The Future of Cybersecurity: Human Capital Landscape

Nicholas Borton, August 30, 2016

Los Angeles DGS 16 presentation

PROPRIETARY AND CONFIDENTIAL

Security Threatscape

Past

• Malicious Hackers

– Website Defacements

– Worms

• Spammers

– Ad Revenue

• Crime Rings

– Carding

– Phreaking

Present

• Criminal Organizations

– Credit Card Theft

– Identity Theft

– Bots and Bots of Bots!

– Ransomware

• Hacktivists

– Denial of Service

– Reputational Damage

• Nation States

– Intellectual Property

– Cyber Warfare


Evolution of Threats - Past

1. Solutions were Technology Centric

• Point solutions (IDS, Firewall, AV) were good enough

2. Cyber Security Lacked Visibility Outside of IT

3. Security Breaches Seen as “Cred” Driven and Not Motivated By Profit

4. Set the Stage for Compliance as Security

• Made for an easier sell to leadership at a long term cost

5. Security Architectures Hinged on Inside Trust

• Protect against the outside with hardened perimeter


Evolution of Threats - Present

1. Solutions Must be Information Centric

• Share signatures and metadata of attacks

2. High Visibility Outside of IT for Cyber Security

• Attacks are in the news – constantly

• Clients and Consumers are demanding their information be protected

3. Compliance Drives Security Programs – Bare Minimums

• Can miss the obvious in pursuit of reduced compliance scope

• Health Insurance Portability and Accountability Act (HIPAA)

• Payment Card Industry (PCI)

4. Security Architectures Require Multi-Layered Approaches

• Inside Assets are compromised and provide external access.

• No one technology or process can be 100% effective


Changing Environments

• Software Defined Network

• Continued Virtualization

• Internet of Things

• Mobile Devices and Applications

– Android lacks robust patching (Carrier Dependent)

– Nexus devices are different (updates come directly from Google)

– Apple is getting faster at releasing security updates

• Cloud

– For many, cloud will improve baseline security

– Attractive turn-key solutions

– Economies of scale for security spending

– Reputational risk and liability are not transferable!


Abundance of Jobs

• Improving cybersecurity is the third most important enterprise objective for CIOs.

• Security jobs are in demand and currently make up more than 12% of all IT jobs.

• Over half of surveyed managers expect to raise head count.


Our current landscape is one where we have an increased need for individuals to secure a larger and more complex environment against an ever-evolving adversary.


Talent Black Hole

• Information Security has an observable unemployment rate of near zero.

• Almost 90% of security professionals are satisfied with their compensation and job security – 2016 State of the CIO

Existing talent is not likely to migrate to other opportunities on their own, and will need to be incentivized.

• Applicants are consistently leading with certifications instead of accomplishments.

• Learning methodologies have been largely formulaic

• Seasoned security staff are burning out!


What’s old is new

• 2010 – “A Human Capital Crisis in Cyber Security” – CSIS Commission on Cybersecurity.

“There are about 1,000 security people in the US who have the specialized security skills to operate effectively in cyberspace. We need 10,000 to 30,000” – Jim Gosler, Sandia Fellow, NSA Visiting Scientist, and the founding Director of the CIA’s Clandestine Information Technology Office

• The 2014 Cisco Annual Security Report predicted that the talent gap would be over 1 million employees.


Our current landscape is one where we have an increased need for [a finite pool of individuals] to secure a larger and more complex environment against an ever-evolving adversary.


Character Traits

• Security professionals must:

– be knowledgeable across all domains.

– be business centric.

– stay abreast of new technologies AND new threats.

– be able to meet increasingly high expectations.

• Security professionals can:

– be experts in one discipline (Audits, Reverse Engineering, SOC Analyst, etc.)


Character Traits

– Hire for ability not knowledge

– Hire someone who attacks problems differently

– Hire someone who understands the business from within:

• Bring developers into application security

• Bring system/network engineers into architecture

• Bring administrators in to manage the plethora of security products

– Hire the person that asks questions instead of tacitly agreeing.

– Hire the person that says, “I don’t know”


Where to look?

New Talent

– BSides : A community driven framework for building the Information

Security Community

– Reddit : https://www.reddit.com/r/netsecstudents

– Local Hacker Spaces

– Local Colleges

Seasoned Talent

– Network!

– Reddit : https://www.reddit.com/r/netsec

– LinkedIn


What can I offer?

– Compensation

– Flexibility

– Tele-Commute

– Innovative Work Environment

– Positive Work Environment

– Training!

– Conferences!

According to the 2015 IDC Security Survey, positions for new talent can be filled within a few months, but positions requiring 10+ years of experience have a time-to-fill of over a year.


Thank you!

For questions please feel free to contact:

Nicholas Borton

Nic.Borton/at/ptpinc.com