The New Crisis in Cybersecurity
By Mark Egan
There is a new crisis in Cybersecurity. A recent article highlights the current lack of trained Information Security professionals and ties this lack to the digital revolution and other technology advances, leading to “mega-breaches on an unprecedented scale.” Stealing IP has become a billion dollar business; couple that with the fact that it is also much easier to break into a system than protect it. All the criminal needs to do is to find one hole in your environment and they can slip in. Why there is a dearth in Cyber Security professionals and what can be done about it I have outlined briefly in a few key points here.
One of the biggest reasons why there are fewer trained security professionals is due to the fact that the Office of the CISO is still a relatively new organization, compared to that of the CIO, which role has been around for significantly longer. CIO titles started in the 80’s when Information Technology became a critical component of daily business operations. The CISO title is more recent and in 2006 only 43% of large organizations had a CISO. This has changed over the past 10 years and now most larger organization now have a formal security function and overall leader.
However, companies show a trend of being focused on hiring very experienced security staff externally, as opposed to developing and training individuals internally. It would be more effective to take existing staff and train them, or hire in trained entry level professionals who you can develop.
The solution to Information Security is that companies have to develop their existing staff and then cultivate a mindset where everybody is “mindful” – like a Neighborhood Watch, where everyone is involved in the program. Most attacks still originate from phishing email – someone clicks on an email, and that email comprises that machine. And once they compromise that machine, they move laterally within the environment to elevate to a privileged level of access. So if you have Neighborhood Watch, everybody is on alert. When they see the suspicious email, they notify someone, and through this behavior you can build and grow and perpetuate a more “security aware” program.
Ultimately security is a people issue. To this effect we created the Merritt College Information Security program as a fully accredited A.S. degree with majors in Applications and Infrastructure Security. The program has been two years in the making and serves the San Francisco Bay Area East Bay School districts, which include students from less advantaged backgrounds. It results from the partnership with the CISE CIO organization, Merritt College, and CIO’s / CISO’s from leading San Francisco Bay Area companies. The program provides trained, entry level security professionals from which an organization can then expand on and develop other existing staff internally.
They are currently for hire; please contact me for more info.