RSA 2018: In the Golden Age of Cyber Crime we have a People Problem
Reading the title above your first thought might be a cyber-attack resulting from a deliberate insider or an unintentional, well-meaning employee. After all, people are the problem, right? However, our people issue today in the cyber industry is simple: lack of qualified human capital. It is estimated by Ponemon Institute that by 2020, we will have 1.8 million cyber jobs left unfilled. It is bad enough we are living in the Golden Age of Cyber Crime, where deterrence is lacking, the threat surface is expanding exponentially, and the technical talent to hire is way too limited. Unfortunately, this confluence of events is a cyber criminal’s perfect storm.
Our industry has to change how it hires, and what it expects from an employee prospect pool that is diversified in age, experience, race, religion and gender. Speaking of gender, at RSA 2018 McAfee presented a session titled, Building the Cybersecurity Innovation Pipeline, where Chief Human Resources Officer, Chatelle Lynch, pointed out a shocking statistic: “In 1990 32% of the IT workforce was women, and in 2017 is was 25%! This during a time when the industry growth exceeded 338%. The Good Old Boys Club is alive and well in technology circles.
Mc Afee CISO, Grant Bourzikas, part of the same RSA session, profiled the differences between a prospective employees based on age and diversity, from the experienced, highly paid and short term 50 something male, to the inexperienced “slightly career direction challenged” millennial. Additional research was very interesting based on recent college interns and graduates that had various non-technical education backgrounds but could be placed into technology roles and taught cybersecurity. CISO Bourzekas being a good example, as a college graduate with an accounting degree that found his way into high tech. Hint: the same attention to accounting details pays off in the cyber governance and regulatory environment businesses find themselves in today. The take away message was that the industry answer to this shortage lies in talent efficiency. McAfee provided an innovative and unconventional way to view and address the cybersecurity talent gap problem.
I was reminded of a conversation I had in 2014 with Lynn Dugle, then President of Raytheon’s Intelligence & Information Services Division, upon their $420 million purchase of cyber start up Blackbird, who provided surveillance and secure communications to spy agencies. Lynn mentioned that one particular individual, a developer/hacker with exceptional skills, was a self-taught gamer with a high school equivalency degree. This education background, together with the body piercings, tattoos, and hair to mid back, made his chances for a traditional interview path with Raytheon non-existent. Suffice it to say, this gentleman quickly established himself as an elite cyber warrior within the entire company, not just IIS. She told me with that lesson she realized just how much Raytheon had to change the way they not only hired, but managed, the highly skilled and unique cyber resources they would need in the future. Old stereotypes on employee profiles, and standard performance review models, needed to be shattered.
McAfee has the right formula, stress the “Gamification of Cyber”. Bourzikas cited research that “More than half (54 percent) of respondents who are extremely satisfied in their roles say they use “capture the flag” gaming once or more a year, compared to just 14 percent of those employees who are dissatisfied in their roles. (At McAfee, they run table-top exercises every two weeks, and red team exercises monthly.) Given the fact the cyber challenge has been described as sports strategy (basketball / football / soccer), a game of chess, and even war, this gamification focus resonates.
One theme at RSA 2018 was that our industry suffers from a lack of cyber talent today, and into the foreseeable future. We need more thoughtful innovation in hiring if we are to meet this challenge during the “Golden Age of Cyber Crime”.