A media roundtable on Emerging Threats and Challenges of a Digital Asia, held during the RSA Conference in Singapore, provided fresh answers to perennial issues in the field. One key topic revolved around the shortage of suitable talent.
Dr Zulfikar (Zuli) Ramzan, CTO, RSA, said that the skillsets which are needed are evolving, and that the ideal candidate is a “unicorn”. “Folks who are technical are needing, more and more, to be able to explain what they do to normal human beings,” he said.
Narelle Devine, Chief Information Security Officer (CISO), Australian Government Department of Human Services, noted that cybersecurity skills do not equate to IT skills. “(We're) looking for IT professionals, (but we also need) some people who look at logs and understand how to reverse-engineer malware; we need lawyers, marketing people, comms people,” she said.
Magda Lilia Chelly, MD, CISO As A Service, noted that the cyber skills gap is a global one. As a business owner in the cyber space, she faces challenges in creating job descriptions, because cybersecurity encompasses so much, including the legal and psychological skills needed to tackle cyberattacks that occur through social engineering. “People, technology and process, you always need to have those in mind,” she said.
Her advice is not to look for someone who already fits the bill, but to help people acquire the skills instead. “Instead of finding someone with 10 years' experience, lots of security certifications...instead of doing that, find people who are passionate and build the right skills, then retain them after that,” she said.
Dr Zulfikar added that truck drivers are particularly suited to cybersecurity jobs as they have excellent spatial skills and are able to stay focused for hours, which helps with the pattern recognition required for identifying cyberattacks. “We can take people and retrain them,” he said.
Dr Hugh Thompson, RSA Conference Program Chair, RSA Conference, and CTO, Symantec, agreed. “Sometimes you take a chance with someone with an aptitude for security, send them to certification courses,” he said, noting that the market value of such individuals increases dramatically as a result.
Devine said the key to retaining talent is partly about engaging them with “interesting work”, possibly about money, but also about investing in them. “If you invest in (technical people), they feel like they should stay,” she said.
She also believes in taking a long-term view, or an “insurance policy”. Besides helping to fix the cybersecurity skills shortage by investing in people and providing a great work environment, she said that talent could retain an understanding of their current business and later return with additional experience and a valuable network of relationships. “Those relationships are what will get you through, when you reach out,” she said.
Dr Thompson added that he is seeing companies move to where they see the skills are. “One trend I’ve seen in the past couple of years and really accelerating, is taking the point of view, given the skillset shortage that we have, (that people are) moving company locations to those skillsets, (they) set up remote offices in a physical geography where they know they can get those skillsets.
“Look at how many multinationals have moved to Israel in the last 18 months and set up some kind of operation there because they see a steady supply of people coming out of military – some go into startups – but they realise that there is also a massive talent base that they can pull from,” he observed.
Chelly noted, however, that while the Singapore Business Federation offers a lot of cybersecurity-related training, it is a matter of being able to bring the horse to water but not to make it drink. “There is no way to force (SME owners) to go into the training room,” she said.
[Image caption: RSA has an academic alliance programme.]
RSA is trying to change things by providing the right kind of skills training to students. The company works in Singapore with the Temasek and Republic Polytechnics, for example.
Devine suggested automation as a partial answer to the problem as well. She said, “You need to automate. Leave work for humans that computers can't do, if we don't have enough people, then automate where it makes sense. What are the important things? I always tell my staff that it's going to be a person at the other end of the keyboard that's coming back at you. We think of cybersecurity as technical-to-technical, it is human-to-human with a technical layer in between, you need those technical layers, but people and process need to be on top to be successful.”
In a threat orientation, he said, a scenario where 3,000 PCs have to be patched means that all of them have to be patched, in no particular order. In a risk orientation, the PCs which have critical business implications and which have vulnerabilities get priority for patching. “I've identified the likelihood and the impact,” he said.
Conversations with CEOs and boards must revolve around the language of risk rather than the language of technology, he said. Stating 'there's a 93% chance we will lose US$2 million in the next month' is language that CEOs and boards can fully understand and act on, he explained. “I believe that if we are to have any chance of (changing things) you have to have those types of conversations,” he said. “Don't get so caught up in the advanced stuff. Focus on the basics and have those conversations.”
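The threat-versus-risk orientation for patching, and the "X% chance we lose Y" framing for boards, can be made concrete in code. The following is an added illustration, not code from the roundtable or from RSA; the fleet, the per-host compromise likelihoods and the impact figures are constructed assumptions, and the chance-of-loss figure assumes compromise events on different hosts are independent.

```python
"""Threat-oriented vs risk-oriented patch queues, plus a board-level risk statement."""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Host:
    name: str
    business_critical: bool
    vulnerable: bool        # has an unpatched, exploitable vulnerability
    likelihood: float       # assumed P(compromise this month) if left unpatched
    impact_usd: float       # assumed loss if this host is compromised


# Constructed sample fleet; every number here is an illustrative assumption.
FLEET = [
    Host("web-01", True, True, 0.30, 1_000_000),
    Host("db-01", True, True, 0.20, 2_000_000),
    Host("kiosk-07", False, True, 0.40, 5_000),
    Host("hr-laptop-12", True, False, 0.00, 500_000),
]


def threat_orientation_queue(fleet):
    """Threat view: every vulnerable machine is 'must patch', in no particular order."""
    return [h.name for h in fleet if h.vulnerable]


def expected_loss(host):
    """Likelihood x impact; a host with nothing exploitable carries no patch risk."""
    return host.likelihood * host.impact_usd if host.vulnerable else 0.0


def risk_orientation_queue(fleet):
    """Risk view: business-critical, vulnerable hosts first, ordered by expected loss."""
    ranked = sorted(fleet, key=lambda h: (h.business_critical, expected_loss(h)), reverse=True)
    return [h.name for h in ranked if h.vulnerable]


def board_statement(fleet, currency="US$"):
    """Return (P(at least one loss), total expected loss, sentence in the language of risk)."""
    at_risk = [h for h in fleet if h.vulnerable]
    p_any_loss = 1.0 - prod(1.0 - h.likelihood for h in at_risk)   # independence assumed
    total = sum(expected_loss(h) for h in at_risk)
    text = (f"there is a {p_any_loss:.0%} chance we will lose money this month; "
            f"expected loss {currency}{total:,.0f}")
    return p_any_loss, total, text


if __name__ == "__main__":
    print("threat view:", threat_orientation_queue(FLEET))
    print("risk view:  ", risk_orientation_queue(FLEET))
    print(board_statement(FLEET)[2])
```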
Dr Zulfikar pointed out that business professionals have a different approach to risk. “People in business have a more refined and nuanced definition of what risk is. It's not (about) how likely, but about the overall impact, primary and secondary impact...until we start to tie business value to what we do, we won't be able to... help them achieve (better cybersecurity).”
As to whether things are worse today, Dr Zulfikar said that according to RSA data, 80% of cyberattacks are “still vanilla”, albeit using more sophisticated, renegade toolkits. Nation state attacks comprise 8-9% of the total; while that is a higher number than before, it could be due to better detection methods, he said. The remainder involves insider threats.
Devine said that things will continue to go wrong. “I don't necessarily think that we're getting more (attacks), or that we're getting worse at security,” she said. “I think we're more able to detect these things.”
And while we typically talk about a generic threat landscape affecting everyone, that approach is impractical, Dr Zulfikar said. “The reality is that there is no one threat landscape,” he said. “There is a landscape of threats that matter to each organisation individually. We have (to) take a step back, (and figure out) who is trying to attack me, what are their goals, and use that to decide what the appropriate conversations are.”
Drilling down to what matters for an individual organisation is more important, Dr Zulfikar said. “(Determine) what are the overall goals and what matters to an organisation, and work your way from there,” he advised.
Hashtag: #RSAC