
News & Commentary

3/6/2015
10:30 AM
Tsion Gonen
Commentary

Does Hollywood Have The Answer To The Security Skills Question?

The Oscar-winning biopic about famed WWII cryptanalyst Alan Turing -- the father of modern computing -- was long overdue. But a lot more needs to be done to inspire the next generation of computer scientists.

For better or worse, films tend to be a prism through which we can view the values and topics that interest our society. So I think it’s a positive trend that two of the biggest blockbuster releases of 2014 gave cybersecurity the Hollywood treatment.

The more modern setting was found in the movie Blackhat, starring People Magazine’s reigning “Sexiest Man Alive,” Chris Hemsworth, as a convicted hacker working with American and Chinese agencies to capture a cyber-criminal who was attempting to cripple the international banking network. Sure, we can raise an eyebrow at the casting of Thor as a cyber-genius with firearms training, but there’s a bigger picture at play here.

[For InfoSec professionals, the truth is much more interesting than the fiction portrayed in Blackhat, The Movie: Good, Bad & Ridiculous]

The Academy of Motion Picture Arts and Sciences has looked even more favorably on the Internet’s “sexiest man alive,” Benedict Cumberbatch, for his portrayal of Alan Turing, the father of modern computing. In The Imitation Game, which garnered eight Oscar nominations, including Best Picture, and a win for Best Adapted Screenplay, Cumberbatch plays the WWII hero and cryptanalyst who successfully led the British effort to decode the German military’s Enigma encryption machine. The cryptography and mathematics expertise that led to Turing’s code breaking is the stuff of legend, and sharing this story with the masses was long overdue.

So why is it significant that these two movies were made in the same year? While Hollywood studios tend to oversimplify security stories, they do know a thing or two about generating publicity. In the midst of a cybersecurity hiring crisis, compounded by a skills shortage, could these big-budget motion pictures renew interest in Science, Technology, Engineering and Mathematics (STEM) education and create the next Turing or the next generation of white-hat hackers?

It’s no big secret that one of the biggest problems facing the cybersecurity industry is that it is nearly impossible to keep pace with the growing volume and complexity of cyber-attacks launched by covert foreign government agencies, organized crime syndicates, and hacktivists. Exacerbating this problem is the fact that fewer students are interested in computer science.

Look at the numbers: According to ISACA’s 2015 Global Cybersecurity Status Report, a global survey of more than 3,400 ISACA members in 129 countries, 86 percent of respondents see a global cybersecurity skills gap, and 92 percent of those planning to hire more cybersecurity professionals this year say they expect to have difficulty finding a skilled candidate.

The Bureau of Labor Statistics also projects a massive shortage in the IT workforce by 2020: There will be 1.4 million openings, but only 400,000 computer science graduates with the necessary skills to fill the positions.

Figures on the extent of the cybersecurity professional shortage differ, but reports estimate that the U.S. has only 1,000 top-class cyber pros across the private sector, the military, and the civilian government. By comparison, China has nearly 10 times that many trained cyber warriors, according to a 2013 USA Today op-ed by Alan Paller, founder of the SANS Institute cyber training school, and George Boggs, president emeritus of the American Association of Community Colleges.

So, in addition to hoping that Hollywood will help increase the sex appeal of cybersecurity careers, what else can be done to stoke the educational fires? Here are two steps I think are most important:

Step 1: Create an academic pipeline for cybersecurity experts, starting in grade school, not high school. More STEM investment, earlier, means there will be a better chance of creating the next Turing.

Step 2: Consistently define career opportunities for students, and help them understand the various kinds of roles that may be available to them: penetration testers, vulnerability researchers, malware researchers, forensic specialists, cryptography engineers, etc. Progress is being made on this front, including:

While simply throwing more manpower at cybersecurity may still not be enough, there was a lesson in what Turing created. He knew that in order to break the automated Enigma codes that changed daily, he would need to design a machine that could match that automation, because it would simply take too long for his human team to break them. Who knows where the next great mind will come from, and more importantly, what kind of technology one person may develop that could swing the cyber war in the good guys’ favor?

Tsion Gonen serves as Chief Strategy Officer for Gemalto's Identity and Data Protection Division. He is responsible for developing global business and product strategies, and identifying and capitalizing on emerging market trends within the information security market. Prior ... View Full Bio
Comments
ajones980, User Rank: Strategist
3/6/2015 | 11:10:12 AM
But who would be interested?
I don't know if there are any movie studios that would be at all interested in improving the uptake of InfoSec staff. Sure, you might say SONY, but they've repeatedly demonstrated a desire to cut security despite past breaches.
ODA155, User Rank: Ninja
3/6/2015 | 3:23:53 PM
Re: But who would be interested?
Personally, I'm still a little confused as to why everyone seems to think there's an issue with the skill level of information security professionals. I remember talking about this back in January (maybe); sure, everyone can use more education, but if you're trying to draw a line from all of the hack\break activity to infosec professionals and weak skills, I'd suggest looking at the corporate policy makers\enforcers instead. We as security professionals do not make the rules or determine what is most important to a company (unless they really want to hear it from us); no, we just take their requirements and figure out the best way to secure it, and usually it's not what we would recommend, but you play the hand you're dealt... besides, what's Hollywood going to do, make a movie about some heroic security guy\gal reviewing SIEM or AV logs... or cruising through security blogs trying to see what's happening, or arguing in a meeting with various business departments trying to explain why strong complex passwords are a necessity? Who'd want to see that? No, everyone wants to be a hacker... and even their depictions of that are over the top as well as unreal.
ajones980, User Rank: Strategist
3/6/2015 | 6:43:46 PM
Re: But who would be interested?
I'm not sure anyone's questioning the level of skill of existing InfoSec professionals (though I could point to a few who need some upping in that regard) - the bigger problem by far is a lack of numbers of skilled professionals. Any time you look for skilled security professionals, it takes a long time to find them, and there is intense competition for hiring them.
ODA155, User Rank: Ninja
3/6/2015 | 7:42:43 PM
Re: But who would be interested?
Of course it should take time to find and hire the right person and you should also expect to have competition for good people.

I think the so-called "lack of numbers" is due to companies looking for people who have experience in "everything", so to speak, and when you do find them, yes, it will cost you. I think the larger problem is companies do not want to pay what a person is worth based on his\her experience, but rather what Gartner or some internal HR guy thinks a skilled person may or should be worth. I also think that security has changed so much since the early 2000s, when outsourcing started and companies started cutting staff, and thus started the piling on of what a security person had to be responsible for and\or knowledgeable about. Add on to that compliance regulation... administration of security systems... technical writing; it's very easy to be pigeon-holed or caught up in a single area. I know guys who are basically stuck as firewall admins because that's all they know, because when they were trying to move on their companies threw more money at them to stay; they're making very good money doing that, but what happens when the company wants to hire someone younger... for them to train? I hear you and agree to a degree, but I believe that companies are making business decisions when hiring instead of trying to hire the right person available. And even when you can get someone from another company, they still need to learn your company, and that will take time, sometimes more than they may want to allow.

I was lucky in my career. When I retired from the military in '98, I went to community college to learn network administration, which I did until 2003, when I moved into security and got my CISSP. I learned audit, got my CISA, took as much training as I could get my company to pay for and as much as I could afford myself, then went back to school to get my BA in IT and some other security certs, like CEH and an Information Assurance (Security) Certificate. But I did that because I saw what was happening around me, not necessarily because I wanted to.

So maybe I am making your case for you somewhat, but I do believe companies need to invest more in developing people and not just poaching from another company.

Thanks for your comment, have a good one.
Joe Stanganelli, User Rank: Ninja
3/8/2015 | 11:30:26 PM
Or embellish
There's also embellishment and flat-out lying about how the Internet and technology works -- which is very popular in Hollywood. Remember that Sandra Bullock vehicle The Net 20 years ago? Back then, it was ridiculous from a tech standpoint.

(Now? Much, much less so.)
aws0513, User Rank: Ninja
3/9/2015 | 11:45:39 AM
The human wiring
No doubt, there is a shortage of people with IT skills worldwide.
This shortage impacts the IT security sector as well... if not more so.

Over the years, I have learned something that may be a contributing factor toward the IT resources shortage.
I have met many people who wanted to get into IT as a career, only to find out they just didn't make it as far as they had hoped. For a time I wondered why only a limited number of my peers seemed to be moving up in their careers while a larger number were stagnant, or had left the technical side of IT altogether.

One day I had an epiphany moment. I was attending a concert where there was a cello solo that was exceptional.
I had played the cello from grade school all the way through high school. I made it to second chair in my junior year through pure attrition. I stuck around long enough to get that chair.
The girl in the first chair was in my grade and started playing the cello the same year I did. We had the same instructors all the way through all of our schooling. But there was a marked difference. It was talent.
She played that cello as if it were like breathing. She made the cello make music in a way that I could only dream of. I was mechanical in my playing. I could read the music along with her, but she would make it sound almost perfect the first time, where I had to scrape at it a few times to get the music correct.

She had natural "wiring" in place that allowed her to have natural talent for playing the cello where I had only the interest.

In IT, I have seen this same model over and over again. Many people liked IT, but of those people I found that many did not have the talent, or were not driven to spend the time necessary to pick up the skills needed to be effective in an IT career.

Yes, most people have the capacity to learn IT skills, but few have the determination, and fewer still have the natural talent. (Funny thing is that I have also found a small number of people who didn't know they had the talent and only discovered it when I set them in a direction that deviated from their intended, self-driven course. But those were few.)

For IT security, the problem is amplified by the very characteristics that make some people excel at IT. IT has always been about problem solving. Puzzles wrought into numbers and then pumped through logic designed to solve the puzzle efficiently and effectively. For many aspects of IT security, this is great.
But the people who are really good at IT security are the people who have developed the "soft skills" necessary to help the implementation of IT security practices. Unfortunately, logic and human interaction are not exactly a perfect combination. In logic puzzle solving, soft skills take a back seat to hard science.

It takes someone with natural talent, or who is very driven, to find and negotiate reasonable solutions to IT security problems while mitigating impact on business operations. I have met some very good "book smart" IT security professionals that couldn't GREP... or even GROK... a system log. I have also met some very talented IT people that could write a program to get out of a paper bag, but put them in a conference room and they clam up or forget to bring the "tact filters" with them.

More and more I find the IT security field to be bordering on a skill set comparable to lawyers or accountants. A highly skilled career that requires specific talent and training to excel.
Can we train more people in IT security vocations? Certainly.
Will those that we train in the IT security vocations do well in the field? Depends on the person.
Marilyn Cohodas, User Rank: Strategist
3/10/2015 | 10:01:29 AM
Re: Or embellish
"The Imitation Game", as good as it was (and a long overdue tribute to Turing), took a few liberties with the truth in its Hollywood version of what actually happened. Here's one fact-checker's critique. But overall, I think the movie does raise the profile of the security professional for the general public, and if it inspires the best and the brightest to make a career of it, all the better.
TsionG, User Rank: Author
3/10/2015 | 1:14:18 PM
Re: But who would be interested?
No, movie studios do not have a stake in improving cybersecurity. My point was that the attention that Hollywood is now bringing to cyber may create more interest in STEM education as a natural follow-on effect of the popularity of these films. It is still up to the government, our education system and the cybersecurity community to take the steps I outlined.
ODA155, User Rank: Ninja
3/10/2015 | 5:27:23 PM
Re: The human wiring
"She had natural "wiring" in place that allowed her to have natural talent for playing the cello where I had only the interest."... or maybe she just wanted it more, so she worked harder because she really wanted it. Along those lines, as I said before, I see people who are content with being where they are; they don't want to move up, and others don't realize how hard it is to get AND maintain those skills. Was your goal to make second chair... why not first chair... too much pressure from being in that seat, or pressure from the seconds and thirds who really wanted to be first? Everyone has "talent"... practice is what makes you first chair, not talent, and in the case of IT I would say it's knowledge and the ability to be flexible and not to take personally the decisions you do not agree with.

My experience in IT Security is... if you can't get leadership to do the right thing for security versus the right thing for business... just wait, and don't gloat.
ODA155, User Rank: Ninja
3/10/2015 | 5:32:14 PM
Re: But who would be interested?
Security is boring... learning security can be exciting, but everyone wants to be the hacker, until they realize just how difficult that really is... remember, in the movies, in 2-3 hours you go from everything is lovely, to hell in a handbasket, to figuring it out, to saving the world.