Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

3/6/2019
09:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

To Improve Security, We Must Focus on Its People

New technology can help cybersecurity bridge the talent gap, but tech won't do much without people to operate it.

RSA CONFERENCE 2019 – San Francisco –It's no secret cybersecurity has a people problem. Businesses struggle to find and retain talent, and they're competing to hire the most skilled professionals. Still, burnout puts them at risk of losing those valuable employees.

The industry will be short an estimated 3 million people within the next two years, said Ann Johnson, Microsoft corporate vice president of cybersecurity, in her RSA Conference keynote. Seventy percent of IT employers say they face a moderate to extreme shortage in IT experts.

What's more, she continued, work-related stress is causing 66% of IT professionals to seek employment elsewhere. Of those, 51% would take a pay cut in exchange for less stressful work. Technology can help solve these problems, but not if we don't improve the focus on people.

"We must come together as an industry to address the major gaps we have," said Johnson, noting how in addition to growing its talent pool, cybersecurity is challenged to diversify it as well. "If we do nothing to address these gaps, it will impact every single one of us in our everyday lives. We have the skills, we have the technology ... we must have the will."

Diversity and inclusivity go beyond gender, ethnicity, and race, she added, and security will benefit if we encourage additional ideas, capabilities, and backgrounds to help solve industrywide problems. "Educational background, social background, there's a lot of things that make up diversity," Johnson explained in an interview with Dark Reading.

We must focus on the power of people to improve security, she continued, pointing to initiatives inside and outside Microsoft to bring more people and skills into the industry. As part of the Security Advisor Alliance, for example, the company partners with junior-high and high-school students to educate them on security principles, capture-the-flag exercises, and employment.

Another example is the Microsoft Cybersecurity Professional Program, which teaches students 10 skills over 10 courses ranging from Enterprise Security Fundamentals, to PowerShell Security, to Microsoft Azure Security Services. Johnson also spoke about the Microsoft Academy for College Hires (MACH), which pairs undergrad and MBA students with employees to train them in various disciplines; Johnson noted some worked with her incident response team.

Working with students has taught valuable lessons in how future generations will learn, she said. In working with middle- and high-schoolers, for instance, experts found games helped engage students. "Gamification is important; making it fun is important," she added. Gen Z is "truly digital native" and prefer instant communication.

Johnson also emphasized the importance of bringing new skills into the industry. "Businesses have a fixed mindset around the type of people they want enrolled," she noted. Cybersecurity job descriptions demand a STEM degree, three years of coding, and other technical qualities.

"We're not going to solve for our talent shortage if we only hire the person who fits this tiny, tiny little profile," she said. "Businesses have to think differently about how they bring people in cyber."

Mental Health: It's Time to Talk About It
If security jobs remain unfilled, defenders will burn out, Johnson warned. "These folks are first responders, but we don't treat them like that." Security pros in different parts of an organization may be working around the clock when an event strikes or have to fly somewhere with little notice to help with incident response.

For CISOs and their teams, the stress level is always high, she added. If we want to empower people and amplify human capacity, we must consider the mental health of first-line defenders, she said. Mounting stress on defenders leads to more mistakes the longer an attack goes on.

Microsoft recently conducted its first "personal resilience training," a program designed to train people on how to handle stressful environments, which received a positive response among participants, she added. "We must protect the mental health of our cyber defenders," Johnson said.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
3/8/2019 | 1:58:34 PM
Recruiting through Education
I always think that High School courses just test aptitude and not really application. Due to this many of the courses being taught are antiquated and underutilized in the "real" world. Higher education has already started to implement technology and even information security focused curriculum but I think by that time it is already too late because youth have been enticed by other vocation potentials.

If instead we started in high school to teach about information technologies, how they function and how to secure them it might draw more interest to an impressionable mind. Also, with the benefits that these fields over based on the current landscape of low enrollment should definitely entice individuals to say that this is more than a viable option for pursuit.
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
7 Ways VPNs Can Turn from Ally to Threat
Curtis Franklin Jr., Senior Editor at Dark Reading,  9/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16695
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter.php table parameter when action=add is used.
CVE-2019-16696
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit.php table parameter when action=add is used.
CVE-2018-21018
PUBLISHED: 2019-09-22
Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.
CVE-2019-16692
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used.
CVE-2019-16693
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used.