = unmanaged security tools
- Service providers with staff and unmanaged assets spread across the globe
- BYOD is common in corporate environments
- People with no IT background are teaching cyber
- Top-down cyber leadership is missing in action
All the training in the world will not make a difference if the organizations do not prioritize security and place appropriate value on attracting/retaining the best staff. Likewise, all efforts will fall short without the ability to identify and secure (or isolate) the assets that connect to the network.
Professional education will certainly help, but is not the only way to get us out of this hell. I’d argue that it won’t even get us to purgatory.
However, I do have 5 simple and straightforward solutions (plus a bonus) that I believe will get us at least to the cyber highway out of hell:
1. Boards: Take Blinders and Ear Protectors Off
Cyber is messy, complex, headache inducing, and a buzz killer. We get it; we do this for a living. However, the only way we will ever get true commitment to security, and the funding to make a difference, is by the Board of Directors making it a priority. Do not settle for the CEO's word on risks that he/she may not fully understand. Do not settle for the CIO's word because...see next section. Have a trusted cybersecurity professional on the Board to communicate the TRUTH about the level of risk to the bottom line, in dollars and cents.
2. Stop Letting Security Report to the CIO: Conflict of Interest Officer
The CIO's job is to increase shareholder value through efficient and competitive use of technology. Their bonuses are often tied to the ROI of the company's IT expenditures.
Let's explore a typical scenario: Mr. CIO has a $10 million budget. He can:
A) Spend the $10 million on apps or acquisitions with a clear line of sight to generating $15 million back, with a 20% bonus potential on the $5 million profit = $1 million cash/stock bonus.
B) Spend the $10 million on security staff and tools to protect the company, which will not necessarily translate into profits, or into a bonus to pay for that new Porsche he saw last weekend at the car show, or the beach house.
CIOs are humans and (most) humans are greedy.
This is a direct conflict of interest and why security should not report to the CIO. The end.
3. Cyber Flight Upgrade: From Storage Under Airplanes to 1st Class Seating
Hire a CISO or CSO, whatever term tickles your fancy, and have him/her report directly to the CEO and the Board of Directors. No middleman: the security leader reports directly to the people who approve budgets and are accountable to shareholders.
4. Invite Diversity of Thought to Dinner Next Week
This is for academic, public, and private partnerships. Seriously, talk to each other. Have your people call their people today to make dinner reservations for next week. Academia needs to stop building programs without industry practitioners who understand the challenges facing private industry. Likewise, the people directing the NSA/DHS Centers of Academic Excellence programs need to stop building programs as though everyone who completes those degrees will work in the government. They won't, because the private sector pays better and some of us do not live near public sector jobs.
And please, whatever you do, make sure everyone at the table does NOT look like you. I realize that may be an uncomfortable request, but true diversity of thought requires just that.
5. Academia: Offer Competitive Compensation to PRACTITIONERS!
Why are you offering your cybersecurity instructors the same salary as English 101 teachers? Just why? The English teacher, while his/her job is important, will not be tasked with teaching students to defend the network that controls electricity and gas to your house. Or the life support machines at hospitals. Or the dams that protect communities. Or the water systems that provide clean water. Or the access to your bank account so you can swipe your card and feed your family. Or our nation against adversaries that seek to harm our way of life.
Guess who will do this work? Cybersecurity professionals.
Therefore, the people who teach them should be compensated appropriately. You will never attract and retain talent with the existing pay structure.
Please fix it.
6. Bonus: Mandate That Every Company Have Cyber Talent on the Board of Directors
Dear Senate Leaders currently debating S. 536, otherwise known as the Cybersecurity Disclosure Act of 2017, which would require publicly traded companies to disclose whether their boards have cybersecurity expertise: JUST DO IT!
There’s certainly value in formal education; however, it is not the only way to fix the issues facing the industry.
I am in total agreement with Mr. Shrobe's view, as captured in his article, that 2FA, secure architectures, built-in product security, and industry architectural principles are needed. Ongoing training is necessary too. However, we need to address the fundamentals first.
Security requires top down leadership, academic/public/private sector partnerships, and diversity of thought.
The 5 solutions (and the bonus) presented above might get us to the highway out of cybersecurity hell. Let's just hope that IP-enabled teddy bears and toasters don't turn on us before we get there.
About Keirsten Brager
Keirsten Brager, CISSP, CASP is the founder of hiddencyberfigures.com. This personal project is dedicated to increasing the number of women in cyber by mentoring & sharing success stories in her demographic. She's a security engineer by day, cybersecurity graduate student, CompTIA exam developer, and public speaker.