Setting the scene
Before I talk about my recent trip to Infosecurity Europe (Infosec), Europe’s largest and most comprehensive conference with over 400 exhibitors and attended by more than 19,500 information security professionals, I want to first take a little trip down memory lane. Rewind three years to 2015, the year Caitlyn Jenner came onto the scene, and Donald Trump was running for President. Back then I wrote about how the digital skills gap was threatening UK cybersecurity and drew attention to the European Commission’s prediction of a shortfall of about 900,000 skilled IT workers by 2020.
2020 is now only two years away, and unfortunately, it looks like that prediction is completely spot on! While I like to be proven right, this figure is alarming and demands our attention.
Criminal cyber-attacks on UK businesses are on the rise with threats from ransomware, data breaches and weakness in the supply chain being the areas of most concern. One attack on a well-known Internet Service Provider cost £60m and a loss of 95,000 customers, illustrating how it is in an organisation’s best interest to ensure every measure is taken to protect against such activity.
Then we had the ‘NotPetya’ attack, which cost hundreds of millions in damages per company and is considered nastier than WannaCry because the target companies were not small players with inferior security teams or systems. The full extent of damage from ‘NotPetya’ is not yet known but is projected to impact this year’s revenues. The Financial Times reports that overall spending on cyber-security is increasing by 22.7% in an attempt to keep pace with breaches, which are up 27.4% year-on-year.
Who is responsible for cybersecurity?
Typically, cybersecurity professionals work away in the background, rarely seen or heard. That is until there is a breach. While management may want to place the blame on IT, they often look to the top for someone to hold accountable. Remember this little reminder to CEOs and management?
Despite the message, most IT professionals believe that cybersecurity is still not considered a strategic priority among senior leadership.
What are the latest tech trends from Infosec?
I spoke with lots of different vendors, and while many themes were repeated throughout the day, three stood out in particular.
- Automation via AI/machine-learning
- Advanced endpoint protection hosted in the cloud, to avoid slow run-time on the device itself
- Story-based technologies to help Infosec teams work backward to spot the anomaly
This got me thinking. Does the chief information security officer (CISO) community possess the skillsets to tackle and reduce the amount of time that a threat actor (an entity that is partially or wholly responsible for an incident) goes undetected in an environment? I’m not sure. One report calculated that it takes almost six months or 175 days to detect a threat, up from 99 days in 2016.
Technology alone will not help
Towards the end of the day, I attended RANT. This fantastic cybersecurity extravaganza happens on the last Wednesday of every month and is an opportunity for security experts to put heads (and beers) together for, as the name suggests, a RANT around a certain heated, controversial topic. The topic of the event I attended, “After the hype, what became of last year’s buzzwords?”, focused on machine learning. One voice stood out, that of Dr. Mike Lloyd from RedSeal, who ranted that even if we take away the day-to-day data to try and spot the anomalies, we are still left with noise, and the conclusion is that we have mountains of data but not enough mountaineers to master it. Dr. Lloyd went on to say that we need to be better at the basics from the people side and operate automation with human-minded processes. If we don’t do this, we will be caught out by the bad guys, who are no longer investing in expensive tech and are instead automating the basics.
Is the weakest link our strongest ally?
Curiosity supposedly killed the cat. Is social engineering a modern equivalent of curiosity? Cybersecurity expert and founder of Cyber UK, Dr. Jessica Barker argues that the psychological design of phishing attacks is what makes them so incredibly effective for a human audience. Curiosity is our greatest weakness and without effective communication, collaboration and training, we are vulnerable to a perfectly executed attack that aims at triggering that irrational part of our human nature. The temptation of last week’s photos, another friend request or the USB stick with salary comparisons is ripe for exploitation and leaves every individual and organisation at risk.
People as our strongest ally
As I reflected upon Infosec and all the latest news from the vendors, as well as what I heard at RANT, I realised a couple of things regarding how you might improve the way your organisation looks at cybersecurity.
- What’s the specific result you want from the automated security solutions in place?
- Can you pinpoint an anomaly from these automated systems without confusion?
- Are the basics in place?
- Did you involve the executive team?
- Do you conduct regular meetings with both the business executives and broader IT team?
- Are you promoting the right security culture?
As security professionals, we need to ask ourselves, what more can we do? Are we collaborating with other areas of the organisation? Is everyone aware that this is an organisational responsibility?
Overall, it is clear that visibility, detection and incident response are the main areas affected by the current skills gap, and the demand for skilled cybersecurity personnel continues to rapidly outpace supply.
Want to be part of the solution? Skillsoft Bootcamp offers learners access to invaluable instruction and real-world insights from leading experts. Why not check out our upcoming class and course schedule?
Christopher Sly is a Solution Principal, IT & Digital at Skillsoft EMEA.