(Special thanks to Cyber Security Chicago for complimentary access to the conference and its attendees. For an overview of Cyber Security Chicago, please check out yesterday's preview with David Juniper, Director of Events.)
As a teenager in his basement in Bensenville, Marcin Kleczynski was looking for a way to remove malware from his family's shared computer. After looking through a variety of message boards with volunteer "superheroes", he found plenty of antivirus programs but few resources for malware. Teaching himself how to program, he developed software that was initially geared towards consumers, but then also leaned towards enterprise solutions. Those efforts grew into the Chicago-based company Malwarebytes, focusing on half consumer and half enterprise solutions.
Later this morning, Marcin Kleczynski will present at Cyber Security Chicago. His presentation, titled "Is the New Cybercriminal Mafia Winning? Recruitment, Retention and the Hire", focuses on a hiring gap around cybersecurity. As the event description states:
“... cybercriminals are taking notice and capitalizing on white hat shortcomings…(and) it’s becoming increasingly hard to hire the right people with the acumen, training and know-how to protect today’s enterprises from security threats”
As Marcin explained to me, there is a scarcity of "white hat" professionals since universities are not graduating enough trained talent. Many larger business organizations are poaching talent from smaller organizations, resulting in some security tasks being outsourced. This scarcity of trained professionals is becoming a growing threat, and many larger companies (like Amazon) will pay double for such talent. An ethical dilemma also arises: if someone can earn greater income working as a "black hat" professional, why not?
Without "white hat" professionals, data breaches both damage the reputation of companies with their customers and compromise customer data. Although customers are impacted through possible identity theft, we are trending quickly towards potential attacks on infrastructure such as airlines and nuclear power. (To paraphrase Marcin Kleczynski, the first death due to a cybersecurity issue is near.) This gap in cybersecurity hiring is more difficult for nonprofits and social enterprise organizations since they are challenged to invest in hiring talent. Smaller businesses have a more difficult challenge in attracting and retaining such talent.
But for job seekers or people seeking to transition, there are a great number of resources and approaches. Various certifications, programs, and books can aid those already working in information technology. For those who are looking to enter the field as a potential "white hat", having IT and engineering skills is important, but communication is also critical. (We'll talk more about that tomorrow.) Potential cybersecurity issues are not only a technical issue but a communication issue, and the ability to communicate and manage change can enhance a professional's status as a "security organism".
However, finding the right "white hat" professional is also a challenge for many organizations because they may not know what they need. Many organizations usually react rather than act proactively, and may not invest in data security until it impacts them directly. In order to determine their needs, Marcin suggested that organizations take on a philosophy of "defensive pessimism". One of the examples Marcin Kleczynski cited was a large company that took proactive steps in preparing for a data breach, which included:
- Creating a wide variety of "what if" scenarios that could occur;
- Scoping out the cost and impact of these scenarios on their organizations;
- Running these scenarios and determining how the company would respond; and
- Implementing appropriate changes.
Many organizations can take simple measures to avoid breaches even without planning. These include:
- Downloading and installing appropriate software patches;
- Regularly using antivirus software;
- Never reusing passwords; and
- Regularly backing up data.
Despite the hiring gap, there are various simple cybersecurity measures which job seekers and organizations can adopt. One skill, however, has been highlighted for "white hat" IT professionals: communication.
Tomorrow's Cyber Security Chicago post will focus on how organizations can communicate data security issues more effectively.
Until then, please feel free to leave comments below. You are also more than welcome to join the conversation on our Facebook page. If you wish to contact me directly, please do so via this online form.
And thanks for reading!