

How Cybercriminals Attack the Internet of Things

The proliferation of Internet of Things (IoT) devices is transforming entire industries, requiring all of us to rely on the products they market. According to a Gartner analysis, an estimated 20.4 billion IoT devices will be connected by the year 2020. This staggering number is making it far easier than ever for cybercriminals to execute an attack.

Cybercrime as a Business

Today, cybercrime is a business, and a ruthlessly dangerous one, attacking a wide spectrum of devices from medical devices to household thermostats, smart appliances, and every type imaginable connected to the Internet. The illicit business operates around the clock but typically attacks victims during unsuspecting hours. Its operators weigh cost against benefit, mainly to generate revenue, by selectively attacking victims during off-hours. Their tools of choice are custom built and unleashed against a specific class of IoT devices. Malware is commonly acquired online and then modified to exploit their victims.

There are many examples such as…

Will 2018 Be a Year Addressing the Skills Gap and Cloud Security?


There are plenty of unknowns with regard to information security, and one of the hard realities is that every cybersecurity leader seeks to protect everything but can only focus on what matters most in their organization. These are some of the goals they seek:

  • Gain an understanding of the direction the industry is going and where their organization stands.
  • Balance risk and obtain a return on security investments with an emphasis on resiliency, costs, and usability.
  • Acquire more control over what matters, in particular, the cloud and mobile devices.

Predicting the future is the art of working out how we will address unresolved needs, both current and past. However, in a world of unknowns, one sure way to predict is to look at trends in the industry.

The Skills Gap

The coined term that I often dispute is that the industry has a zero-unemployment rate. This is a rubbish analogy, as everyone knows there is no such thing in any industry whatsoever. Our current hiring practices do not go far enough in thinking outside the box, as there is a multitude of qualified talent available. Organizations are now beginning to realize the phenomenon of the gig economy, a vast, experienced talent pool that can hit the ground running and fit into any culture. In other instances, hiring in the traditional sense involves identifying candidates who meet the educational degree requirements, with employers in many cases demanding master's or doctoral degrees. Moreover, they like to see a steady progression in candidates' careers up the corporate ladder. Employers also list in job descriptions a vast array of skills that anyone would have a hard time obtaining in their lifetime. My discussions with corporate recruiters tell me those skills are only wish lists, yet my argument to them is that this will drive otherwise qualified candidates away. This is by no means indicative of the job they are recruiting for and usually reflects a disconnect with the needs of the hiring manager.

At a family Christmas gathering, two young lads approached me: one a graduate with a master's degree in cybersecurity from DePaul University in Chicago, and his brother, who is studying software engineering. Both shared their views on how hard it is to gain employment in the security industry. I asked what the University is doing to help them and began coaching them on things to do. After listening to their challenges, and to best assist them, I made them aware of an article I read concerning The Wall Street Journal, according to which only 15% of the approximately 1.9 million students who graduated in May 2017 obtained jobs or internships. Ninety-nine percent of those who enter cybersecurity programs are not aware of jobs in the profession, and a staggering 95% had never had any real-world work experience beforehand, which is not surprising.

However, academia is actively involved and has formed The Cybersecurity Workforce Alliance (CWA). This alliance is a regulatory community that combines public-private partnership efforts that are proactive on cyber threats, and it has now successfully engaged academia, government, and corporations. Its primary focus is to address the weakest link in our cybersecurity defenses, the skills gap. It has reportedly involved over 600 enterprise members, representing major financial institutions, consulting firms, and Fortune 100 companies.





In today’s real world, hiring in the biased traditional manner is rapidly becoming obsolete, as qualified candidates can obtain those skills by every possible means. It is true that having a degree and certifications has never dictated success; what matters most is the individual’s persona, their passion, the will to continually learn, and their heart and drive to succeed. This is indeed a vast and untapped resource that the industry must hire and bring into the fold.

Cloud Security is Priority

The maturity of cloud security has advanced considerably, yet a well-financed, determined adversary will still wreak havoc on even the most sophisticated defensive measures in use today. That is where the most resources are involved, and there is a movement toward predicting incidents, that is, knowing what is coming. Advancements in Artificial Intelligence and its subset, Machine Learning, are on course to support the proactive stance being adopted in many organizations.

Adversaries that directly attack a target organization will never give up until they find a way. Many advanced bad actors possess incredible sophistication and have an arsenal of zero-day exploits that target cloud providers and client subscription services. Organizations with sophisticated security defenses have them because they use sound cybersecurity practices and have educated their employees not to fall victim to social engineering. Yet with increased Advanced Persistent Threat (APT) sophistication, they are still victimized, as adversaries find a way around by attacking the supply chain. I foresee in 2018 a daunting increase in these types of attacks, which are difficult to detect and mitigate. For example, attackers using ShadowPad succeeded in Trojanizing some packages from NetSarang that are widely used around the world, particularly in banks, large enterprises, and other industry verticals.

Attackers have used popular cloud service platforms to conduct persistent attacks aimed at logging into corporate Office 365 accounts. These coordinated campaigns followed a low-profile pattern of brute-force attacks on high-value targets, with numerous failed Office 365 logins from various IP addresses and networks against some organizations.
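
The low-profile pattern described above (numerous failed logins against one account, spread over various IP addresses and networks) is what a per-IP failure counter misses. As an added example, not from the original post, this detection sketch groups failures per account and counts distinct /24 networks inside a sliding window; the event tuple layout, the thresholds, and all sample values are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sign-in events: (timestamp, account, source IP, outcome).
# The tuple layout and all values are made up; map your own log fields onto it.
SAMPLE_EVENTS = [
    ("2017-07-01T01:05:00", "cfo@example.com", "198.18.1.10", "fail"),
    ("2017-07-01T03:40:00", "cfo@example.com", "198.18.7.22", "fail"),
    ("2017-07-01T06:15:00", "cfo@example.com", "198.18.7.23", "fail"),
    ("2017-07-01T09:30:00", "cfo@example.com", "198.19.3.5", "fail"),
    ("2017-07-01T12:10:00", "cfo@example.com", "198.18.44.9", "fail"),
    ("2017-07-01T15:45:00", "cfo@example.com", "198.19.80.14", "fail"),
    ("2017-07-01T19:20:00", "cfo@example.com", "198.18.1.10", "fail"),
    ("2017-07-01T22:55:00", "cfo@example.com", "198.19.120.3", "fail"),
    # A user mistyping a password: many failures, one address, a few minutes.
    *[(f"2017-07-01T08:0{m}:00", "intern@example.com", "198.18.200.4", "fail")
      for m in range(7)],
    ("2017-07-01T08:30:00", "sales@example.com", "198.19.9.9", "fail"),
    ("2017-07-01T08:31:00", "sales@example.com", "198.19.9.9", "ok"),
]

def find_distributed_bruteforce(events, window=timedelta(hours=24),
                                min_failures=6, min_networks=4):
    """Return accounts whose failed logins in one window span many /24 networks."""
    failures = defaultdict(list)
    for ts, account, ip, outcome in events:
        if outcome == "fail":
            failures[account].append((datetime.fromisoformat(ts), ip))
    flagged = {}
    for account, rows in failures.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # slide window forward
                start += 1
            per_ip = Counter(ip for _, ip in rows[start:end + 1])
            networks = {ip_network(f"{ip}/24", strict=False) for ip in per_ip}
            total = sum(per_ip.values())
            best = flagged.get(account, {"failures": 0})
            if (total >= min_failures and len(networks) >= min_networks
                    and total > best["failures"]):
                flagged[account] = {"failures": total, "networks": len(networks),
                                    "max_per_ip": max(per_ip.values())}
    return flagged

if __name__ == "__main__":
    for account, stats in find_distributed_bruteforce(SAMPLE_EVENTS).items():
        print(account, stats)
```

The reported `max_per_ip` shows why this pattern stays quiet: no single address fails often enough to trip a per-source threshold, while the mistyped-password burst from one address is correctly left unflagged.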

During October 2017, a flaw was discovered in the cryptographic library used by Infineon. The library is used with their hardware chips for the generation of RSA primes. While the fault appeared to have been unintentional, it does leave open the question of how secure the underlying encryption technologies used by our cloud providers are, from smart cards to wireless networks to encrypted web traffic. In 2018, I predict that more severe cryptographic vulnerabilities will be found in the standards themselves or in specific implementations.

Flaws were discovered in commercial-grade Unified Extensible Firmware Interface (UEFI), which prevents boot-loading malware and backdoors from tampering with your OS. Think of UEFI as a small operating system that sits on top of system board firmware. Exploits have been known since 2015 from researchers hacking UEFI modules. The ability to run custom executable modules is dangerous: it makes it possible to create malware that would be launched by UEFI directly, before any anti-malware solution and even the operating system itself. We will see the discovery of more damaging UEFI-based malware in 2018 and beyond.
