Preparing for unknown factors in cybersecurity

Government is facing a shortage in cybersecurity skills, but the risk is complicated by unknown future threats, says Alain Penel of Fortinet

By Alain Penel. Published December 5, 2016

There is a known crisis in cybersecurity: a massive shortfall in qualified and trained security professionals. There is also an unknown solution to this crisis. Why? The broad and growing scope of the challenge requires a corresponding broadening of skill sets that are both known and unknown.

Multiple studies identify the cybersecurity labour shortage and illustrate the drastic need for more experts, especially in the public sector. In a 451 Research study of more than 1,000 IT professionals, security managers reported significant obstacles in implementing desired security projects due to lack of staff expertise (34.5%) and inadequate staffing (26.4%). As recently as July 2016, the US Federal government issued a memorandum discussing how it was attempting to address recruitment challenges for the Federal cybersecurity workforce.

There was a point in time when the public sector could attract qualified staff with the promise of stability and benefit packages. This is not the case today, nor is this just a public sector challenge. Private companies are also feeling the talent shortfall, but these companies can often offer better compensation packages than the public sector.

Unfortunately, the problem is not limited to competition for resources. The real cybersecurity challenge is the unknown.

Former US Secretary of Defense Donald Rumsfeld coined the phrase fourteen years ago in a Department of Defense briefing: “There are ‘known knowns’. These are the things that we know. There are ‘known unknowns’. That is to say, there are things that we know we don’t know. But there are also ‘unknown unknowns’. These are things we don’t know we don’t know.”

The known knowns and known unknowns represent the current status of the cybersecurity industry. Unfortunately, attack methods and breaching techniques are constantly evolving. This means that finding the talent to overcome present challenges is only part of the solution. Sure, we know the tried-and-true breach methods. But what about the attacks we don’t yet know? If the method is unknown, then so is the required response. The talent shortfall, therefore, is about much more than just a limited technical pool.

Cybersecurity: History repeating itself

During the 1960s, there was a push to interconnect computer systems. But even at that time, concerns were raised about security and data protection. However, these concerns were disregarded in order to focus on connectivity. This same focus continues today. Ease of connectivity first, security later. The reality, though, is that the two are intertwined. Connectivity and security must be coordinated together and be able to scale equally. Data without protection is unreliable and dangerous. Security without data is an empty bank vault. The balancing of this yin and yang is the ultimate goal.

Though connectivity was the initial focus, today cybersecurity has assumed greater importance. This new prioritization is critical as we continue to encounter cybersecurity’s unknowns. To avoid history repeating itself, this cultural shift needs to flourish, because defective, altered, manipulated, compromised or breached data nullifies the benefits of connectivity. This will therefore require growth in the security talent pool and a broader definition of the talents required for that pool. Fortunately, government agencies are helping to build talent through organisations such as the National Initiative for Cybersecurity Education (NICE), but work remains.

Cybersecurity: Now hiring

The financial services and healthcare industries, and the sensitive personal data that they hold, have been a main target for attack by cybercriminals in recent years. While these industries are bearing the brunt of current attacks, research shows this will soon change. Fortinet’s recent Cyber Threat Assessment Program (CTAP) report showed that manufacturing is likely to be the next industry specifically targeted by ransomware.

Manufacturing’s quest is greater efficiency, often achieved through greater automation. Automation, however, brings greater exposure to cyber compromise. This same concern extends to the supply systems supporting these manufacturing developments, such as transportation.

For example, automation of the manufacturing floors substantially increases targets for attack because the manufacturing sector’s success is built upon hitting delivery timetables; it cannot afford the massive negative effects of a disruptive attack. Transportation systems supporting manufacturing, commuting, or leisure travel operate in a similar fashion. Most are controlled by computers, with the assistance of humans. Successful attacks on any part of these systems have cascading, not isolated, consequences. System defences must address the known attack methods, but also anticipate the unknown.

These concerns are not limited to the private sector. When we take a look at government agencies’ needs, there is not a single sector that requires a more robust cybersecurity workforce. Government agencies are responsible for various systems and infrastructures that support the critical infrastructures mentioned above. Homeland security therefore always incorporates the risks to our critical infrastructures — from roadways to transportation systems to manufacturing and beyond. Incapacitation or destruction of any of these homeland segments would have a debilitating effect on security, public safety and the economy. Technology alone can’t protect these systems because the threat is not just technical. In order to fully protect these critical infrastructures, we need skilled cybersecurity professionals in a wide array of competencies to protect against the known and the unknown.

Knowing the known to uncover the unknown

While the workforce shortfall is one we cannot ignore, the question becomes, ‘How do those entering the cybersecurity field know what tools and skill sets they need?’ Here are four key capabilities that those entering the cybersecurity field should have in their knowledge toolbox:

• Understanding: A basic understanding of how IT messaging works is foundational in any cybersecurity position. Knowing how programs exchange messages, and what data or information is included in those messages, is paramount for cybersecurity professionals.

• Human Nature: The common misconception within IT is that you only need to know how technology works. This is contrary to the world in which we live. Sure, understanding how technology works is necessary, but what is more important is having an understanding of the people using the technology. Knowing human nature, and the characteristics of those using the technology, will provide a better understanding of how preventable breaches, such as email phishing attacks, are still able to overcome technology barriers and infiltrate networks.

• Lock & Key: When you think of how much of our personal information resides in digital form, cyber threats become more personal. From banking to healthcare to our taxes, all are for the most part done online or in digital form. These are the known knowns. We know the type of data and we know it is at risk, but without skilled professionals prepared to keep this data protected, all of our online information can be compromised and held hostage. We must apply the key learnings from these knowns to mitigate and to block future unknown threats.

• Education is Power: Through the National Initiative for Cybersecurity Education (NICE) program, the US Federal Government is taking steps to establish an ecosystem of cybersecurity education, training, and workforce development across the public and private sectors. Keeping up to date with NICE’s recommendations and similar best practices and baselines will help cybersecurity professionals and their employers to stay one step ahead.

Solving the known unknowns and the unknown unknowns of tomorrow requires educating, building and reinforcing our cybersecurity talent pool. While there are many unknowns on the horizon, what we do know is that cybersecurity will continue to remain a hot topic. We need an expanded, skilled cybersecurity workforce today to protect against the unknown threats of tomorrow.

Alain Penel is Regional Vice President – Middle East, Fortinet.

