19 October, 2022

Cybersecurity: the traditional ways no longer work

At the (ISC)² Security Congress this year, (ISC)² CEO Clar Rosso discussed how the non-profit organisation, which focuses on training and certifications for cybersecurity professionals, continues to help create a more secure cyber world. She said even governments are now thinking about the ecosystem, including obligations for the board of directors, the absence of cybersecurity expertise on boards, and the minimum that people need to know about cybersecurity.

The dearth of cybersecurity professionals is a perennial problem, Rosso said. "Ninety-eight point five percent of all small businesses around the globe have no cybersecurity professionals," she said. "If they are at risk, we all are at risk and that is making people sit up and pay attention."

"Two out of three cybersecurity professionals say they don’t have enough staff. The bigger the gaps on their team, the bigger the risk to their organisation," she continued.

She pointed out that addressing the problem in the traditional way - poaching talent from IT departments - is like "filling a swimming pool with a shot glass". "Our traditional ways of recruiting cybersecurity professionals are no longer able to scale to meet our needs...we need a new way of thinking," she said.

"We need to start recruiting non-traditional applicants and start investing in their development. We need to look inside and outside our organisations for career changers. We need to build our teams from the ground up from the entry level to the CISO. When we talk to you and your peers and we ask you to tell us what's the single most important thing you can do to shrink the workforce gap, this is what you tell us: invest in and retain existing staff ... we need each and every one of you," she stated.

The thorny issue has led to (ISC)² offering free Certified in Cybersecurity (CC) Online Self-Paced Training and exams to 1 million people, Rosso shared. (ISC)² will also work closely with partners as part of this programme to reach populations underrepresented in cybersecurity. Rosso said that the pilot was launched in January 2022, engaging 60,000 people. Another 50,000 had connected in the six weeks since the initiative was formally launched. At the time of the keynote, 20,000 had signed up for exams, and 7,000 had taken the exams.

Ann Dunkin, CIO for the US Department of Energy, spoke at the keynote about the concept of collective defense. She explained that the traditional belief is that if an organisation is a difficult target, criminals will attack someone else. "We recognise now that we can't take that attitude that we're all in it for ourselves," she said. Similarly, it is not enough to be compliance-based; a risk-based approach is better, she said.

Collective defense "flips the script" and requires clearly defined goals for cyber efforts, as well as clearly defined roles and responsibilities for each player within the collective defense. The right technology, the right people, and the right use of tools are all essential, she said.

"Make sure it’s ongoing and effective," she said.

SCYTHE Founder and CEO Bryson Bort discussed possibly overlooked vulnerabilities during the keynote. For example, a virtual private network (VPN) should not be able to connect into a corporate network with access to everything, and employees should only be using corporate assets for work, he said. Cloud and the Internet of Things (IoT) can be high-risk as well; he pointed to one well-known breach at a US casino that occurred through a connected fish tank.

Details

Join the One Million Certified in Cybersecurity programme.
