Multi-pronged approach to tackle cyber skills gap
Conference hears no one measure will be successful in addressing the skills gap, as security skills initiative launched
9 October 2018 | 0
The cyber skills gap is not an IT issue, but a business one. Furthermore, it is a numbers issue that requires not just the encouragement of new entrants, but the cross and upskilling of existing IT professionals.
These were key themes addressed at the Technology Ireland ICT Skillnet conference entitled “Filling the Cybersecurity Skills Gap” at the IMI, Dublin.
“You are not unique in having a skills gap, you are unique in having a government addressing it and putting money behind the policy,” James B Alvilhiera, IBM
Paul Healy, CEO, Skillnet Ireland, referenced a University of Wales study that identified some 1,500 digital skills that ranged from using productivity tools up to cyber security, under the context of building digital intelligence and developing capabilities across the board. He said this broad awareness was necessary to recognise and develop the skills base to allow more specialisation as demanded by industry megatrends such as the pace of technological change, the development of global value networks, changing consumption patterns, shifting economic and political power structures and changing demographics.
Carmel Somers, organisational psychologist and talent manager, IBM, and chair of the Cybersecurity Skills Initiative (CSI), described how that initiative will target 5,000 people to be trained in cyber security skills, with a further 1,500 having skills certified. A thousand companies will be targeted for an awareness programme with 4,000 the target for skills development in the 2019-21 timeframe.
Road to Excellence
Somers referred to a ‘Road to Excellence’ framework involving five steps in a pyramid. At its base was the establishment of a cyber security skills pathway to build knowledge, skills and expertise. Alongside that was organic growth whereby the skills base is broadened with internal mobility. Atop these were the buy-in from the business with acknowledgement that a cyber skills gap, particularly in cyber security, is a business issue, not an IT one. Opposite was the need for new entrants to take up the discipline, and recognition that not all entrants to the cyber security field should have a primary degree. Finally, this was all topped with the theme of continuous professional development to ensure that skills are updated and developed to provide not just currency but also the chance to develop as careers progress.
Una Fitzpatrick, director, Technology Ireland, highlighted that CSI strategy recognises that it is not just a skills issue, but also a numbers issue. We need to encourage those with the interest and the aptitude to cross skill and upskill to bring new entrants to the industry, she said.
Sean Kyne TD, minister for digital development, praised the CSI for its scope and ambition. He said it was his great hope that through such initiatives, as well as those in among the general public, would mean that eventually, cyber hygiene would be ingrained as the rules of the road.
Security guru Brian Honan described the current threat landscape, and although he highlighted the increasing sophistication of attackers and their methodologies, he warned against using such terminology inappropriately.
“If you are hit by an attack, please don’t use the phrase ‘it was a sophisticated attack’ because the most common causes are these simple things,” he warned.
Citing various sources, from the Verizon data breach report to the IRISS CERT data, he said that root causes are often all too prosaic.
He listed common causes of breaches as the likes of poor passwords in web-based attacks, missing patches, vulnerabilities in web platforms and out of date software. Antivirus applications that had not been updated, missing patches and a general lack of monitoring are still behind many data breaches he reported.
Honan warned that the blackhats are developing their capabilities too and foresees ransomware attacks becoming automated. Internet of Things (IoT) devices will continue to be a challenge to secure, and social engineering will become an ever more common element to cyber attacks.
There was hope though, as Honan gave advice on how to protect organisations. He advised the use of existing frameworks, such as ISO 27001, the NIST framework and the Center for Internet Security Cyber security framework. These frameworks can then be combined with a risk-based approach that identifies the key areas that require the most effort and resource. Security awareness training is also vital, as Honan said that one of the most important aspects of cybersecurity is that all the technology in the world alone will not keep us secure — people will keep us secure.
Finally, he said information sharing is key, as by sharing experiences and information, people know what to expect and will be better prepared to detect threats and protect each other.
Detective Super Intendent Michael Gubbins of the Garda National Cyber Crime Bureau (GNCCB) talked about the bureau’s work and what was and wasn’t within its remit, differentiating between cyber-enabled and cyber-dependent crime.
DSI Gubbins highlighted a key aspect of their work was what was needed form organisation to facilitate Garda investigations. He said they need to speak to people with specific knowledge of the systems involved, and those with the right access to facilitate evidence gathering. He said log files are key to understand what happened, and in what context.
Another point he made was to address a common misconception. He said when investigating cyber attacks, GNCCB will not interrogate your system. We work with you and your team to help you give us what we need, he said. It is a cooperative effort, he reassured, we are not going to hack you again.
James B Alvilhiera, world-wide sales leader and cyber security expert, IBM Watson Talent, talked about creative approaches to addressing future cyber skills needs, and outlined frameworks for new as well as internally mobile training and development.
He put the Irish situation in context, based on his work internationally.
“You are not unique in having a skills gap, you are unique in having a government addressing it and putting money behind the policy,” he said.
However, he said that universities in particular must change to cope with the speed of change in the industry and turn the usual 4 years into something more like 16 weeks to begin to produce people with immediately applicable skills.
He also decried the requirement by some HR departments for a primary degree as a base level qualification for entry into some organisations for cyber security professionals. This he described as an eighteenth century approach to a twenty-first century problem.
AI and cyber security
Exploring the topic of artificial intelligence as the future of cyber security, a panel comprised of Robert McArdle, senior threat researcher, Trend Micro, Patrick Bayle, principal systems engineer, Cylance, Matt Walmsley, EMEA director, Vectra, and Dermot Williams, managing director, Threatscape, discussed where the technologies are best used.
Trend’s McArdle said AI is not a silver bullet, and despite marketers’ efforts to apply it to everything they can, sometimes there is a much simpler solution that already exists.
“For any solid security set-up you have, yes will it have some machine learning in there, and some signatures, behavioural detections, IDS and everything else. In a good security set-up machine learning is just a feature, it is not the be all and end all. It is one of many — because there are ways to defeat it.”
Vectra’s Walmsley pointed out the average life of a security tool is two years.
“Over time, enterprise has built technologies and bolted them on, and there is a way that you can remove the layers with AI, because it is a big data analysis — taking what all of these various components are doing as part of the evolution and really bringing it back into one product,” said Walmsley. “I think there are some opportunities to automate not only your detections but also remediations for anything that is time critical. You can automate all of that.”
Threatscape’s Williams argued that we are only at the very start of the curve for AI and automation, but that the pace of iteration is such that it will come sooner rather than later. However, he warned that first generations of technology are always going to be imperfect. It will learn and get better, he said, so initially, it should be used cautiously initially and where it is best suited to the task.
When asked if there were examples of threat actors using AI, Walmsley posed an important question in return: how would one know?
McArdle put some context on criminal use and development of AI technologies.
“It’s all a game of cat and mouse, and this is just the current round.”
He pointed out that hackers lack the data necessary, in terms of volume and quality, to train AI as the technology currently stands. Also, the profit motive means they are unlikely to spend their own time developing such things and instead will likely continue, in the main, to target the more easily attained.
McArdle said that even though they have not observed hackers leveraging AI in attacks just yet, they are themselves using what he termed ‘adversarial methodologies’ to test tools, breaking them and learning from the failures to implement better, more robust solutions.
Cylance’s Bayle cited a study from the US Defence Advanced Research Projects Agency (DARPA) that found in training AI and ML, the old adage of more data is better has been adjusted to the right data produce better results.
Walmsley then advised that a good test of any vendor in selling tools that claim to leverage AI is about the data used to train that AI. Where did the data come from, how was it curated, cleansed and deployed? This would provide a better basis for judging AI claims in the cyber security context.