In search of cybersecurity deputies

Cybersecurity jobs are in high demand in the Badger State, and a workforce shortage coupled with increased cyberthreats ensures they will be for some time.


The internet has at times been compared to the Wild West, a place where lawlessness abounds. From frequent new reports about data breaches, hackers, malware, ransomware, and any number of other nefarious acts perpetrated by cyber criminals, the analogy sometimes doesn’t seem too far off.

As a result, cybersecurity jobs are in high demand. ISACA, a nonprofit, independent association that advocates for professionals involved in information security, assurance, risk management, and governance, predicts a global shortage of 2 million security professionals by as soon as 2019.

The demand for cybersecurity professionals remains strong across Wisconsin, as well, according to new data from CyberSeek, a free workforce and career resource developed jointly by technology industry association CompTIA and labor market analytics firm Burning Glass Technologies.

Wisconsin employers posted 2,656 cybersecurity job openings during the 12-month period that ended in September 2017, according to CyberSeek’s Cybersecurity Supply/Demand Heat Map. That’s in addition to the estimated 8,900 cybersecurity workers employed in the state as of the end of 2016.


Wisconsin’s cybersecurity workforce supply and demand ratio of 3.4 is above the national average of 2.6 for cybersecurity workers. The national average for all jobs is 5.6, which means the cybersecurity talent pool would need to more than double overnight to align with the market average.

“The demand for skilled and certified cybersecurity professionals is surging from coast to coast and border to border,” says Matthew Sigelman, chief executive officer at Burning Glass Technologies. “In many states, including Wisconsin, the demand for cybersecurity talent outstrips the supply of available workers.”

CyberSeek, in alignment with the National Institute of Standards and Technology’s NICE Cybersecurity Workforce Framework, reveals that the categories of Operate and Maintain, Securely Provision, Protect and Defend, and Analyze account for the bulk of the job postings.

“The range of job roles cited in CyberSeek reflects the multi-faceted approach that’s required to defend against an ever-expanding cybersecurity threat landscape,” Todd Thibodeaux, CompTIA president and CEO, notes. “The reality is that everyone needs some level of cybersecurity knowledge and skills, whether they have ‘security’ in their job title or not.”


The Identity Theft Resource Center estimates that 8,037 data breaches that compromised personal identifying information records occurred between Jan. 1, 2005 and Nov. 1, 2017. That’s 16 times more data breaches than companies listed on the Fortune 500.

The average cost for each lost or stolen record containing sensitive and confidential information is $141, according to the Ponemon Institute’s “2017 Cost of Data Breach Study.” That cost jumps for businesses in financial services ($245) and health care ($380). Those dollar amounts do not include the cost of notifying affected parties, nor do they account for damage to a company’s reputation.

“One of the largest security threats facing organizations today is the human element,” says Jack Koziol, president and founder of InfoSec Institute, which since 1998 has trained over 50,000 security professionals on topics like ethical hacking, application security, vulnerability scanning, and more from its Madison and Chicago-area offices. “Just one mistake or irresponsible action is enough to cause a catastrophic security incident. Malicious insiders and endpoint threats like phishing attacks and malware can target unsuspecting users and give hackers access to systems. With the right credentials, it’s possible to access nearly any system and leak sensitive data.”

Security training for IT professionals must constantly adapt to the shifting security threatscape, notes Koziol. IT professionals today must learn more tools and understand more threats than ever before, but perhaps the largest shift in the training industry has happened in the non-technical, workforce training sector.


For non-technical people, general security awareness training is now required by many state and federal regulations, Koziol explains. This type of training must be role-based (for managers, developers, IT staff, etc.), plus relevant and rigorously updated.

“Security threats change rapidly; the one-size-fits-all, one-off training approach is no longer enough to help keep systems secure,” says Koziol. “Today’s information security professional must recognize both ongoing, external attacks, as well as malicious insider activity. This requires an in-depth knowledge of network traffic patterns, threat intelligence, intrusion detection, incident response, and computer forensics. Since many attacks start with a vulnerable endpoint, understanding of mobile device, cloud, and internet of things security threats is essential.”


Hacking in the early ’90s was often done “for sport,” or as hacktivism, notes Koziol. Sensitive data was largely stored offline, so the rewards of a successful hack were much lower. We also had far fewer news sources in the ’90s, he says. Today, large volumes of sensitive data are stored online and there are many more news sites reporting these incidents. “While we are certainly hearing about more breaches today, it’s likely just as many breaches are undetected (or unreported).”

Koziol explains large-scale breaches usually occur due to three factors: malicious or criminal attacks (47%), system glitches (25%), and human error (28%). While most large companies have strong security protocols in place, the challenge lies in fighting the ever-evolving security threatscape. “With new malware emerging every 4.2 seconds, it’s essential companies regularly audit and update their defenses. We also recommend workforce security awareness training to help educate staff on how to avoid security threats like phishing and malware.”

One of the best things we can do to protect our information is to stay educated about security threats, adds Koziol. “This may sound overly simple, but 28% of security breaches result from human actions like clicking a link or downloading malware. Hackers know it’s much easier to hack a human than a network — this is why 60% of hackers list phishing as their preferred hacking method. Organizations should also prepare to be hacked. IT professionals should keep sensitive data encrypted, backed up, and have a good business continuity program in place in the event of a breach.”

Beyond security awareness education, machine learning is emerging as one of the most promising upcoming security defense tools, notes Koziol. Computers can analyze an overwhelming amount of user behavioral data in real time. They can look for trends and spot deviations to identify intruders. They can also register and scan for new or evolved threats instantly to keep networks secure. Still, computers aren’t a replacement for warm bodies.

“Like in any other industry, the tech industry needs qualified candidates for a variety of positions — not just the help desk and networking roles we are all familiar with,” says Koziol. “Information security is a top concern for even C-level management, so both hard and soft skills are needed to not only implement security protocols, but also communicate ramifications of security breaches and mitigate security risks.”

Koziol also notes the increased participation of law enforcement agencies in combatting cyber issues from a criminal standpoint. “As cybercrime continues to increase, we can expect to see more involvement from law enforcement. One of local law enforcement’s greatest challenges is that cybercrime often crosses jurisdictional lines. This means that a local official may generate the report, but the investigation will be under the jurisdiction of a national organization (FBI). We can expect to see growing cooperation between local and national agencies to help combat cybercrime.

“The information security industry has developed certification and training programs focused on aiding cybercrime investigations,” Koziol adds. “The IACRB Certified Computer Forensics Examiner and IACRB Certified Mobile Forensics Examiner are two relatively new certifications designed to teach professionals how to investigate cybercrime. The challenge is that cybercrime is a moving target, so educational methods must be nimble to keep up with the cyber threatscape.”
