To Improve Security, We Must Focus on Its People

New technology can help cybersecurity bridge the talent gap, but tech won't do much without people to operate it.

RSA CONFERENCE 2019 – San Francisco – It's no secret cybersecurity has a people problem. Businesses struggle to find and retain talent, and they're competing to hire the most skilled professionals. Still, burnout puts them at risk of losing those valuable employees.

The industry will be short an estimated 3 million people within the next two years, said Ann Johnson, Microsoft corporate vice president of cybersecurity, in her RSA Conference keynote. Seventy percent of IT employers say they face a moderate to extreme shortage in IT experts.

What's more, she continued, work-related stress is causing 66% of IT professionals to seek employment elsewhere. Of those, 51% would take a pay cut in exchange for less stressful work. Technology can help solve these problems, but not if we don't improve the focus on people.

"We must come together as an industry to address the major gaps we have," said Johnson, noting how in addition to growing its talent pool, cybersecurity is challenged to diversify it as well. "If we do nothing to address these gaps, it will impact every single one of us in our everyday lives. We have the skills, we have the technology ... we must have the will."

Diversity and inclusivity go beyond gender, ethnicity, and race, she added, and security will benefit if we encourage additional ideas, capabilities, and backgrounds to help solve industrywide problems. "Educational background, social background, there's a lot of things that make up diversity," Johnson explained in an interview with Dark Reading.

We must focus on the power of people to improve security, she continued, pointing to initiatives inside and outside Microsoft to bring more people and skills into the industry. As part of the Security Advisor Alliance, for example, the company partners with junior-high and high-school students to educate them on security principles, capture-the-flag exercises, and employment.

Another example is the Microsoft Cybersecurity Professional Program, which teaches students 10 skills over 10 courses ranging from Enterprise Security Fundamentals, to PowerShell Security, to Microsoft Azure Security Services. Johnson also spoke about the Microsoft Academy for College Hires (MACH), which pairs undergrad and MBA students with employees to train them in various disciplines; Johnson noted some worked with her incident response team.

Working with students has taught valuable lessons in how future generations will learn, she said. In working with middle- and high-schoolers, for instance, experts found games helped engage students. "Gamification is important; making it fun is important," she added. Gen Z is "truly digital native" and prefers instant communication.

Johnson also emphasized the importance of bringing new skills into the industry. "Businesses have a fixed mindset around the type of people they want enrolled," she noted. Cybersecurity job descriptions demand a STEM degree, three years of coding, and other technical qualities.

"We're not going to solve for our talent shortage if we only hire the person who fits this tiny, tiny little profile," she said. "Businesses have to think differently about how they bring people in cyber."

Mental Health: It's Time to Talk About It

If security jobs remain unfilled, defenders will burn out, Johnson warned. "These folks are first responders, but we don't treat them like that." Security pros in different parts of an organization may be working around the clock when an event strikes or have to fly somewhere with little notice to help with incident response.

For CISOs and their teams, the stress level is always high, she added. If we want to empower people and amplify human capacity, we must consider the mental health of first-line defenders, she said. Mounting stress on defenders leads to more mistakes the longer an attack goes on.

Microsoft recently conducted its first "personal resilience training," a program designed to train people on how to handle stressful environments, which received a positive response among participants, she added. "We must protect the mental health of our cyber defenders," Johnson said.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

3/8/2019 | 1:58:34 PM
Recruiting through Education
I always think that High School courses just test aptitude and not really application. Due to this, many of the courses being taught are antiquated and underutilized in the "real" world. Higher education has already started to implement technology and even information security focused curriculum but I think by that time it is already too late because youth have been enticed by other vocation potentials.

If instead we started in high school to teach about information technologies, how they function and how to secure them it might draw more interest to an impressionable mind. Also, with the benefits that these fields offer based on the current landscape of low enrollment should definitely entice individuals to say that this is more than a viable option for pursuit.