Part 1 of this article described the cybersecurity labor shortage and the unknown unknowns that threaten public and private networks alike. Part 2 will discuss how our nation's critical infrastructure is put at risk by this talent shortfall, as well as four essential skills that every cybersecurity employee should have.
We've heard a lot lately about attacks within the financial services and health care industries, and for good reason. These industries hold sensitive, personal data that attackers want access to. While these industries are bearing the brunt of current attacks, research shows this will soon change. Fortinet's recent Cyber Threat Assessment Program (CTAP) report showed that manufacturing is likely to be the next industry specifically targeted by ransomware. Manufacturing's quest is greater efficiency, often achieved through greater automation. Automation, however, brings greater exposure to cyber compromise. This same concern extends to the supply systems supporting these manufacturing developments, such as transportation.
For example, automation of the manufacturing floors substantially increases targets for attack because the manufacturing sector's success is built upon hitting delivery timetables; it cannot afford the massive, negative effects of a disruptive attack. Transportation systems supporting manufacturing, commuting or leisure travel operate in a similar fashion. Most are controlled by computers with the assistance of humans. Successful attacks on any part of these systems have cascading, not isolated, consequences. System defenses must address the known attack methods but also anticipate the unknown, including the when and the how.
These concerns are not limited to the private sector. When we take a look at government agencies' needs, there is not a single agency that does not require a more robust cybersecurity workforce. Government agencies are responsible for various systems and infrastructures that support the critical infrastructures mentioned above. Homeland security therefore always incorporates the risks to our critical infrastructures — from roadways to transportation systems to manufacturing and beyond. Incapacitation or destruction of any of these homeland segments would have a debilitating effect on security, public safety and the economy. Technology alone can't protect these systems because the threat is not just technical. In order to fully protect these critical infrastructures, we need skilled cybersecurity professionals in a wide array of competencies to protect against the known and the unknown.
Knowing the known to uncover the unknown
While the workforce shortfall is one we cannot ignore, the question becomes: How do those entering the cybersecurity field know what tools and skill sets are needed to be successful? Here are four key areas that those entering the cybersecurity field should have in their knowledge toolbox:
-- Understanding: A basic understanding of how IT messaging works is foundational in any cybersecurity position. Knowing how programs exchange messages and what data or information is included in those messages is paramount for cybersecurity professionals.
-- Human nature: The common misconception within IT is that you only need to know how technology works. This is contrary to the world in which we live. Sure, understanding how technology works is necessary, but what is more important is having an understanding of the people using the technology. Knowing human nature and the characteristics of those using the technology will provide a better understanding of how preventable breaches such as email phishing attacks infiltrate networks.
-- Lock and key: When you think of how much of our personal information resides in digital form, cyberthreats become more personal. From banking to health care to our tax returns, all are for the most part done online or in digital form. These are the known knowns. We know the type of data and we know it is at risk, but without groomed professionals prepared to fight the cybercrimes of tomorrow and keep this data protected, all of our online information can be compromised and held hostage. We must apply the key learnings from these knowns to future unknown threats so they can be anticipated and mitigated earlier, or blocked altogether.
-- Education is power: Through the National Initiative for Cybersecurity Education (NICE) program, the federal government is taking steps to establish an ecosystem of cybersecurity education, training and workforce development across the public and private sectors. Keeping up to date with NICE's recommendations will give those entering the field a leg up on the competition.
Threats are increasing daily across every industry worldwide. If actions are not taken to bridge the cybersecurity workforce gap, particularly within government agencies, society will become paralyzed. Solving the known unknowns and the unknown unknowns of tomorrow requires educating, building and reinforcing our cybersecurity talent pool and workforce. This involves training the people using technology that transmits data to understand what information is held within the data, as well as creating more of the professionals working behind the scenes to protect it moving forward.
Ensuring the secure future of our society and global economies depends on security technology innovation, but it also depends on the people who operate our global cyber businesses. While there are many unknowns on the horizon, what we do know is that cybersecurity will continue to remain a hot topic. We need an expanded, skilled cybersecurity workforce today to protect against the unknown threats of tomorrow.
Steve Kirk is a cybersecurity professional with 17 years of experience, 11 of them with Fortinet. Prior to Fortinet, he worked for network security company Secure Computing, 3Com and Foundry. Kirk has 26 years of experience supporting the U.S. federal sector. He is a graduate of Radford University.