Studies suggest we’re on the verge of a severe cyber security talent shortage that will leave individuals and organizations unable to protect themselves. But earlier this week, cyber security experts at a kick-off event for a new cyber security MOOC discussed how these studies assume the way forward is creating more jobs for cyber security specialists, which might not be the solution companies need.
“We are at a crossroads,” Antti Vähä-Sipilä, Principal Security Consultant, F-Secure, told the audience. “If we continue as now and continue to mop up things, well plausibly, there could be a need for 2 million cyber janitors that actually clean up stuff from the floors and ceilings when things go bad. The problem is…nobody is going to shell out that amount of money.”
“Scenario B, which I hope will be the one that will prevail, happens when the cost of security gets internalized and rolled into the cost of software or products. The more plausible way for this to happen is for companies to understand that it will be cheaper to do secure software development or secure product development than insecure product development.”
Antti is touching on secure by design. In a nutshell, this is the idea that security should be designed into software from the start (as opposed to being treated as an afterthought). But sadly, the vulnerable consumer routers, webcams and other internet-connected devices sold on the market today indicate that this idea isn’t as popular as everyone might like.
Speaking at the event, F-Secure Cyber Security Advisor Erka Koivunen told the audience that nobody starts off as a purebred cyber security expert. “Security is always a feature of something…so you have to learn other tradecraft before you call yourself a security expert,” says Erka. “You have to learn how to debug before you can be a cyber security expert in a software development field. If you’re a sys admin, it’s only natural that you learn security tradecraft. Otherwise, you would not be a good sys admin.”
So having a more widespread understanding of security practices, particularly among those working in IT roles, can be a tremendous benefit to employers, companies, and their customers. Essentially, it would allow them to be secure by design. They would know how to design secure products for customers. They would know how to keep company systems secure. That doesn’t mean they’ll never have another security incident. But they’ll certainly be more prepared to deal with it. And opportunistic attackers will always go after the low-hanging fruit first.
However, in spite of the value of cyber security, it doesn’t seem to be prioritized as a core IT competency by educators. But there are solutions available to companies looking to make improvements to security through personnel.
Cyber Security Base is a security training course designed to teach people the skills they need for entry-level cyber security jobs, making it a good resource for people with knowledge or experience in other IT fields. Plus, it’s free and accessible to people all over the world. Webinars, ebooks, and other resources can also be useful in drawing attention to specific issues or threats.
But whatever you do, it’s important to remember that company employees are often overlooked as security resources. Spending a bit of time teaching them how to prevent security incidents could save you a small fortune in post-cyber-attack cleanup bills.