Self-Driving Information Security

The prospects of autonomous self-driving vehicles becoming a pervasive presence on our roadways seem more likely every day. From the big automakers to Tesla to Google to Uber, a wide range of companies are investing a tremendous amount of money to create a world without carbon-based drivers. The motivation for a big payday abounds, but the hope is that this will be a huge boon to vehicle safety, and I believe it ultimately will be. As we have learned at hacker conferences, there are a lot of security concerns about self-driving cars that we need to solve, but that is not what I want to talk about here.

What I would like to do here is steal the term from the automotive industry and apply “Self-Driving” to Information Security. What is Self-Driving Information Security? For me, this is an initiative to apply the ever-growing power of computing to solve complex and fast-changing information security problems dynamically and without human intervention. Do I believe we can eliminate humans from the information security industry? No, I don’t believe that is possible or desirable, and it certainly would make BlackHat a lot less fun. However, I think we need to rapidly take steps to push the envelope on where we can take the person out of the loop, simply because we are not going to have enough humans to go around and insert into every potential security problem space. In a world where we will soon have thousands of Internet-connected devices for every person on Earth, it’s highly unlikely we will have enough information security professionals to go around to solve all of the resultant problems.

Automation is a very old idea that is present in every industry. In information technology, we seek to automate every repetitive task we can. But like in other industries, the explosion in compute power is causing us to explore automating ever more sophisticated tasks. It is no longer just assembly line robots, but advances in computing are taking on white collar jobs and in many cases doing a great job. Computers are diagnosing diseases more accurately than doctors. Computers are doing journalism and even taking on the legal profession.

Are you a skeptic in regards to computer encroachment on sophisticated and complex professions? One of the most seminal moments in computing history that impacted me was the chess contest between Garry Kasparov and IBM Deep Blue. Personally, I was rooting for the human until the bitter end. When Deep Blue ultimately defeated the world’s greatest chessmaster, I was in mourning for days. That was 20 years ago.

To be clear, Self-Driving Information Security will not be bereft of humans. Humans are the biggest part of information security today by any measure – clearly by the budgetary metric. I think we will continue to grow the overall number of people employed in the profession for the foreseeable future. The unpredictability of information security and its adversarial, logic-defying nature will require humans. But Self-Driving Information Security will gobble up the jobs we are doing today, and I am not quite sure what jobs we will be doing in the future. What I do know is, if we do not implement Self-Driving Information Security, we are going to drown in information and incidents.

What are some of the building blocks of Self-Driving Information Security? They are actually many things we are working on today; they just need to gain maturity:

DevSecOps. This idea of merging DevOps with Security Operations, enabled by cloud, is gaining in popularity with very diverse security teams. The ability to tear down and instantiate new computing systems, using “serverless” capabilities and applying some imagination, is leading to automation of security processes that can seem like magic to an old security guy like me.

Autonomics. The ability for computers to be self-managing, self-healing, self-optimizing – self-EVERYTHING – is important. A big part of how the Internet works today is through some levels of hierarchy and “command and control” systems. Clearly this model is going to break. I think about the apartment of the future with thousands of computers. Then I think about the bad guy that attacks the upstream link or servers. Or perhaps malware is injected into one of the apartment’s devices. In both cases, the nodes must not only be resilient and independent, but may need to collaborate and attack the infected device.

Blockchain. The distributed, immutable ledger technology that underpins Bitcoin is a favorite of VCs and the finance industry. I believe we are going to find a lot of applications for Bitcoin in information security. An authoritative, tamper-proof log of transactions which can be either public or private has fascinating implications. We can record any change in a very granular manner. I think about IT audit and having a record of all security control implementations; it can really change how that job is done.
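To make the tamper-evidence property concrete, here is an added example (written for this digest, not code from Cloud Security Alliance or from any Bitcoin implementation): a hash-chained audit log of security-control changes, the kind of record the paragraph imagines an IT auditor consulting. Each entry commits to the SHA-256 digest of its predecessor, so editing, deleting or reordering any past entry breaks the chain at or after that point, and `verify()` reports exactly where. The actors, control identifiers and timestamps are constructed sample values.

```python
"""Tamper-evident audit log built as a SHA-256 hash chain (added example)."""
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


@dataclass(frozen=True)
class Entry:
    index: int
    timestamp: str       # ISO-8601 text; the values below are constructed
    actor: str
    control_id: str      # hypothetical control identifier, e.g. "AC-2"
    change: str
    prev_hash: str
    entry_hash: str


def compute_hash(index: int, timestamp: str, actor: str, control_id: str,
                 change: str, prev_hash: str) -> str:
    """SHA-256 over a canonical JSON encoding of the fields plus the previous hash.

    Sorted keys and fixed separators make the encoding reproducible, so the
    same entry always yields the same digest on every verifier.
    """
    payload = json.dumps(
        {"index": index, "timestamp": timestamp, "actor": actor,
         "control_id": control_id, "change": change, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class AuditChain:
    """Append-only log where every entry commits to the hash of its predecessor."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, timestamp: str, actor: str, control_id: str, change: str) -> Entry:
        prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        index = len(self.entries)
        digest = compute_hash(index, timestamp, actor, control_id, change, prev_hash)
        entry = Entry(index, timestamp, actor, control_id, change, prev_hash, digest)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the latest entry; this is the value to anchor externally."""
        return self.entries[-1].entry_hash if self.entries else GENESIS_HASH

    def verify(self) -> Optional[int]:
        """Return the index of the first inconsistent entry, or None if intact."""
        prev_hash = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.index != i or e.prev_hash != prev_hash:
                return i  # gap, reorder, or broken link to the predecessor
            if compute_hash(e.index, e.timestamp, e.actor, e.control_id,
                            e.change, e.prev_hash) != e.entry_hash:
                return i  # entry contents no longer match their digest
            prev_hash = e.entry_hash
        return None


def build_sample_chain() -> AuditChain:
    """Constructed sample: three control changes an auditor would want on record."""
    chain = AuditChain()
    chain.append("2017-04-20T09:00:00Z", "alice", "AC-2", "disabled 3 dormant accounts")
    chain.append("2017-04-20T09:15:00Z", "bob", "SI-2", "applied patch bundle 2017-04")
    chain.append("2017-04-20T10:02:00Z", "alice", "AU-6", "enabled weekly log review")
    return chain


def tamper_demo() -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """What verify() reports for an intact chain and for two kinds of tampering."""
    chain = build_sample_chain()
    intact = chain.verify()  # None: every link and digest checks out

    # 1. Rewrite the text of entry 1 but leave its digest alone: mismatch at index 1.
    original = chain.entries[1]
    chain.entries[1] = replace(original, change="applied no patches")
    naive = chain.verify()  # 1

    # 2. Rewrite entry 1 and recompute its own digest so it looks valid in isolation.
    #    Entry 2 still carries the old digest in prev_hash, so the break moves to 2.
    recomputed = compute_hash(1, original.timestamp, original.actor,
                              original.control_id, "applied no patches",
                              original.prev_hash)
    chain.entries[1] = replace(chain.entries[1], entry_hash=recomputed)
    rehashed = chain.verify()  # 2
    return intact, naive, rehashed


if __name__ == "__main__":
    print("head:", build_sample_chain().head())
    print("intact / naive tamper / rehashed tamper ->", tamper_demo())
```

The second tampering case is the point of chaining: an editor who controls one record still has to rewrite every later record to hide the change. That only helps if the head hash lives somewhere the editor cannot reach, which is what the distributed part of a blockchain provides; a single-party copy of this chain should publish or witness its head (or replicate it across independent parties) to get the same guarantee.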

Analytics. Data Science. The answers are in the data. If the data sets are large enough, if the quality is good enough and if the algorithms are well designed and speedy, we will find the security answers we are looking for. I believe our massive and inexpensive compute infrastructure is going to excel in finding the right answer to a new security problem.

Artificial Intelligence. AI is certainly controversial, even trying to define it can cause fights. Many are terrified by AI and its potential threat to mankind. Some security solutions claim to use AI, others say that the current products are really employing machine learning. Closely related to analytics, having access to quality data is going to enable AI to make security decisions and take action before a human can blink.

In addition to all of these areas of focus, it is safe to assume that computing is going to get faster, cheaper and bigger at an ever-increasing pace. Quantum computing may be years away, but there are already serious efforts in government and industry to make a massive leap in computational speed. It’s also safe to assume that the bad guys will want to harness or exploit all of these trends for themselves.

The building blocks above will soon be assembled together into Self-Driving Information Security. It will be quite necessary for this to happen to manage our rapidly increasing compute universe. The jobs we know today will go away. I am convinced new jobs will replace them in greater numbers, but it may be messy. The paradox of automation is that humans will operate in a world with more layers of complex technical abstraction. We aren’t as intimately involved, but when we are needed, it is for more critical reasons.

At Cloud Security Alliance, we think it is important to be considering these trends now to be true to our mantra of “solving tomorrow’s problems today”. That’s why we have research in all of these areas happening in 2017. As always, our research is your research and we encourage you to join us.

Jim Reavis, Co-founder and CEO, Cloud Security Alliance

[Cloud Security Alliance Blog]

(ISC)² Delivers Recommendations to White House Chief of Staff, Urging Prioritization of Workforce Development in Final Cybersecurity EO and Beyond

In a recent blog post, I encouraged our U.S. government members to think short-term and be cautious about drawing conclusions within the first 90 days of the Trump Administration. I also mentioned that one of (ISC)²’s immediate goals was to deliver a set of recommendations to the presidential team.

In advance of the new administration’s 100th day in office next week, the following list of recommendations was delivered to White House Chief of Staff Reince Priebus and others on the Trump team as well as to the Subcommittee on Information Technology during a congressional hearing on April 4. With this and future efforts to advocate for the cyber workforce, we want to emphasize the need for the new administration to prioritize workforce development – in the pending cybersecurity executive order and beyond.

  • Time Is of The Essence. The widespread and damaging effects of cyber threats are revealed on a daily basis. At the same time, the demand for skilled cybersecurity workers is rapidly increasing. The 2017 (ISC)² Global Information Security Workforce Study reveals a projected workforce gap of 1.8 million information security workers by 2022.
  • Consider the Progress Already Made. Cybersecurity is a bi-partisan issue. Critical work has been done over the last 8 years to advance the cybersecurity workforce. (ISC)² was a strong advocate of the Cybersecurity National Action Plan (CNAP) which led to the creation of the first federal CISO position under the previous administration. That is why we recommend the reinstatement of both the federal Chief Information Officer (CIO) and CISO positions, but with greater authority. The next federal CIO and CISO must have the ability to positively affect change, have a depth of experience in both the technical and managerial aspects of cybersecurity, and must be advocates for effective, holistic cybersecurity solutions that include people, process and technology as equally essential components.
  • Harden the Workforce. Everyone must learn cybersecurity. We have to break the commodity focus of simply buying technology and stopping there, without focusing on training all users. From the intern to the CEO, the mindset needs to be, “Cybersecurity is everyone’s job.” To achieve this, we need to encourage cybersecurity cross-training to promote cyber literacy across all departments within federal agencies.
  • Incentivize Hiring and Retention. In today’s world, a sense of mission doesn’t always override good pay — incentives work. For example, following the cybersecurity hiring authorities passed by Congress in 2014, the Department of Homeland Security (DHS) National Protection and Programs Directorate (NPPD) provided pay incentives at 20-25% above an employee’s annual pay to motivate new cybersecurity hires. The practice of incentive pay needs to be replicated throughout the federal government in order to attract experts from the private sector. This perk also plays a key role in retaining cybersecurity talent. According to the Pew Research Center, millennials recently surpassed Generation X as the largest generation in the U.S. workforce. The 2017 (ISC)² Global Information Security Workforce Study found that paying for professional memberships and training are key drivers in job satisfaction with this demographic.
  • Prioritize investment in Acquisition, Legal and Human Resources (HR) Personnel. Acquisition, legal and HR professionals are essential players within the federal cybersecurity ecosystem. They need to be educated on both the needs of the customer and the nuances of the cyber workforce in order to develop accurate Requests for Proposals (RFPs) and job descriptions that will result in quality hires and the procurement of secure products and systems.
  • Prevent Getting Lost in Translation. The government needs effective communicators who can translate technical risk to business leaders in order to improve communications between cyber personnel and the boardroom. Effectiveness of the CISO role in the future will depend upon a “translation” layer of personnel that must be established and trained. The government realized this in changes made to OMB Circular A-123, which now calls for a chief risk officer at each agency. Efforts to align technology risk with mission and business strategies should leverage this OMB initiative.
  • Civil Service Reform. The civil service system is broken and does not meet the government’s needs. In our best effort to attract and retain top cyber talent, we are handicapped by the government’s antiquated general schedule (GS) classification and pay system that makes it difficult to promote high-achievers and re-position non-achievers. One such reform effort should be considered – the “cyber national guard” concept – which would allow the federal government to repay student loans of STEM graduates who agree to work for a number of years in a federal agency before returning to the private sector. This will serve as a natural extension to the existing Scholarship for Service (SFS) program and will help to expand the broader workforce development initiative.
  • Compliance Does Not Equal Security — Embrace Risk Management. According to NIST, the definition of resilience is “the ability of an information system to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a timeframe consistent with mission needs.” In the government’s quest for cyber resiliency, a risk management perspective will be essential.
  • A Standard Cyber Workforce Lexicon. In November 2016, NIST released draft NIST Special Publication 800-181, titled “NICE Cybersecurity Workforce Framework (NCWF),” and is currently reviewing public comments. (ISC)² is working to align our certifications with this new Framework which represents years of collaboration across government, industry and academia. According to NIST, the “NCWF provides a fundamental reference resource for describing and sharing information about cybersecurity work roles, the discrete tasks performed by staff within those roles, and the knowledge, skills, and abilities (KSAs) needed to complete the tasks successfully.” Once finalized, this Framework should provide an excellent resource for workforce development, planning, training and education.

As I mentioned in the previous blog, now more than ever, our collective voice needs to be heard. I would like to thank members of the (ISC)² U.S. Government Advisory Council (USGAC), former Federal CISO Gregory Touhill and the other federal agency CISOs and executives who participated in discussions surrounding these critical considerations. Conversation is key to progress.

Dan Waddell, CISSP, CAP, PMP
Regional Managing Director, North America Region, (ISC)²

[(ISC)² Blog]

My Transition From IT Audit to CISO

My transition from internal IT auditor to CISO in banking felt natural because, while working as an auditor, I developed a strong knowledge of information security and control concepts while also improving my communication skills.

Communication skills are crucial to the success of a CISO. Effective communication helps build positive relationships with employees at all levels within the organization. As an auditor, I presented audit reports to the Audit Committee. This served as excellent experience because I learned how to communicate effectively with top-level personnel, which was also required in my role as CISO.

Internal auditors are facing new challenges. Sensitive information is pervasive in the digital world because users expect it to be available when needed. Prior to the Internet-connected world, the focus in banking tended to be on business continuity planning, the exposure of sensitive information from threats to physical media, and other financial fraud activity such as physical credit card theft.

In the connected world, data is readily available through connected networks, and that data is the target of cyber attacks. Given the rise of successful attacks, IT auditors must continually educate themselves on the new types of threats and be knowledgeable of information security controls and how to test those controls.

There are many resources available to auditors. Just as a mechanic needs to acquire a toolset, an IT auditor must also assemble an array of resources. An auditor must network with other IT audit and information security professionals by participating in professional organizations. In addition to networking, websites such as ISACA’s and SANS’ provide audit and information security resources. ISACA has an online library with information security and audit books. These are useful resources for professionals new to IT audit.

IT auditors must remain relevant by constantly educating themselves regarding the latest information security threats, trends and controls by using all available resources. IT auditors are no longer an asset to their organization when they stop learning.

Changing career paths from IT audit to CISO was a smooth transition because I developed strong communication skills as an auditor, I had a strong knowledge of the latest security threats and trends, continuous education was a priority to me, and I assembled a set of resources. For those who are interested in a career path change from IT audit to CISO, these key items should help ensure success.

John Pouey, CISA, CISM, CRISC, Secretary, Greater New Orleans Chapter

[ISACA Now Blog]
