Hot Topics in Cybersecurity

The Dire Consequences of the Cybersecurity Skills Gap

Our friends at ISC^2 have completed their 2020 Cybersecurity Perception study. And if it teaches us anything, it’s that cybersecurity is a pretty darn great career path – just not one that most respondents would want to pursue themselves.

It’s sort of the career equivalent of that rom-com trope — “I love you, but I’m not in love with you.” Generally speaking, people are happy to be “friends” with cybersecurity… but they’re just not looking for a relationship right now. Sigh.

This news actually lands somewhere between heartening and disheartening. After all, only 1% of the 2500 people surveyed described cybersecurity as a “bad” career path. Who wouldn’t want to be generally considered smart, technically skilled and as “good guys fighting cyber crime” — as the survey summary suggests? But, as great as it is on this side of the fence, 69% say that while it’s a good career path, it’s not one they’d be interested in taking on.

The study found that Generation Z (those currently younger than 24) has the most negative view of cybersecurity as a career path. This is troubling, as the job market is flooding with more “Zoomers” each year (as the Boomers make their way to the Social Security office).

So where’s that leave us? With an ever-growing 3 million (million!!) open jobs in cybersecurity across the globe, the study is a good reminder that we need to leave the door open for younger generations to pour in.

ISC^2 agrees, pointing to widening the appeal of cybersecurity to include non-technical components and a variety of different roles, increasing educational opportunities, and developing a more focused effort in recruiting.

At the New Orleans & Little Rock Cybersecurity Summit on Sept. 24, Michael Osterman of Osterman Research discussed the widening skills gap in the industry. He cited his research, which found that three in five organizations consider the skills shortage either “serious” or “very bad.”

The biggest issue is in filling positions related to proactive threat hunting and threat intelligence. Staffing issues in these areas present a major problem within organizations — nearly a third of organizations reported that the lack of professionals skilled in proactive threat hunting presented a serious or extremely serious problem.

Hot Topics in Cybersecurity Posted by Jen Greco on Sep 23, 2020

Interview: Det. Cons. Brings IT Experience to Cyber Law Enforcement

Kenrick 3.0 is on his way.

After a long stint setting up a full-scale data security architecture at a major bank in Bermuda, followed by a few major career changes that landed him perfectly in law enforcement, Detective Constable Kenrick Bagnall of the Toronto Police Service has had his fair share of learning experiences.

His life on the island as an IT pro? That is Kenrick 1.0.

His life as a cyber crime-fighter? That’s Kenrick 2.0.

With that experience comes some great advice. When the Data Connectors team sat down with the Detective Constable at the TPS C3 (that’s Coordinated Cyber Centre), he certainly wasn’t short on insights for everyday Canadians, business owners, and anyone looking to enter law enforcement in the future.

FROM THE IT DEPARTMENT TO THE FRONT LINES

After returning to Toronto following many years in Bermuda as the Vice President of Information Technology at a major bank, he set his goal to be a consultant — but the work just wasn’t what he’d wanted it to be.

Heading back into the private sector wasn’t the right fit either, after he’d been met with the “Overqualified” label time and time again.

Then a family friend showed him a clear path into the Toronto Police Service, specifically the tech crime unit, which was fairly new in the mid-2000s. Long story short, he took the test, got hired and was in training inside of a month. But at the start, he was on the front lines.

“I was a 42-year-old rookie. ‘The Rookie’ show on TV — that was me,” Bagnall said.

He’d had his fair share of physical altercations during arrests, chases, and more. After dipping his toe in tech crime, he realized it wasn’t the perfect fit after all, so he took a more investigative track. That led him into fraud investigation, followed by the cyber division in 2015.

“The rest, as they say, is history… as far as Kenrick 2.0 is concerned.”

Now, his focus is on helping the community stay informed about some of the threats that they face. 

“I truly enjoy what I do, I’m like a kid in a candy store. When I come to work, I get to ‘play’ with technology, I work with smart people, and advocate for victims and bring criminals to justice.”

BECOMING INFORMED ON CURRENT ISSUES

One of the greatest challenges we all face in this age of information overload is figuring out whom to trust and where to get information. Bagnall offered his thoughts on where he gets his news, plus how to verify the truth of what you’re reading.

The first step? Be sure to verify everything you read. 

“Triangulate your sources,” Bagnall said. “Where else is that coming from? Is anybody else saying the same thing? And if not, why?”

He said he leans heavily on his fellow law enforcement agencies for first-hand confirmation of the things he hears. 

“My first trusted source is in my own community,” he said.  “If one of my fellow law enforcement officers on the West Coast says to me, I saw this last week — that’s going to be a trusted source for me.”

There are a few organizations in the cybersecurity space for which that is a core competence. Law firms that use cybersecurity best practices within their agency are another option, as is information from trusted sources within the community, including solutions providers, litigators, and community partners.

SUCCESS FAVORS THE PREPARED

When a breach happens, your success in overcoming it depends on how prepared you were, according to Bagnall.

Calling on his experience as an IT professional before heading into law enforcement, Bagnall sympathizes with business owners who need to manage the goals of the organization — and he said he can understand where the recommendations of law enforcement might not always work well with a business.

“We always say not to pay because it’s a form of extortion, and that’s something as an agency that you can’t support, but at the end of the day, that’s a law enforcement recommendation. It’s a business decision — do we pay?”

Good preparation includes having a cyber incident response plan and awareness training within the team. But those things don’t always happen, and sometimes the best way to react when a ransomware issue comes up is to take a step back and do what’s best for the organization.

“If I were giving advice to a CEO, I’d say, forget about looking at backup and recovery, and the latest whiz-bang solution that’s going to help you recover from ransomware,” Bagnall said. “Look at your business and look at what you really need to do to continue the business in the face of something like this.”

The first thing they should do is to get some expertise. Get some boots on the ground to manage this. The value of engaging a breach coach is huge, Bagnall suggested. In fact, Digital Guardian published in 2018 that, on average, a company in the US that was breached is out about $8 million. A breach in Canada will run the company about $4.4 million (USD).

While you’re managing the breach on a professional level, don’t forget to reach out to law enforcement. 

“Historically, law enforcement isn’t the first call. But hopefully if they’re doing things the way I would like to see them fit us in there at some point,” Bagnall said.

THE STATE OF CYBER CRIME

For Bagnall, the biggest threats are ransomware and business email compromise.

“I think the biggest hurdle is still ignorance. A lack of understanding and a lack of awareness, both individually and in organizations as to what threats are and how we can best combat them,” he warned. “Trust no one.”

“We are not making cybercrime watercooler conversation. It should be part of the everyday vernacular. Around the watercooler. To our kids, to our parents,” he said. “I think it’s only when we start having that dialogue, we’ll start making headway.”

So what’s next? Bagnall’s next project is something he’s calling “Cyber Cop 2030.” 

“It’s really what cyber investigations may look like, in my opinion, ten years from now. And what it should look to become more efficient. Because it’s not today.”

We’ll be keeping our eyes peeled for Kenrick 3.0 as he progresses this effort.

Interviews Posted by Jen Greco on Sep 20, 2020

Business Conferences Amid the COVID Crisis: A Look Ahead

We’re all hunkered down in quarantine, so major trade shows have been cancelled. Virtual events will get us through this patch – but what comes next?

It is said that in times of crisis, we adapt.  We modify our behavior and we persevere.  And when the immediate crisis has subsided, we look at what worked, and often adapt much of it into our lives as we move forward.

We’re obviously in a crisis now, and among the many changes we have had to make is one that impacts our professional lives.  For years, we’ve regarded major conferences and trade shows as an integral part of our technical learning curve…and yes, as a major part of our social interaction with our industry peers.

That’s all changing before our very eyes, and the COVID crisis is only one element.  To be sure, the restrictions placed on our travel and ability to assemble have directly impacted the conference industry.  A recent article places the loss at more than a billion dollars, and that number has only increased since then.   O’Reilly’s decision to shutter its physical conference business also hit the industry like a bombshell.  But our ability to adapt and change presents us with other opportunities.  O’Reilly’s CEO acknowledged as much, saying, “With large technology vendors moving their events completely on-line, we believe the stage is set for a new normal moving forward when it comes to in-person events.”

The past few years have seen accelerated growth in smaller regional conferences, along with a greater emphasis on virtual conferences.  The shift has already begun, and we believe it will continue long after we are back to “business as usual,” which we believe will NOT be “business as usual.”

For openers, CFOs and others responsible for the bottom line will be more active in questioning the value of spending significant sums of money on a conference in Las Vegas or elsewhere, especially in light of the cancellation of conferences this spring.  What, they will ask, is the ROI for going to these large get-togethers? Can the money be more efficiently and effectively spent to attract and retain prospects and customers?  Are there smaller, regional alternatives that cost less and pose fewer risks?

Conference attendees ask the same: Can I spend less money and achieve similar results closer to home? Would I prefer to be among a smaller public gathering? Can I simply attend an online forum of some sort?

Regional and virtual summits will meet those needs on both counts; in fact, they have already begun doing so.  A recent Los Angeles-based physical conference that had signed up 300 participants quickly pivoted to an online Virtual Summit when the “stay at home” order was issued; in the process, the event more than doubled its registrations.  Even when things get back to normal, companies may well see regional conferences as delivering the same educational and business benefits as the large mega-conventions.  They will be treading lightly, with even less inclination than before to attend and spend at the bigger shows.

I’m not suggesting that all of the big conferences will shrivel up and fade away.  Those sponsored by major vendors, like RSA, Microsoft, Tableau and Gartner, will still be held and will still be successful.  But the COVID crisis has forced companies, big and small, to take a more focused look at the conventions they may have previously taken for granted.  (And it’s not only in the tech sector, of course; events like hardware shows, auto shows, even PizzaExpo, have been delayed or cancelled.)

Our current crisis has forced us to adapt and to alter our thinking in any number of areas.  The purpose of the conferences we attend, to learn and interact with our peers, is and will be no different than in the past.  Their physical nature, however…where and how they are held…will be.  The change has already begun.

Virtual Events Posted by Michael Hiskey on Apr 10, 2020