From a historical perspective, technology is advancing at an unprecedented pace: its ubiquitous presence is changing how we live, work and play. This storm of technological changes is unfortunately accompanied by a host of continually emerging new threats; along with a technology’s use comes its abuse. In the realm of information technology, we are presented with the dual challenge of predicting future threats and preparing to defend against those threats, as well as the ones we already know.
How we prepare cybersecurity professionals for the future, as well as the present, requires constant vigilance and attention. We must provide them with the knowledge, technical skills, operational savvy and adaptability to mitigate the risks of a changing threat landscape.
But it isn’t just the cybersecurity workforce that we need to prepare … it’s everyone.
What does the future hold?
No one knows for sure, but there is little doubt technology will remain center stage in everyone’s lives, especially at work. The workplace is growing increasingly connected and complex, and that interconnectivity will continue to grow. Enterprises have robust online environments that link customers to critical business applications and create a brand experience that drives customer perceptions of value, credibility and reliability. Those perceptions are something that most enterprises hold near and dear when considering how to engage with customers and users.
Our employee profile has also changed. The emerging workforce has grown up online with expectations of mobility and interconnectivity, often without the wariness that comes with robust security risk and threat awareness. When I was 5, I was my dad’s remote control. He would tell me to change the channel and I would get up and go turn the dial. Now there are few 5-year-olds who are not already familiar with the operation of a smartphone; what stories will they tell their children of “when I was a kid”?
Why is this a problem?
Moore’s Law, the idea that processor speed and power double every two years, also applies to the experience of our workforce and the growth of technology’s impact on our lives. And this pace of change provides adversaries the opportunity to take advantage of new technologies to exploit the vulnerabilities inherent within them, all while we seek to mitigate and secure those same vulnerabilities. Unfortunately, adversaries only have to get it right once to cause serious harm, which increases the pressure on enterprises to get it right all the time. And cyber threats continue to multiply, both in volume and capability. The attack surfaces are growing larger, and the attacks are often sophisticated and innovative, which increases the challenge of mitigating and predicting threats.
As is often the case with IT, the problem can be categorized by people, process and technology:
- People: Humans are built to identify immediate threats, not the future threat of problems that grow slowly over time. It’s the boiling frog analogy – if you drop a frog in hot water it will immediately perceive the threat and jump out, but place the same frog in cool water and slowly bring it to a boil and it will not perceive the threat until it is too late;
- Process: We continue to prioritize functionality over security. We build systems first to meet business needs and functionality, and then we bolt on security later. This seems silly, but think about your own life. Most of us signed on to social media sites many years ago to connect with friends and family. It was much later that many started to wonder about the security implications of posting personal information for the entire world to see. It took even longer for various social media sites to start supporting stronger security protections; and
- Technology: Similarly, technology has been built with security as an afterthought and we have tended to secure the IT stack (infrastructure, applications, databases, etc.) later, or once vulnerabilities were identified. Again, we can look to our personal lives for a relevant example: most people have ditched their landline phones in favor of their mobile smartphones. We know mobile smartphones do not have high voice quality or reliability, and they come with some notable security weaknesses, but we prefer them because they are convenient. Rather than worry about the risk of leveraging mobile applications for voice and data, we go back later and add security to applications and infrastructure once vulnerabilities are exploited publicly.
What should we do?
Preparing every current and potential worker for a seemingly unknown future environment is no small task, but there are some steps we are already taking, and some new ones to explore, that can help us progress towards better protection:
- Children: Our children are likely going to be the most prepared, as they are growing up in this increasingly digital world and are already receiving an education on how to thrive in it with greater safety. But we need to continue to engage them early and often. STEM education is the building block for cyber readiness. Children receive training on fire dangers starting in kindergarten. The same should be true for cyber threats. Our children need to understand the trouble they can get themselves into online. A STEM-based education can help them do that;
- Current workers: There are few jobs that exist today that do not involve some form of computing. Big data touches everything from banking to waste management. Enterprises should have policies in place to dictate how employees interact with information and its systems, and there should be an ongoing training program in place depending on the type and amount of information employees access. This is especially important for government agencies due to the sensitive nature of the citizen information they steward. We are starting to see more organizations publicly acknowledge their stewardship responsibilities, and that focus should continue;
- Cyber professionals: We are not generating the number of trained cybersecurity professionals that we need from universities. One of the most critical skills is response to attacks, which is both an art and a science. This requires hands-on training and experience beyond school. Organizations should prepare for that as they welcome new workers;
- Government workers: Government agencies face an additional challenge when it comes to human resources. They are losing younger workers, particularly in tech-related jobs. The first step in cyber-readying their future workforce is attracting the best and brightest talent. Since they often cannot compete with the private sector on the technology they employ, they should leverage the scope and importance of their mission to attract the best workers. Then they can worry about readying them for the future cyber environment.
Who is responsible?
Firefighters have a responsibility for putting out fires, so it is in their best interest to do everything in their power to prevent fires. There is not a direct correlation for cybersecurity. It permeates all of our lives and thus the responsibility is shared. Certainly law enforcement agencies and the Department of Homeland Security have a responsibility and are taking steps to cyber-ready us all, but parents, schools, companies and organizations all have a responsibility to educate in a way that builds awareness as well.
There is no equilibrium, no room to claim that along with increased threats we have appropriately increased cyber-hygiene and mitigation response. On the contrary, cybersecurity is a moving target, and it will remain so. Technology will continue to expand, threats will continue to increase and there are no doubt other elements, unknown to us now, that will further influence our security future.
The sky is definitely not falling, but we need to continue to take steps to prevent threats, to prioritize security risk mitigation and to train everyone on how to operate within this environment with the best possible cyber-hygiene.
Fran Trentley is Vice President Global Security & Government Services, Akamai Technologies.