HIRING A CYBERSECURITY WORKER? HERE’S WHAT YOU NEED TO KNOW

Even though 85% of cybersecurity professionals would consider new job opportunities, it’s getting harder for employers to attract and retain qualified candidates. There just aren’t enough experienced cybersecurity workers to hire, and those already employed are constantly being wooed by recruiters.

Only 15% of currently employed cybersecurity workers are planning to stay put, according to recently completed (ISC)research. Among the rest, 14% are actively looking for a new job and 75% are open to opportunities. This means we will likely see a hubbub of activity in the cybersecurity job market throughout 2018.

Employers face an uphill battle. You not only have to try to find skilled candidates in a very limited pool, but also do whatever you can within reason to retain your current cybersecurity workers. Success on both fronts requires a deep understanding of what’s important to cybersecurity workers. What are they looking for in an employer? And what does it take to keep them happy?

What They Value

The study offers valuable clues about what matters to cybersecurity professionals. It’s clear they aren’t motivated by salary, but then they don’t need to be. Since demand for their services is so high, attractive compensation is a given. But what they really value comes through loud and clear in the research:

  • They want to be heard, with 68% of respondents saying they want the C-suite to take their security views seriously.
  • 62% prefer a company with well-defined ownership of cybersecurity responsibilities.
  • 59% view employee cybersecurity training and investments in emerging security technologies as priorities.

Cybersecurity professionals also don’t want to be evaluated by managers on whether they stop a breach. Rather, they believe these criteria are more relevant:

  1. How quickly they respond to a breach
  2. How efficiently they handle remediation
  3. Employee awareness levels

Daily Contacts

Understanding the mindset of cybersecurity workers is critical to the success of any recruiting effort. Cybersecurity pros are very attuned to the needs and demands of their work, and they look for clues in job descriptions about whether the employer understands cybersecurity. Descriptions that are too vague or demand too much get a pass.

Employers need to get this right because recruiters contact these folks constantly. Almost half (46%) of them are contacted weekly by recruiters, even if they aren’t looking for a job. Nearly a third (31%) of those in an active job search are contacted weekly.

For many, overtures from recruiters happen daily; one out of five (21%) study participants receive at least one recruiting contact daily. And 38% of those actively seeking new employment are contacted multiple times each day.

Be Upfront

Despite the huge challenge employers face, there is a silver lining: More than half of cybersecurity jobseekers (54%) are willing to work where a breach has already occurred – an indication they’re confident in their ability to help organizations improve their security.

That’s good for employers to know. Just remember to be upfront about your security situation and show you’re willing to listen to new ideas. Get this right, and the likelihood of attracting a skilled, experienced cybersecurity professional is much higher.

[(ISC)² Blog]

The Case for a KYC/AML Blockchain

Early in my career, I had the opportunity to work with big retailers and non-profit organizations around the promised land of EDI protocol (Electronic Data Interchange, for those too young to have seen this acronym). The expectation in the industry was that, thanks to a common set of industry layouts adopted by both manufacturers and retailers, all transactions like purchase orders, confirmation of shipments, acknowledgment of receipt of merchandise, and payment of invoices, would be streamlined and automated.

When we see the outcome in retrospect, we understand that the aim for a perfect set of common layouts for flat files that would be sent from one computer to other, over dedicated communication channels, to be fed into a translator that would, eventually, create the purchase order or shipment notice in the recipient’s mainframe, required long negotiations between powerful stakeholders. As a result, new technologies totally bypassed this effort that had been running for more than 30 years, without becoming a mainstream protocol in the e-commerce era.

I mention this example of a too-late definition of standards because of recent efforts triggered by the Central Bank of Mexico to create a common database of all fund transfers in foreign currency performed by banks in the country. The aim seems to be a central repository built by all participant banks, feeding their own funds transfer transactions, to eventually allow those banks to query this database in order to understand the risk profile of any particular client that has performed funds transfers in any other bank.

This goal is ambitious and logistically complex. Being a regulator of the banking system in the country, the Central Bank of Mexico can define the rules as needed and then require all banks to comply with these definitions. But the analogy I provided in relation to EDI protocol comes immediately to mind, and I foresee the following issues:

  1. The central bank has defined a standard layout based on the data elements that would be relevant to create the initial repository for its own regulatory purposes.
  2. The banks will have to build interfaces from their existing funds transfer systems with this new platform.
  3. The central bank may require additional fields in the future; if so, all banks will have to rush to adjust their existing interface, and then run additional processes to fill the missing data in the central repository.
  4. There is no incentive for the banks to implement the required applications and infrastructure.
  5. When rules are established around types of relevant queries needed to determine a risk profile, some large banks may then identify additional information that would make sense to add to the repository, impacting all other participant banks.
  6. The storage and computing power needed to track all funds transfer transactions across the entire banking system will overwhelm the central bank’s computing capacity, leading to delays in the queries. This would eventually require more taxpayer money to buy or rent additional infrastructure.

This seems to be a perfect use case for a Know-Your-Customer (KYC)/Anti-Money Laundering (AML) blockchain project. Of course, most of you understand that blockchain technology is the foundation of bitcoin and other cryptocurrencies. Instead of focusing on the idea of actual payments made with cryptocurrencies, I’d like to highlight the fact that blockchain technology can provide the perfect tool to develop a distributed ledger of funds transfers, spread across the computing power of participant banks in the system.

Here are the incentives for all:

  1. Banks’ computing power is larger. Spreading the calculation of crypto-tokens representing the funds transfers across the system can be spread over the computing power of all banks that want to participate in the system.
  2. Crypto-tokens would be simple. We are not talking here about creating money but “crypto-tokens” that represent real funds transfer transactions occurring in the system, linked to a different type of crypto-token that represents the client performing the transactions.
  3. Banks have incentive for participation. Every time that a bank converts a funds transfer transaction into a crypto-transaction linked to a crypto-client, using its own computing power, it will receive a “crypto-token” as payment. These crypto-tokens will be the key for the banks to perform queries to the database (see below).
  4. Queries to the common database will be paid with crypto-tokens. Every time a bank wants to perform a query to determine what kind of transactions a particular client has performed in the system, it will pay using the crypto-tokens received as payment for linking crypto-transactions to crypto-clients.
  5. Bank privacy is preserved. Do I need to say more?

As regulators start creating laws to put some ground rules on the table for digital transformation, they could be participants in initiatives like the one I’m putting on the table today.

Author’s note: Jose Angel Arias has started and led several technology and business consulting companies over his 30-year career. In addition of having been an angel investor himself, as head of Grupo Consult he participated in TechBA’s business acceleration programs in Austin and Madrid. He transitioned his career to lead the Global Innovation Group in Softtek for four years. He is currently Technology Audit Director with a global financial services company. He has been a member of ISACA and a Certified Information Systems Auditor (CISA) since 2003.

Jose Angel Arias, CISA, Technology Audit Director

[ISACA Now Blog]

Perimeters Aren’t Dead – They’re Valuable

Since I first began building internet firewalls in the late 1980s, I have periodically encountered claims that “the perimeter is dead” or “firewalls don’t work.” These claims are rather obviously wrong: your firewall or perimeter are simply a way of separating things so you can organize them better. An internet firewall is an organizing principle between “stuff that’s not your problem” (the internet) and “stuff that’s your problem” (your network).

At a finer level of detail, you might apply other organizing principles such as “my data center” and “the unmanaged cloud of desktops” or “our PCI cloud.” If you think of firewalls or perimeters as a way of organizing the various entities you deal with, you’ll be able to better understand your strategic objectives for where data moves, how it moves and where it sits. Without that type of organization, the idea of a network that is “yours” is purely imaginary.

If you think about firewalls and perimeters as an organizing principle, you’ll be able to see how single servers can be a “cloud of one” whether they’re on premise or off, and you can think about the trust relationships between remote servers and internal services. It’s a valuable mental tool, in other words.

We (or rather management) also can make mistakes by forgetting there is a persistent management cost for design. Organizing your computers and thinking about where data moves and how it is stored is expensive. It takes understanding and thought to design this stuff, and if it’s not done right, you wind up with a mess. A typical mess might be: “everything can talk to everything,” which is certainly easy to set up, requires no ongoing management, and is – for all intents and purposes – impossible to secure. It seems to me that a lot of executives expect tremendous cost-savings from moving to the cloud, but they don’t realize that you still need good systems people (to manage the cloud systems using the cloud providers’ interfaces) and governance/analysis (to think about where your data is moving and why). In other words, the thinking is the hard part.

Beyond security, it’s important to think about performance and reliability. If you figure out where your most important servers and data are, you can optimize your network architecture to guarantee best performance where it needs to be. Otherwise, in an “everything can talk to everything” network, your only option for performance tuning is to make everything faster. That’s an important distinction to keep in mind as we collectively move to software-defined networks. The organizing principle that leads to securing your data is also the organizing principle that allows you to optimize your data paths.

A senior IT person at a large enterprise told me, “We have web services all over the place. We use a vulnerability scanner to identify systems that are offering up data on port 80, then we track them down and analyze them.” Think about that for a second! If the organization has a purely reactive governance model like this, how will that enterprise move to a high-performance software-defined network? To map out your performance requirements, you need to know where the data is going to flow. You cannot do that if you’re permanently reverse-engineering your design using what I call “forensic network architecture.”

When we talk about disaster recovery or data backups, the same reasoning applies: you can’t back up your data if you don’t know where it is (organizing principle: data perimeter), and you can’t identify which systems need to be recoverable/reliable if you don’t know which they are (organizing principle: data center perimeter). None of this is a new problem, but, unfortunately, a lot of organizations are going to keep kicking the can down the road, so they can preserve their hard-won ignorance about what’s going on inside their perimeter.

Editor’s note: For more of Marcus Ranum’s insights on this topic, download The Vaguely Defined Perimeter.

Marcus J. Ranum, Security Consultant

[ISACA Now Blog]

Combating the Rising Threat of Malicious AI Uses: A Strategic Imperative

A group of academics and researchers from leading universities and thinktanks – including Oxford, Yale, Cambridge and Open AI – recently published a chilling report titled, The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation. The report raised alarm bells about the rising possibilities that rogue states, criminals, terrorists and other malefactors could soon exploit AI capabilities to cause wide spread harm. These risks are weighty and disturbing, albeit not surprising. Several politicians and humanitarians have repeatedly advocated for the need to regulate AI, with some calling it humanity’s most plausible existential threat.

For instance, back in 2016, Barack Obama, then President of the United States, publicly admitted his fears that an AI algorithm could be unleashed against US nuclear weapons. “There could be an algorithm that said, ‘Go penetrate the nuclear codes and figure out how to launch some missiles,’” Obama cautioned.  A year later, in August 2017, the charismatic Tesla and SpaceX CEO, Elon Musk, teamed up with 116 executives and scholars to sign an open letter to the UN, urging the world governing body to urgently enact statutes to ban the global use of lethal autonomous weapons or so-called “killer robots.”

I wrote a 2017 ISACA Journal article to underscore that, while AI’s ability to boost fraud detection and cyber defense is unquestionable, this vital role could soon prove to be a zero-sum game. The same technology could be exploited by malefactors to develop superior and elusive AI programs that will unleash advanced persistent threats against critical systems, manipulate stock markets, perpetrate high-value fraud or steal intellectual property.

What makes this new report particularly significant is its emphasis on the immediacy of the threat. It predicts that widespread use of AI for malicious purposes – such as repurposed autonomous weapons, automated hacking, target impersonation, highly tuned phishing attacks, etc. – could all eventuate as early as the next decade.

So, why has this malicious AI threat escalated from Hollywood fantasy to potential reality far more rapidly than many pundits anticipated? There are three primary drivers:

  • First, cyber-threat actors are increasingly agile and inventive, spurred by the growing base of financial resources and absence of regulation – factors that often stifle innovation for legitimate enterprises.
  • Secondly and perhaps most important, the rapid intersection between cybercrime and politics, combined with deep suspicions that adversarial nations are using advanced programs to manipulate elections, spy on military programs or debilitate critical infrastructure, have further dented prospects of meaningful international cooperation.
  • Thirdly, advanced AI-based programs developed by nation-states may inadvertently fall into wrong hands. An unsettling example is the 2016 incident, in which a ghostly group of hackers, going by the moniker “The Shadow Brokers,” reportedly infiltrated the US National Security Agency (NSA) and stole advanced cyber weapons that were allegedly used to unleash the WannaCry ransomware in May 2017. As these weapons become more powerful and autonomous, the associated risks will invariably grow. The prospect of an autonomous drone equipped with hellfire missiles falling into wrong hands, for instance, would be disconcerting to us all.

It’s clear that addressing this grave threat will be complex and pricey, but the task is pressing. As report co-author Dr. Seán Ó hÉigeartaigh stressed, “We live in a world that could become fraught with day-to-day hazards from the misuse of AI and we need to take ownership of the problems – because the risks are real.” Several strategic measures are required, but the following two are urgent:

  • There is need for deeper, transparent and well-intentioned collaboration between academics, professional associations, the private sector, regulators and world governing bodies. This threat transcends the periphery of any single enterprise or nation. Strategic collaboration will be more impactful than unilateral responses.
  • As the report highlighted, we can learn from disciplines such as cybersecurity that have a credible history in developing best practices to handle dual-use risks. Again, while this is an important step, much more is required. As Musk and his co-collaborators wrote to the UN, addressing this risk requires binding international laws. After all, regulations and standards are only as good as their enforcement.

This is an old story; history is repeating itself. As Craig Timberg wrote in The Threatened Net: How the Web Became a Perilous Place, “When they [internet designers] thought about security, they foresaw the need to protect the network against potential intruders and military threats, but they didn’t anticipate that the internet’s own users would someday use the internet to attack one another.”

The internet’s rapid transformation from a safe collaboration tool to a dangerous place provides an important lesson. If we discount this adjacent threat, AI’s capabilities – which hold so much promise – will similarly be exploited by those with bad intentions. Absent a coherent international response, the same technology that is being used to derive deep customer insights, tackle complex and chronic ailments, alleviate poverty and advance human development could be misappropriated and lead to grave consequences.

Author’s note: Phil Zongo is an experienced head of cybersecurity, strategic advisor, author, and public speaker. He is the 2016-17 winner of the ISACA’s Michael Cangemi Best Book/Article Award, a global award that recognizes individuals for major contributions to publications in the field of IS audit, control and/or security.

In 2016, Zongo won ISACA Sydney’s first Best Governance of the Year award, a recognition for the thought leadership he contributes to the cybersecurity profession. Over the last 14 years, Zongo has advised several business leaders on how to cost-effectively manage business risk in complex transformation programs. Zongo regularly speaks at conferences on disruptive trends, such as cyber resilience, blockchain, artificial intelligence and cloud computing.

Phil Zongo, Head of Cybersecurity, Author and Public Speaker

[ISACA Now Blog]

Five Questions on Board-Level Cybersecurity Considerations with Dottie Schindlinger

Editor’s note: Dottie Schindlinger, VP/Governance Technology Evangelist with Diligent and a panelist on the importance of tech-savvy leadership at ISACA’s CSX North America conference last October, recently told Forbes that cybercriminals target organizations perceived to be low-hanging fruit. Schindlinger visited with ISACA Now to discuss how organizations can avoid falling into that category and other key board-level cybersecurity considerations. The following is an edited transcript:

ISACA Now: How do board directors and executive leaders go about ensuring hackers don’t consider their organizations to be low-hanging fruit?
Board members and executive leaders of organizations are ultimately responsible for ensuring the long-term health of their organizations – and this responsibility extends to mitigating cyber risk. That doesn’t mean they have to be deeply involved in the day-to-day operations of cybersecurity programs, but they can’t be complacent.

The simplest thing directors can do to mitigate cyber risk is to ask questions and hold themselves to a higher standard. First, boards should ensure their organizations are providing the right set of tools to ensure the board’s communications are kept secure – for example, moving away from email in favor of a more holistic “Enterprise Governance Management” solution.

Additionally, boards should receive a quarterly high-level summary from the organization’s IT/data security team explaining the main components of the organization’s cybersecurity program. This should include a review of the current threats and thwarted hacking attempts, and a review of the training and education taking place across the organization. The CIO or CISO should be present at every board meeting to deliver the report, answer questions, highlight concerns and discuss ongoing investments in cybersecurity.

Furthermore, board members and senior executives should be required – along with anyone granted access to the organization’s sensitive data – to receive cybersecurity training and support. Far too often, senior leaders are prime targets for hackers because they have access to highly sensitive data with little IT oversight.

ISACA Now: Are boards becoming more sophisticated about providing cybersecurity leadership?
Yes and no. When asked, most directors voice strong concerns about data security – they are clearly worried about the stories they hear about in the news. But that concern doesn’t necessarily lead to action. For example, far too few directors are required to receive cybersecurity training on a regular basis. Our last survey – conducted in 2017 – showed that fewer than one-third of directors receive regular cybersecurity training and, even then, it’s most likely to be conducted very infrequently.

We also learned how heavily directors rely heavily on email for communication. More than two-thirds use email as their primary form of communication about board business. This is worrisome in light of the explosion of ransomware and malware attacks targeted at high-ranking individuals throughout 2017. If directors are using unsecured, unencrypted email to share sensitive data, the directors themselves become sources of cyber risk, rather than stewards of cybersecurity.

I believe the needle is finally beginning to move in a positive direction. Fear is a strong motivator, but so is the potential for revenue growth that comes when an organization’s leaders are more tech-minded.

ISACA Now: Given the growing understanding of the importance of cybersecurity, why are many organizations still reluctant to invest in training, both for board members and for their staffs?
Partly I think this has to do with a lack of understanding of the immediacy and severity of the threat. Considering that it typically takes a few months for a breach to even be detected, it’s highly likely more organizations have been breached than we know. I think many organizations want to believe they aren’t as vulnerable as they really are. In my conversations with directors, I’ve heard the phrase, “Our IT team is top-notch and we have cyber risk insurance.” Those two statements might be absolutely true – but neither one can prevent an organization from being hacked 100% of the time.

I think it’s fair to say that some complacency is born from a lack of familiarity. The vast majority of directors and senior leaders are not digital natives. The average age of directors is still north of 50, meaning senior leaders are much more likely to have grown up using typewriters than mobile devices. This means that technology can feel like a foreign topic (and a sore subject) for many directors, causing them a good deal of discomfort. I think that when CISOs approach technology discussions from the perspective of enterprise risk and business growth – and don’t stray too deep into the technology “weeds” in their reports – they will find directors and senior leaders are much more open to engaging deeply in the issues.

ISACA Now: What role should CISOs play in working with the board to elevate an organization’s security protocols?
Ideally, the CISO or other data security leader collaborates with the board and other senior leaders in the following ways:

  • Ensure the board and senior leaders have secure communication tools available and know how to use them appropriately;
  • Provide an update at each board meeting on the current state of cybersecurity programs, changes in the threat landscape, updates on cybersecurity investments, and highlight of any technology developments worth the board’s attention;
  • Answer the board’s questions and provide support on cybersecurity questions;
  • Work with the general counsel or audit committee to develop secure communication policies for the board, and brief the board on these policies – and any recommended changes – at least annually;
  • Arrange for cybersecurity training for directors and senior executives – ideally conducted at least annually (but more frequent is better);
  • Coordinate an annual tabletop exercise for the board, simulating a cyber event and testing the board on their response prowess;
  • Conduct a periodic review of the board and senior leadership’s communication methods and norms – to ensure adherence to policies and reduce reliance on any unsecured communication channels.

ISACA Now: For C-suite leaders who might be frustrated by their board’s lack of urgency when it comes to providing strong cybersecurity and risk management oversight, what are some ways they can deliver a wakeup call?
If a director has had personal exposure to a cyber event, he/she suddenly has a much greater level of awareness about the risk and a greater desire to learn how to ensure security. I don’t believe this “personal experience” has to be an actual cyber-attack – rather, a good simulation exercise, deep discussion at the board table, or a guest speaker who can share some “horror stories” should be enough to spur greater action. I’d recommend any activity that gets leaders asking questions like: Do we know which branch of law enforcement to call, and who is our main point of contact? What sort of cyber risk coverage do we have, and what services will our insurance carrier provide to help us during the breach notification period? What is our level of personal legal liability in this case? Do I need to wipe any of my own personal devices or drives and change any of my passwords?

At the same time, many CISOs do themselves a disservice by not focusing on the right issues in their reports to senior leaders. The CISO’s report should remain high-level and jargon-free (or with easy-to-comprehend explanations). Keep the focus on the enterprise risk and business growth side of cyber risk, not on the nitty-gritty of the CISO’s day job.

Bottom line, if a board doesn’t seem to have much motivation to discuss these serious issues, then the C-suite team should find a way to provide that motivation. The stakes are far too high to just hope for the best.

[ISACA Now Blog]

English
Exit mobile version