By Mary Frantz, Founder & Managing Partner, Enterprise Knowledge Partners, LLC
May 21, 2020
The cybersecurity industry has continued on a steady migration from being reactive to proactive, enhanced by mobile and cloud, and moving from a known threat-based prevention model to an artificial intelligence (AI) predictive and resilience model. At the same time, the threat actors have become more sophisticated, better-funded, and have formed global collaborative specialized groups. They have the ability to mine stolen and legally scraped social intelligence, and store large, historically aggregated blobs of PII, resulting in sophisticated behavior-based and social engineering exploits.
Technology continues to expand in exciting new areas within quantum physics and computing, LiFi, hyper-automation, human augmentation, integrated sensors, liquid CPUs, photonics, satellite hacking, AI/AR, and so much more. All of these new technologies stress the limited supply of qualified cyber professionals while dramatically increasing threat vectors.
Throughout this evolution, two challenges remain constant: not enough qualified cyber professionals and too much isolation of the profession within the enterprise.
We all know the threats are real. Yet complex systems, devices and mobile applications are still regularly validated for security after development is almost complete, or even after they’re released into production. For many organizations, risk management and security testing are just a box to check to pass an audit with the minimum effort necessary. Much of our new technology being released remains inherently insecure from early stage development through production.
Recently, an incredibly talented, 30-year veteran AI developer and patent-holder from one of the largest companies in the world lamented, “Security prevents me from creating new systems, developing and meeting my deadlines.” Right now, they have threatened to quit if information security is allowed to see, let alone test, what they are doing before their work moves into production. Such a caustic environment puts everyone at risk.
When the parts of that ecosystem are fragmented by walls, roles and turf wars, nothing works efficiently and even the best cyber tools and the best cybersecurity experts cannot prevent the inevitable, and often very public, compromise. That environment results in less stability, more vulnerability, and is ultimately unsustainable.
Additionally, to keep up with the pace of change, the cybersecurity industry is taking current skills sets and trying to apply them to specialized vectors, with limited success. The lack of qualified cyber professionals, together with the lure of higher income, has created a boom of those seeking security certification. Cyber bootcamps have sprung up to fast-track certifications on firewalls, web application scanning tools, cloud security certifications and other specialized niche roles. However, much of the profession is still operating in a vacuum. Those becoming certified on firewalls don’t understand networks, those who are becoming certified in web app and code scanning tools do not understand cloud-based application development and microservices. As hyper-specialization increases, we are losing the ability to integrate across the enterprise.
The future of cybersecurity is not increased specialization and isolation, but rather the adoption of in-depth defense and cyber resilience throughout the entire lifecycle. If we are to be secure and not impede the progression of science and technology, cybersecurity must become integrated into an information and engineering ecosystem that is fluid and integrated, with those skills and knowledge embeddedinto all roles and occupations.
Just as all professions are now incorporating information technology as a critical skill, cybersecurity knowledge and skills must evolve as a specialty within various fields – not as a field unto itself.
Mary Frantz is Founder & Managing Partner, Enterprise Knowledge Partners, LLC. She has performed and led advanced ethical hacking (red teams), security assessments, managed multiple incident investigations for companies. She was the primary technical cyber expert in the Equifax, Yahoo and many other high profile breaches and security incidents … full bio