Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

09:15 PM
Connect Directly

To Improve Security, We Must Focus on Its People

New technology can help cybersecurity bridge the talent gap, but tech won't do much without people to operate it.

RSA CONFERENCE 2019 – San Francisco –It's no secret cybersecurity has a people problem. Businesses struggle to find and retain talent, and they're competing to hire the most skilled professionals. Still, burnout puts them at risk of losing those valuable employees.

The industry will be short an estimated 3 million people within the next two years, said Ann Johnson, Microsoft corporate vice president of cybersecurity, in her RSA Conference keynote. Seventy percent of IT employers say they face a moderate to extreme shortage in IT experts.

What's more, she continued, work-related stress is causing 66% of IT professionals to seek employment elsewhere. Of those, 51% would take a pay cut in exchange for less stressful work. Technology can help solve these problems, but not if we don't improve the focus on people.

"We must come together as an industry to address the major gaps we have," said Johnson, noting how in addition to growing its talent pool, cybersecurity is challenged to diversify it as well. "If we do nothing to address these gaps, it will impact every single one of us in our everyday lives. We have the skills, we have the technology ... we must have the will."

Diversity and inclusivity go beyond gender, ethnicity, and race, she added, and security will benefit if we encourage additional ideas, capabilities, and backgrounds to help solve industrywide problems. "Educational background, social background, there's a lot of things that make up diversity," Johnson explained in an interview with Dark Reading.

We must focus on the power of people to improve security, she continued, pointing to initiatives inside and outside Microsoft to bring more people and skills into the industry. As part of the Security Advisor Alliance, for example, the company partners with junior-high and high-school students to educate them on security principles, capture-the-flag exercises, and employment.

Another example is the Microsoft Cybersecurity Professional Program, which teaches students 10 skills over 10 courses ranging from Enterprise Security Fundamentals, to PowerShell Security, to Microsoft Azure Security Services. Johnson also spoke about the Microsoft Academy for College Hires (MACH), which pairs undergrad and MBA students with employees to train them in various disciplines; Johnson noted some worked with her incident response team.

Working with students has taught valuable lessons in how future generations will learn, she said. In working with middle- and high-schoolers, for instance, experts found games helped engage students. "Gamification is important; making it fun is important," she added. Gen Z is "truly digital native" and prefer instant communication.

Johnson also emphasized the importance of bringing new skills into the industry. "Businesses have a fixed mindset around the type of people they want enrolled," she noted. Cybersecurity job descriptions demand a STEM degree, three years of coding, and other technical qualities.

"We're not going to solve for our talent shortage if we only hire the person who fits this tiny, tiny little profile," she said. "Businesses have to think differently about how they bring people in cyber."

Mental Health: It's Time to Talk About It
If security jobs remain unfilled, defenders will burn out, Johnson warned. "These folks are first responders, but we don't treat them like that." Security pros in different parts of an organization may be working around the clock when an event strikes or have to fly somewhere with little notice to help with incident response.

For CISOs and their teams, the stress level is always high, she added. If we want to empower people and amplify human capacity, we must consider the mental health of first-line defenders, she said. Mounting stress on defenders leads to more mistakes the longer an attack goes on.

Microsoft recently conducted its first "personal resilience training," a program designed to train people on how to handle stressful environments, which received a positive response among participants, she added. "We must protect the mental health of our cyber defenders," Johnson said.

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Ninja
3/8/2019 | 1:58:34 PM
Recruiting through Education
I always think that High School courses just test aptitude and not really application. Due to this many of the courses being taught are antiquated and underutilized in the "real" world. Higher education has already started to implement technology and even information security focused curriculum but I think by that time it is already too late because youth have been enticed by other vocation potentials.

If instead we started in high school to teach about information technologies, how they function and how to secure them it might draw more interest to an impressionable mind. Also, with the benefits that these fields over based on the current landscape of low enrollment should definitely entice individuals to say that this is more than a viable option for pursuit.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/5/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). A dangerous AT command was made available even though it is unused. The LG ID is LVE-SMP-200010 (June 2020).
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS software before 2020-06-01. Local users can cause a denial of service because checking of the userdata partition is mishandled. The LG ID is LVE-SMP-200014 (June 2020).
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). Code execution can occur via a custom AT command handler buffer overflow. The LG ID is LVE-SMP-200007 (June 2020).
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). Code execution can occur via an MTK AT command handler buffer overflow. The LG ID is LVE-SMP-200008 (June 2020).
PUBLISHED: 2020-06-05
An issue was discovered on LG mobile devices with Android OS 9 and 10 (MTK chipsets). An AT command handler allows attackers to bypass intended access restrictions. The LG ID is LVE-SMP-200009 (June 2020).