Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

3/6/2019
09:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

To Improve Security, We Must Focus on Its People

New technology can help cybersecurity bridge the talent gap, but tech won't do much without people to operate it.

RSA CONFERENCE 2019 – San Francisco –It's no secret cybersecurity has a people problem. Businesses struggle to find and retain talent, and they're competing to hire the most skilled professionals. Still, burnout puts them at risk of losing those valuable employees.

The industry will be short an estimated 3 million people within the next two years, said Ann Johnson, Microsoft corporate vice president of cybersecurity, in her RSA Conference keynote. Seventy percent of IT employers say they face a moderate to extreme shortage in IT experts.

What's more, she continued, work-related stress is causing 66% of IT professionals to seek employment elsewhere. Of those, 51% would take a pay cut in exchange for less stressful work. Technology can help solve these problems, but not if we don't improve the focus on people.

"We must come together as an industry to address the major gaps we have," said Johnson, noting how in addition to growing its talent pool, cybersecurity is challenged to diversify it as well. "If we do nothing to address these gaps, it will impact every single one of us in our everyday lives. We have the skills, we have the technology ... we must have the will."

Diversity and inclusivity go beyond gender, ethnicity, and race, she added, and security will benefit if we encourage additional ideas, capabilities, and backgrounds to help solve industrywide problems. "Educational background, social background, there's a lot of things that make up diversity," Johnson explained in an interview with Dark Reading.

We must focus on the power of people to improve security, she continued, pointing to initiatives inside and outside Microsoft to bring more people and skills into the industry. As part of the Security Advisor Alliance, for example, the company partners with junior-high and high-school students to educate them on security principles, capture-the-flag exercises, and employment.

Another example is the Microsoft Cybersecurity Professional Program, which teaches students 10 skills over 10 courses ranging from Enterprise Security Fundamentals, to PowerShell Security, to Microsoft Azure Security Services. Johnson also spoke about the Microsoft Academy for College Hires (MACH), which pairs undergrad and MBA students with employees to train them in various disciplines; Johnson noted some worked with her incident response team.

Working with students has taught valuable lessons in how future generations will learn, she said. In working with middle- and high-schoolers, for instance, experts found games helped engage students. "Gamification is important; making it fun is important," she added. Gen Z is "truly digital native" and prefer instant communication.

Johnson also emphasized the importance of bringing new skills into the industry. "Businesses have a fixed mindset around the type of people they want enrolled," she noted. Cybersecurity job descriptions demand a STEM degree, three years of coding, and other technical qualities.

"We're not going to solve for our talent shortage if we only hire the person who fits this tiny, tiny little profile," she said. "Businesses have to think differently about how they bring people in cyber."

Mental Health: It's Time to Talk About It
If security jobs remain unfilled, defenders will burn out, Johnson warned. "These folks are first responders, but we don't treat them like that." Security pros in different parts of an organization may be working around the clock when an event strikes or have to fly somewhere with little notice to help with incident response.

For CISOs and their teams, the stress level is always high, she added. If we want to empower people and amplify human capacity, we must consider the mental health of first-line defenders, she said. Mounting stress on defenders leads to more mistakes the longer an attack goes on.

Microsoft recently conducted its first "personal resilience training," a program designed to train people on how to handle stressful environments, which received a positive response among participants, she added. "We must protect the mental health of our cyber defenders," Johnson said.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
3/8/2019 | 1:58:34 PM
Recruiting through Education
I always think that High School courses just test aptitude and not really application. Due to this many of the courses being taught are antiquated and underutilized in the "real" world. Higher education has already started to implement technology and even information security focused curriculum but I think by that time it is already too late because youth have been enticed by other vocation potentials.

If instead we started in high school to teach about information technologies, how they function and how to secure them it might draw more interest to an impressionable mind. Also, with the benefits that these fields over based on the current landscape of low enrollment should definitely entice individuals to say that this is more than a viable option for pursuit.
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13157
PUBLISHED: 2019-11-22
nsGreen.dll in Naver Vaccine 2.1.4 allows remote attackers to overwrite arbitary files via directory traversal sequences in a filename within nsz archive.
CVE-2012-2079
PUBLISHED: 2019-11-22
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
CVE-2019-11325
PUBLISHED: 2019-11-21
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
CVE-2019-18887
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.
CVE-2019-18888
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. T...