NVTC is inviting members to serve as guest bloggers, sharing insights and information on trends or business issues relevant to other members. Kathy Stershic of member company Dialog Research & Communications shares her insights below.
While the policy panel discussion at the summer’s Silicon Valley Cyber Security Summit pointed out the many challenges of governments trying to deal with the cyber threat, the second ‘Next Generation’ panel was all about the shortage of qualified talent to deal with the problem.
The good news – cyber presents a great career opportunity! As in, the industry needs lots of help. Now. The not so good news is that 40 percent of open IT security jobs in 2015 will be vacant. There simply aren’t enough qualified people to fill them. Technologies such as new threat intelligence and attack remediation products will continue to advance. That will help automate intervention, but there is still a need for people to skillfully apply them, and for others to create them in the first place in the face of a never-ending game of new threats. One speaker said that, as of only a couple of years ago, a new malware was detected every 15 seconds. Now two new malwares are detected every one second! The speakers expected that pace to accelerate exponentially.
There are a growing number of formal university programs in this area, but I was very surprised to hear that only 12 percent of computer science majors are female, and that population has been steadily shrinking for two decades. A marginal percent of those study cyber. So we’ve got a challenge with public engagement in the issue, an inadequate talent pool, and almost half of the student population not thinking about the problem.
Of course not all software learning is in the classroom and talented hackers do emerge. That is why General Keith Alexander [former head of U.S. CyberCommand] went to least year’s Black Hat Conference – while unconventional, he knew this is a place to find badly needed talent. There are also several incubator initiatives like Virginia’s Mach37, and many startups are trying to get off the ground.
Another challenge is that CEOs don’t fundamentally understand the complex cyber problem, so they delegate the task to the CIO. [This reminds me of similar dispositions toward Disaster Readiness and Business Continuity Planning pre-9/11]. Cyber threat is another form of business risk and should be planned for as such. One speaker mentioned that there is expert consensus, even from VCs who are scrupulous about how money is spent, that for a $100 million IT budget, 5-15 percent should be spent on security. While panelists noted cyber threat is a top discussion point for many corporate boards, there is uncertainty about what to actually do to prepare.
This is a tough issue all the way around. One speaker suggested repositioning the brand message to what regular folk will respond to – protecting our national treasures, homes and quality of life, critical infrastructure and national security. Nick Shevelyov, Chief Security Officer of Silicon Valley Bank, summarized the issue: ‘the technology that empowers us also imperils us.” I’m hoping more of us come to understand that and step up.
Contributed by Kathy Stershic, Principal Consultant, Dialog Research & Communications