The pandemic has given rise to an increase in the threat landscape with cyberattacks spiking during the first half of 2020.
According to the FBI, attackers have found new ways to exploit the conditions brought on by widespread lockdowns: as of May 28, 2020, the FBI’s Internet Crime Complaint Center had received nearly the same number of complaints in 2020 as it had for the entirety of 2019. The FBI also cited evidence that criminals were launching new fraud efforts aimed at diverting Paycheck Protection Program funds, economic stimulus checks, and unemployment checks into their own pockets. Moreover, a survey conducted by security vendor CrowdStrike found a 100X increase in COVID-19-themed malicious files from February to April 2020.
Info/cybersecurity was a hot career path before the pandemic. Now, it’s downright incendiary.
This is good news both for people who aspire to work in the security field and those already there.
Of course, global cybercrime costs have been growing for years, projected to be $6 trillion in 2021 according to Cybersecurity Ventures, which has also projected cumulative global spending on cybersec products and services to combat cybercrime reaching $1 trillion for the five years ending 2021. Now we have a pandemic that will push those numbers even higher. But the supply of cybersecurity workers has not met demand for many years: this gap has been highly publicized to be at least a 6 million shortfall.
What can and should employers do to fight back against the newer, more vicious cyberthreat tide? Where should employees focus themselves to capitalize on job and career opportunities?
First, it’s pretty clear that more employers will need to internally develop next-gen cyber experts who can develop and drive interconnected real-time systems. New professions and domain expertise are evolving, in particular the focus on hiring and supporting a team of machine learning experts to build custom cybersecurity solutions using existing hybrid tools and embedded Artificial Intelligence (A.I.) tech in human-operated products. There has been greater reliance on A.I. smart tools in the pandemic to handle the bulk of event monitoring and incident response. A new generation of firewalls, for example, will have machine learning technology built into them, allowing the software to recognize patterns in web requests and automatically block those that could be a threat.
A.I./cybersecurity staffing connection
To cope with the shortfall in seasoned cybersecurity professionals, and those with AI/ML expertise in particular, we believe CSOs, CISOs and other security leadership have their work cut out for them in both governance and staffing.
To begin with, how can they possibly deliver long-term improvements, and do so transparently and ethically, without first installing effective governance for A.I. in cybersecurity? There’s a good reason why security architecture placed #2 in my last column on hot tech skills getting hotter. That governance structure has to address many objectives in a security architecture:
- Defining roles and responsibilities for cyber staff
- Monitoring AI algorithm output by cyber analysts before any action is taken
- Implementing a mechanism to monitor AI algorithms’ output logic and upgrades
- Creating control processes to monitor if an AI algorithm is behaving abnormally
- Identifying the risk tolerance for the output generated by AI algorithms
- Instituting a ‘plan B’ if AI algorithms fail or are tampered with
- Implementing key performance indicators to measure success
In defining roles and responsibilities for an A.I.-ready cyber staff, a few critical security management capability requirements need to be met in the team they already have and new hires they recruit:
- Capable of improving the logic underpinning A.I. algorithms
- Capable of building algorithms that suggest and store complex passwords
- Process expertise
- Upskilling workers with organizational knowledge of ‘how things work’ at their company
- Create interfaces for cyber analysts to interact with A.I. tools and incident alerts
With employers spending $173 billion globally on info/cybersecurity in 2020, an increasing amount of the cybersecurity spending is focusing on Artificial Intelligence/Machine Learning (AI/ML)—and so should tech professionals target this in their career planning.
Here are the most common AI supported use cases as a guide for how managers and workers might want to target recruitment and job searches, respectively. I would put special emphasis on the first seven.
- Augmentation of human security analysts and SOC workflows
- New attack recognition
- Behavioral analytics and risk scoring
- User-based threat detections
- On-device detection across the endpoint kill chain
- Proactive security in disconnected environments
- Big data query generation and analysis
- Threat proliferation and spread detection analysis
- Autonomous response
- Threat blocking automation
- Malware detection and classification
- Agent consolidation and deployment across other security tools
- Attack classification (unknown, insider, persistent)
- False positive reduction
- Product self-healing
- Machine data comprehension
- Encrypted traffic analysis
- Policy compliance analysis
- Cyber-risk insurance
- Cyber-risk due diligence augmentation (pre-mergers and acquisitions)
Hot info/cybersecurity jobs in 2020-21
Our research indicates the following info/cybersecurity jobs and domains are best bets over the next two years for tech and business professionals looking to burnish their info/cybersec career job prospects.
- A.I. / Machine Learning
- Access/identity management
- Advanced malware prevention
- Analytics and intelligence
- Application security development
- Audit and compliance
- Automation
- Cloud computing/virtualization
- Cloud security
- Cyber Threat Intelligence
- Cybersecurity
- Data Security
- DevSecOps
- Firewall/IDS/IPS
- Incident handling and response
- Intrusion prevention/detection systems
- Mobile security
- Network access control/Identity mgt sys.
- Network security management
- PenTesting (Apps, System Security)
- Risk analytics/assessment
- Risk management
- Security Architecture & Privacy
- SIEM management
- Web services security
- Wireless security
In-demand info/cybersecurity certifications in 2020-21
Pay premium data and growth vectors recorded in our long-running IT Skills and Certifications Pay Index™ (data reported by more than 3,600 employers) point to the following security-related certifications as smart bets for increasing pay or visibility over the next two years. Not all of them are strictly classified as security certifications, which speaks to the pandemic’s effect on a broader overall security threat landscape.
- Certified Cloud Security Professional (CCSP)
- Certified Cyber Forensics Professional
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)
- Certified Scrum Product Owner
- Certified Secure Software Lifecycle Professional (CSSLP)
- Cisco Certified Network Professional – Security
- Citrix Certified Expert – Networking
- CompTIA Advanced Security Practitioner
- CompTIA Cybersecurity Analyst+
- Cybersecurity Forensic Analyst
- EC-Council Certified Ethical Hacker (CEH)
- EC-Council Computer Hacking Forensic Investigator
- EC-Council Certified Encryption Specialist (ECES)
- GIAC Certified Forensics Examiner
- GIAC Certified Incident Handler
- GIAC Certified Penetration Tester
- GIAC Enterprise Defender
- GIAC Exploit Researcher and Advanced Penetration Tester
- GIAC Systems and Network Auditor (GSNA)
- SAS Certified Data Integration Developer for SAS 9
- Six Sigma certifications
Diversifying the security team
Our vast network of employer/research partners tells us that info/cyber teams benefit from workers with different backgrounds, approaches and personalities who approach cybersec situations from completely different angles. People with degrees in psychology and law and those who have a criminal justice background have proven to be effective hires, as have people who can “think like a criminal”.
In addition to considering people with nontraditional backgrounds to combat diverse threats, we suggest targeting cyber potential within IT organizations. IT-skilled people working in networking, software development, systems engineering, and financial and risk analysis are smart choices according to our findings. Feeder skills include system administration, firewalls, routers, Linux or iOS OS, VMware, virtual machines, and open source software.
Soft skills have cash value
There has been a consensus among the CSOs and CISOs we’ve interviewed about the value of soft skills and a business orientation in recruiting and training individuals in their info/cybersecurity organizations. Specifically, they’re looking for these abilities and knowledge:
- Ability to translate technology risk to business risk
- Thinking business and learning business speak
- Understanding the industry
- Being open-minded and thinking outside the box (being strategic and not just tactical)
- Willing to develop ‘people skills’ and work at being trustworthy
- Ability to write and present high-level concepts coherently and succinctly, keeping in mind the language of business (or any audience)
The overall danger in developing a career in cybersecurity may be to overemphasize technical skills in your overall talent mix. Being multidimensionally skilled is good not only in multiple technical areas and threat vectors but also in non-technical areas.
Business-side people may not share the security pros’ zeal for pure security. Their role is to develop new business lines and keep existing lines profitable. Security must be presented with the bottom line in mind and used as a project business enhancement rather than a hindrance.
Security professionals who are adept at translating security concepts and objectives into language that can be digested by the people who control their funding and resources are highly prized. Understanding basic business concepts such as shareholder value, profit margins, cash flow, and supplier diversity helps here. Presenting security where possible as a value-add, framing security upgrades in terms of Total Cost of Ownership for reducing overhead/management of existing security, and being regarded as an enabler, not a disabler, are key. Security leadership looks for candidates who are sensitive to perceptions of security professionals and who can educate others in this regard.
Understanding your employer’s business model will help you explain how security supports business objectives. It may help to join industry associations, not just security-focused professional groups, to improve your skill sets and network.
Being able to write and present high-level concepts coherently and succinctly, keeping in mind the language of business, is something we heard often in our interviews. Quantitative analysis and skillful presentation of data are must-haves for anyone wanting to move beyond entry-level security jobs in particular. Capitalizing on conference speaking opportunities, blogging, and writing articles are excellent options for developing communication and presentation skills.