Comments
Cybersecurity Faces 1.8 Million Worker Shortfall By 2022
Newest First  |  Oldest First  |  Threaded View
cybersavior
100%
0%
cybersavior,
User Rank: Strategist
6/14/2017 | 10:15:06 AM
Secondary problem
Even if you were to successfully address the labor shortage of qualified and experienced Cybersecurity professionals, due to the white-hot market for individuals with the right skills, you will immediately inherit employee retention issues.  The stability and 'stay-ability' of the desirable talent is very likely to be lured away for more money, the promise of sponsored certifications, trips to Blackhat/Defcon and advancement opportunity. 
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
6/10/2017 | 12:30:17 PM
Competitive Pay and Sponsored Certification
InfoSec resources definitely come from a wide variety of backgrounds.  I've worked with ex-cops, ex-lawyers, ex-history professors, and so on.  My background is - professionally, at least - in software as a build and release, and test engineer.  While I'm currently a security lead embedded in an app development team, even now security isn't my primary role.  In fact, I've had opportunities to get out of my software dev role and focus on security but the pay and benefits didn't outweigh those of my current gig. 

Now, I'm sure it's surprising to some I work with to learn I have pentesting skills, can build Tor servers and nodes, have a deep practical understanding of cryptocurrency and have researched everything from undetectable honeypots to a distributed computing-driven traceroute infrastructure for generating realtime network topology snapshots.  But none of this is interesting when you consider 50 hours of my work week is focused on everyday development lifecycles for standard app features.  My preference would be to put my technical skills toward something I love and find endlessly fascinating, but when you compare the InfoSec work week to its pay scale (and I mean practical engineers who program tools on the fly, track intrusion realtime and patch in response to exploits) you often find a huge gap.

One of the things that keeps me in my current role is the combination of industry competitive pay, benefits and the regular opportunity to get certified on the company's tab.  Working somewhere that gets the value you bring, understands the hours needed to do quality work and provides opportunities for work/life balance is hard to measure.  And for many of the smaller InfoSec groups that have reached out, this just didn't seem to be the case.  Frankly, I suspect a large number of hiring managers don't understand the day-to-day activities of an InfoSec tech. The 24/7 availability requirement is only one aspect of this reality.  There needs to be a resource balance to allow relaxation, but also flexibility to allow techs with families to work after hours when needed, the tools to pull out a mobile device and work when in line at Disneyland on the weekend, and the pay scale to make all of it attractive.

Until the pay is more competitive, the tools provided the best they can get to provide maximum computing power and mobility, and access to company-sponsored certifications becomes the norm, I don't think as many with the skills companies really want to hire are going to be lining up.  This may be just a small factor in the equation, but for me it was the primary one.  And I work alongside lots of far more talented hackers who also settled for the next-best role for the same reasons.  Maybe it's good, though.  That means embedded InfoSec junkies like me can help add a layer of security responsibility that might not have been there before since... well, since companies aren't hiring teams of us.

 
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Ninja
6/8/2017 | 9:08:12 PM
Cybersecurity: A guarantee of lifetime employment?
Many more cybersecurity workers are needed and they will probably find lifetime employment somewhere. But I suspect we won't make any real headway when it comes to protection until automated systems learn enough to start doing some of the work for us.
imispgh
100%
0%
imispgh,
User Rank: Strategist
6/8/2017 | 11:14:26 AM
Smoke Screen - Covering for massive lack of best practice use
While some folks are needed msot of this is to cover for massive use of best practices.  it takes a lot of people to patch avoidable holes in the dyke.

Privileged Account Security – The Giant Dirty Secret in most organizations cybersecurity.  Why isn't it being addressed?  Lack of Courage.

The overwhelming majority of companies and government organizations are avoiding the most critical cyber-security practice of all. Dealing with privileged account security. It's the biggest dirty secret in cybersecurity. Which is extremely unfortunate because virtually every hack on record was accomplished by someone gaining access to a privileged account then moving through the system. This usually occurs due to a successful phishing expedition. (Of which 22% are successful. Keep in mind only one is needed).

Of the small fraction of companies that even deal with this area only 1% of them actually use the products they purchase properly. Said differently – even if a CISO is buying the right things they are not using most of what you paid for. And in most cases they either have no plan to actually use critical features like Password Management, Session Management and Access Monitoring, or are moving so slow it will decades to finish. Often this is meant to purposefully deceive C-Suite and above. This puts everyone at risk.

Here is how bad things are. CMU CERT is the premier authority on cyber-security best practices. Especially for DoD. I found out that CMU CERT has no solution for themselves in this area. They actually defer to CMU IT for their own security and they have no solution in this area. Shouldn't the organization responsible for telling others what best practice is use best practices for its own security?

Why is this happening? These products inadvertently expose several huge best practice gaps. Examples include having 4X more accounts than people, non-encrypted password files or spreadsheets, emails with passwords and software programs with passwords hard coded in them and many not knowing where they all are. And having local admin permissions available on laptops and end points and not knowing where they all are either.

Why don't these folks address this? Because it means pushing the culture to change bad habits and admit to their executives and boards they even existed in the first place. Governing bodies and regulators mean well but they don't help much. This is because the relevant regulations, SOC, HiTrust etc are too trusting and don't specify enough detail. This gives organizations far too much room to wiggle. This all results in most companies and organizations not utilizing best practices or readily available of off the shelf products that can significantly reduce the threat.

This is not a technical issue. It's one of Courage. Courage to admit the root causes exist, To deal with the culture and lead them to fix them. To not sacrifice customers to protect egos or let the bean counters justify it's cheaper to harm customers than the bottom line.

My Background – 15 Years - Systems Engineer, Program Manager and Engineering Manager for Lockheed Martin – Aircraft Simulation, NORAD and the Aegis Weapon System. Commercial IT Project Manager for 11 years. Including cybersecurity.  Also post 9/11 DoD/DHS whistleblower and IEEE Barus Ethics Award recipient 
tcritchley07
100%
0%
tcritchley07,
User Rank: Strategist
6/8/2017 | 10:06:18 AM
Re: Supply or demand? Cybersecurity
This issue has at least 2 sides; the vendors' and the customers'. There may be a shortage of cyber skills but on which side? Today, there is an unfair load placed on he customer when it should be borne mostly by the vendor. The vendor sells products and services in a basically open (insecure) environment, the internet and should shoulder most of the responsibility, along with WWW and other authorities for safety with some responsibility resting on the customer (user). When I fly, I am not expected to provide my own life jacket and oxygen. It is the airlines' job to make sure aircraft are fundamentally safe and that flying in them safe too. I will, of course, do my bit when instructed by the crew.

What is needed is a security ARCHITECTURE for crucial internet access, It will involve changes to the hardware and software components, at especially the attack points (DNS, SNMP, email etc, etc,), Windows and associated hardware would have to provide new, critical information about 'mal-users' and support a new authentication and authorisation sub-architecture.  Who should do this? It should be initiated at government level, using appropriate standards bodies and specialists to specify this architecture. In the old (70s/80s) days, IT vendors usually had to comply at level C2 of the US Orange books specs; there were higher, more secure levels too. The rules were simple: no comply, no business. Anyone using the net who isn't identifiable via this new architecture, or non-compliant,  should be visible, trackable and excluded or prosecuted.

An equivalent Orange book and 'C2'-type mandate is needed for the net. I have tried to get various cyber security gurus and major figures who recognise this and to support such an initiative, to no avail. It is a case which parallels Mark Twain's famous whinge: 'Everybody is talking about the weather, nobody is doing anything about it'.

The malware hits so far in 2017 exceed the total for 2016 and when it hits the roof by end 2017, I will probably name and shame the people who have voiced concern (usually for personal gain) and done nothing. It's going to be a fun year. The onus must be lifted from the users' shoulders and maybe the need for millions of cyber security people will reduce considerably when protection is mainly automated via this architecture and SW/HW changes.

There are government and other initiatives around now but with little or no cooperation and all chasing in different directions, a sure recipe for a dog's breakfast solution if they ever get one).
tadwhitaker
50%
50%
tadwhitaker,
User Rank: Author
6/8/2017 | 9:36:23 AM
Dollars Behind This?
Agreed with the other poster above. It's an interesting snap shot, but it would be interesting to provide more context related to actual, dedicated resources and money at companies that is currently earmarked for security and going unspent due to a lack of employees.
DavidW723
50%
50%
DavidW723,
User Rank: Apprentice
6/8/2017 | 4:02:25 AM
Supply or demand?
We've seen these headline figures for a few years now, but what's unclear is who is actually providing the numbers. It seems to me that in many cases it is 'IS professionals' saying we need more people to man the barricades because there is more to be done than we can currently cope with. But that sentiment can be found in everything from law enforcement, through nursing to teaching and beyond. Everyone has too much to do and not enough resources to deliver. 

The two questions that I've not seen answered are "how many unfilled vacancies are there" (ie companies want to recruit but can't) and "how many people want to enter the industry but are unable to" (ie they have the skills or want to gain them but there are no jobs to apply for).

The former tells us we need to develop more people (demand over supply), the latter probably suggests the supply is there but there is no demand.

 


To Be Ready for the Security Future, Pay Attention to the Security Past
Liz Maida, Co-founder, CEO & CTO, Uplevel Security,  9/18/2017
1.9 Billion Data Records Exposed in First Half of 2017
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/20/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Jan, check this out! I found an unhackable PC.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The Dark Reading Security Spending Survey
The Dark Reading Security Spending Survey
Enterprises are spending an unprecedented amount of money on IT security where does it all go? In this survey, Dark Reading polled senior IT management on security budgets and spending plans, and their priorities for the coming year. Download the report and find out what they had to say.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.