10:30 AM
Tsion Gonen

Does Hollywood Have The Answer To The Security Skills Question?

The Oscar-winning biopic about famed WWII cryptanalyst Alan Turing -- the father of modern computing -- was long overdue. But a lot more needs to be done to inspire the next generation of computer scientists.

For better or worse, films tend to be a prism through which we can view the values and topics that interest our society. So I think it’s a positive trend that two of the biggest blockbuster releases of 2014 gave cybersecurity the Hollywood treatment.

The more modern setting was found in the movie Blackhat, starring People Magazine’s reigning “Sexiest Man Alive,” Chris Hemsworth, as a convicted hacker working with American and Chinese agencies to capture a cyber-criminal who was attempting to cripple the international banking network. Sure, we can raise an eyebrow at the casting of Thor as a cyber-genius with firearms training, but there’s a bigger picture at play here.

[For InfoSec professionals, the truth is much more interesting than the fiction portrayed in Blackhat, The Movie: Good, Bad & Ridiculous]

The Academy of Motion Picture Arts and Sciences has looked even more favorably on the Internet’s “sexiest man alive,” Benedict Cumberbatch, for his portrayal of Alan Turing, the father of modern computing. In The Imitation Game, which garnered eight Oscar nominations, including Best Picture, and a win for Best Adapted Screenplay, Cumberbatch plays the WWII hero and cryptanalyst who successfully led the British effort to decode the German military’s Enigma encryption machine. The cryptography and mathematics expertise that led to Turing’s code breaking is the stuff of legend, and sharing this story with the masses was long overdue.

So why is it significant that these two movies were made in the same year? While Hollywood studios tend to oversimplify security stories, they do know a thing or two about generating publicity. In the midst of a cybersecurity hiring crisis, compounded by a skills shortage, could these big-budget motion pictures renew interest in Science, Technology, Engineering and Mathematics (STEM) education and create the next Turing or the next generation of white-hat hackers?

It’s no big secret that one of the biggest problems facing the cybersecurity industry is that it is nearly impossible to keep pace with the growing volume and complexity of cyber-attacks launched by covert foreign government agencies, organized crime syndicates, and hacktivists. Exacerbating this problem is the fact that fewer students are interested in computer science.

Look at the numbers: According to ISACA’s 2015 Global Cybersecurity Status Report, a global survey of more than 3,400 ISACA members in 129 countries, 86 percent of respondents see a global cybersecurity skills gap, and 92 percent of those planning to hire more cybersecurity professionals this year say they expect to have difficulty finding a skilled candidate.

The Bureau of Labor Statistics also projects a massive shortage in the IT workforce by 2020: There will be 1.4 million openings, but only 400,000 computer science graduates with the necessary skills to fill the positions.

Figures on the extent of the cybersecurity professional shortage differ, but reports estimate that the U.S. has only one-thousand top-class cyber pros across the private sector, the military, and the civilian government. By comparison, China has nearly 10 times that many trained cyber warriors according to a 2013 USA Today op-ed by Alan Paller, founder of the SANS Institute cyber training school, and George Boggs, president emeritus of the American Association of Community Colleges.

So, in addition to hoping that Hollywood will help increase the sex appeal of cybersecurity careers, what else can be done to stoke the educational fires? Here are two steps I think are most important:

Step 1: Create an academic pipeline for cybersecurity experts, starting in grade school, not high school. More STEM investment, earlier, means there will be a better chance of creating the next Turing.

Step 2: Consistently define career opportunities for students, and help them understand the various kinds of roles that may be available to them: penetration testers, vulnerability researchers, malware researchers, forensic specialists, cryptography engineers, etc. Progress is being made on this front, including:

While simply throwing more manpower at cybersecurity may still not be enough, there was a lesson in what Turing created. He knew that in order to break the automated Enigma codes that changed daily, he would need to design a machine that could match that automation, because it would simply take too long for his human team to break them. Who knows where the next great mind will come from, and more importantly, what kind of technology one person may develop that could swing the cyber war in the good guys’ favor?

Tsion Gonen serves as Chief Strategy Officer for Gemalto's Identity and Data Protection Division. He is responsible for developing global business and product strategies, and identifying and capitalizing on emerging market trends within the information security market. Prior ...
User Rank: Ninja
3/6/2015 | 3:23:53 PM
Re: But who would be interested?
Personally, I'm still a little confused as to why everyone seems to think there's an issue with the skill level of information security professionals. I remember talking about this back in January (maybe), sure everyone can use more education, but if you're trying to draw a line from all of the hack\break activity to infosec professionals and weak skills, I'd suggest looking at the corporate policy makers\enforcers instead. We as security professionals do not make the rules or determine what is most important to a company (unless they really want to hear it from us), no, we just take their requirements and figure out the best way to secure it, and usually it's not what we would recommend, but you play the hand you're dealt... besides, what's Hollywood going to do, make a movie about some heroic security guy\gal reviewing SIEM or AV logs... or cruising through security blogs trying to see what's happening or arguing in a meeting with various business departments trying to explain why strong complex passwords are a necessity? Who'd want to see that? No, everyone wants to be a hacker... and even their depictions of that are over the top as well as unreal.

User Rank: Strategist
3/6/2015 | 11:10:12 AM
But who would be interested?
I don't know if there are any movie studios that would be at all interested in improving the uptake of InfoSec staff. Sure, you might say SONY, but they've repeatedly demonstrated a desire to cut security despite past breaches.