Last month, the US was reminded of the risks to its cybersecurity infrastructure when hackers attacked Colonial Pipeline, the largest fuel pipeline in the country. Holding its equipment hostage effectively halted fuel transport from the Gulf Coast throughout the eastern seaboard, igniting higher fuel prices and causing outages across the region. In the wake of the attack, we are seeing almost the same impact play out against JBS, the nation’s largest meat distribution company.
This has prompted a litany of administrative responses from the government on the cybersecurity oversight required for industries serving critical infrastructure, including an Executive Order from the White House. All of these calls to action ignore perhaps the biggest threat: people. No technology solution can be implemented, no network can be hardened, and no threat information can be shared without a qualified workforce to put the controls in place and maintain them.
The Biden EO focuses on sharing threat information via service providers that do cyber work for the government, modernizing federal infrastructure, imposing new software security standards, creating incident response and reporting playbooks, improving vulnerability detection, and enhancing logging and analysis of incidents. Each of these has some perfunctory requirement “to ensure that agencies have adequate resources to comply with the requirements.” But those resources are not clearly defined and are not even referred to as “people.”
As one 2020 study on the cybersecurity workforce showed, the 2.8 million professionals estimated to be part of the cybersecurity workforce need to more than double in order to close the current gap within the industry. Of those interviewed for the study, only 37% were 35 or younger, and only 5% identified as members of Gen-Z, 25 years old or younger. Only 42% said they began their career within the cybersecurity industry, meaning more than half moved from other professional fields.
When I worked in the Department of Defense fifteen years ago, we often had no choice but to identify unique pools of candidates and grow our own cyber talent internally because it was such a nascent and niche field at the time. Some of my most successful cyber analysts came from backgrounds in law, journalism, history and even biology. Today, CyberVista is helping clients like Palo Alto Networks hire more junior talent as system engineers by training them as part of their onboarding.
In the face of the growing gap between the cybersecurity industry’s needs and its current human capital, the report outlines four primary strategies to attract, recruit, and retain a broader pool of talent:
- Highlighting opportunities such as training and career development that grant members of the cybersecurity workforce more opportunities for advancement;
- Increasing measures to routinely attract a larger amount of potentially qualified candidates into the cybersecurity industry;
- Scouting candidates such as recent college graduates with degrees pertaining to cybersecurity, and generating avenues that allow seasoned professionals like contractors and consultants to transition into full-time cybersecurity roles; and
- Developing and cross-training existing employees within IT, and other cybersecurity professionals with transferable skill sets, to boost the industry workforce from within.
The cases of Colonial Pipeline and JBS may be just the beginning of major companies being the target of major ransomware attacks. Their decisions to pay the ransoms, however, paint a troubling picture and set a more troubling precedent. If your first thought is to ‘pay the ransom,’ either you have a clear response plan weighed against investment (a cost-benefit analysis) or, more likely, your organization did not have mature enough controls in place, leveraged by departmental leaders and its workforce. Ultimately, those effective controls need to be determined and implemented by an organization’s cybersecurity people.
History has shown that regulation can be a powerful tool to change behavior and, in many cases, to strengthen critical infrastructure. But if these regulations do not have more explicit and robust criteria that require companies, agencies, or organizations to have a measurably sufficient, competent, and proficient workforce, then they may as well be dead in the water. Unfortunately, regulations that help harden our infrastructure and support better monitoring or logging technologies will ultimately fail without a dedicated and highly trained workforce in support – to implement, evaluate, and keep up the work.
Simone Petrella is founder and CEO of CyberVista, a cybersecurity training company that focuses on providing a metrics driven approach that actually develops a qualified workforce.