Black Hat 2017, held in Las Vegas from July 22 to 27, 2017, is one of the major cyber-security industry conferences of the year. This year’s conference highlighted the expected new cybersecurity threats, vulnerabilities and exploits. But the conference also highlighted a growing need to reexamine the enterprise’s workforce strategy when it comes to cybersecurity.
The focus of the Black Hat conference is digital vulnerabilities, flaws, exploits and threats. This year’s conference held several team break-in competitions, more than 80 sessions covering tools and demonstrations, more than 100 juried presentations, more than 40 sponsored research presentations and a show floor with almost 400 providers of security products and services. The range of experience among attendees is quite variable, with some people who’ve been in cybersecurity for three years at one end of the spectrum and others with more than 30 years at the other. And as usual, the famous Pwnie awards for the best bugs, attacks, backdoors and security research were announced.
The core themes throughout this year’s conference include:
- Attacker surprises are still ahead of most enterprise defenders;
- New hacks, exploit tools and techniques are becoming more serious threats;
- New approaches are in the market to deflect, identify and contain attacks; and
- Perhaps upwards of 20 percent of providers may not make it in three years.
One important discussion topic on top of these is a growing perception of a coming cybersecurity labor shortage. So far, though, this is still a discussion topic and a potential fear, not (yet) a factually grounded expectation. It is hard to tell today where all the skills shortage numbers come from and exactly which skills are or will be missing in the market. Obvious – but flawed – sources for these include job boards and company review websites. Others are reports from the Center for Cyber Safety and Education, which claim close to two million cybersecurity jobs will go wanting by 2020, but without demonstrating the basis for the claim.
Meanwhile, less than one-tenth that number – a little more than 121,000 people – are reported as being certified as qualified cybersecurity leaders or practitioners by the ISC2, one of the major certification bodies for the industry. Figures in its most recent financial report indicate that more than 25,000 people are taking its cybersecurity certifications annually. Assuming an 80 percent pass rate, this would fill about 180,000 positions with qualified personnel by 2020. If the shortage of 2 million personnel is to be believed, enterprise leaders will need to adopt new innovations for cybersecurity in the nearer term.
Innovations underway now will help enterprises to right-size the workforce strategy for cybersecurity. For too long enterprise hiring managers sought narrowly focused technology skills such as router, firewall and security incident and event management (SIEM) jockeys. These and other skills are going away, to be replaced by robotic process automation bots, machine learning systems, advanced analytics and data analytics of all sorts. Tomorrow’s cybersecurity ninjas will have to be data analysts first and foremost, and many if not most operational, “turn-the-crank” tedious task roles may in fact go away, replaced by bots. Beyond the change in roles and skills, the future of self-service for “Security-as-a-service” will need new and robust processes to support self-service integration, acquisition and management (SIAM) provider / vendor security service catalog management. Moreover, rock-solid business risk management processes and metrics that drill into security operations will be needed to operate cybersecurity for agile, digital enterprises. However, these will not be the only changes.
Some of the innovations include new digital deceptions that replace the need for people to conduct threat hunting, eliminating the need to hire harder-to-find, highly skilled labor to hunt for needles in proverbial haystacks. The difficult art of analyzing reams of seemingly senseless and unrelated threat data will become more accurate and faster, operating 24 by 7 by 365 without vacations and at much lower expense than hiring people.
If the looming cybersecurity talent shortage is real – and many say it is – then enterprise leaders will have to revisit and reevaluate the skills and hiring profiles for this sector of their workforce, the security service catalogs, and the operating models for cybersecurity. All of this will have to be done after determining what the “to be” state is, what the “as is” state is, and putting in place change management processes to mature the cybersecurity operating model to industrialize and risk-size it. Cyberattacks are not going away and neither is cybersecurity.
ISG will continue to deliver research on these and related cybersecurity trends to assist clients with making informed planning decisions. When Black Hat comes around again in 2018, the industry will be talking about new exploits, new attack vectors, and new vulnerabilities. Perhaps by then – 2018 – the workforce strategy and talent shortage issues will recede, but we doubt it.
NOTE: this Lens360 blog post was originally published online by ISG at http://insights.isg-one.com.