
Sophisticated organizations defend themselves against cyber attacks with tools, products, services, and perhaps most importantly highly capable security professionals.  But it is becoming very difficult to attract and retain good talent.  The pool of qualified available resources has run dry and it is now up to the academic institutions to replenish the workforce population.  It won’t be easy, but higher education must save cybersecurity!

The demand for security professionals is at an all-time high, but the labor pool is largely barren of qualified candidates.  Various data sources paint a similar picture, with estimates that ~70% of security organizations are understaffed, ~40% of junior-level jobs are vacant, and senior-level roles go unfilled ~50% of the time.  A lack of security talent, especially in leadership roles, is a severe impediment to organizations in desperate need of staffing in-house teams. 

Hiring a quality cybersecurity professional is not as easy as you might think.  Universities are trying urgently to fill the gaps but are having difficulty in delivering the needed knowledgeable and experienced personnel.  Some experts have described cybersecurity as a “zero-unemployment” field.  In fact, the gap is widening, with 2020 predictions expecting the shortfall to reach 1.5 million workers.  Adding to the challenge, with demand high and supply low, security technology salaries are going up fast and are far outpacing their IT counterparts.  Specialty positions show strong double-digit growth in salary over last year’s figures.  Leadership roles are in great demand as well, with compensation rising to match.  Relief of this situation will only come about by balancing the supply side of the equation.

Barriers to resolution

Higher education institutions and governing bodies are working feverishly to fill the tremendous demand with significant numbers of new security graduates, but serious barriers stand in the way.  Academic structures are not well aligned to the needs of the industry, there is a lack of consistent degree and curriculum standards, and educating students with relevant content, in a rapidly changing field, is proving difficult with traditional practices.

Positions within the industry are constantly evolving, with new roles and responsibilities emerging at a rapid pace.  The titles are changing as are the expectations for education and experience.  A recent inventory of federal job responsibilities showed more than 100 occupation-series which include a significant amount of cybersecurity work, representing ~1.6 million employees or roughly 4% of the workforce.  Adding to the mix are new industry jobs emerging around privacy, big data, internet-of-things, policy, customer protection, product design, testing, audit, investigation, and legal aspects of security.  Education institutions are having a difficult time in aligning the skillsets of graduates with the shifting landscape of what employers truly need at any given moment.

[Image: Ponemon Report - 2014 Best Schools for Cybersecurity]

Consistency across different higher education institutions is a separate problem which must be addressed.  A nationally recognized degree in cybersecurity does not exist.  Instead, most programs are customized and can have a vastly different emphasis and graduation requirements depending upon the host university.  There is not even a consensus on which departments such programs should reside in.  A 2014 Ponemon report showed a variety of academic departments where cybersecurity is situated, ranging across engineering, computer science, library, military, business, and legal studies.  The result is clusters of graduates entering the workforce possessing vastly different sets of educational knowledge and security skills.  This is problematic for both potential employers trying to fill a position and prospective applicants desiring to show competitive aptitude.

Teaching cybersecurity is difficult in and of itself.  The technology, threats, and attack methods rapidly shift.  It seems every eight to twelve months, the industry swings to an entirely new focus.  A fellow security professional stated “if they are learning from a book, it is already outdated”.  Traditional rote teaching styles are insufficient to train professionals as they rely heavily on static material.  More dynamic sources of information, and processes to integrate them into the classroom, are needed.  Cybersecurity instruction must be agile and stay very close to the pulse of what is happening in the real world. 

Expectations are not being realized by both recent hires into the field and the companies who are investing in college graduates.  Students told me it was the last six months of schooling which was most relevant.  Before that, most describe the knowledge as an interesting history lesson, but not very practical.  Learning the fundamentals is always required to understand the landscape and establish base skills, but the real value is in the pragmatic application of knowledge to supporting risk mitigation.  I have seen frustration with many companies who have hired graduates, only to discover they are not prepared for day one.  They are glad to have them as part of the team, but the organization must start near square one to teach them the current challenges and methods to be successful.  Simply put, both sides expect more.

With the vast differences in programs, teaching backgrounds, and content interpretation, sometimes even the basics are overlooked.  Many graduates don’t understand the practical distinction between obstacles and opposition.  I have found that most, with the exception of those with a statistical background, don’t adequately grasp the relational difference between vulnerability and risk of loss.  Most concerning is how many students have a very narrow viewpoint and overlook how cybersecurity is both a technology-based and a behavior-based discipline.  Far too many technical graduates see security as solely an engineering problem, where the right hardware, software, or configuration will achieve the goal and forever solve the puzzle.  This is just not realistic.  Cybersecurity weaves both technology and human elements together in a symbiotic way.  Addressing only one aspect may improve the situation, but will ultimately fail as an isolated stratagem.  These are fundamental constructs every security professional should be fluent in before entering the labor force.

The solution is apparent

[Image: Higher Education Asks]

The solution will arrive in three parts.  First, partnerships between higher education and the industry will need to attract more talent into cyber sciences, including women and underrepresented minorities.  The current numbers of students are just not enough to satisfy demand, and expanding diversity adds fresh perspectives to creatively tackle difficult problems.

Second, students must be trained with relevant aspects and materials that take into account the highly dynamic subject-matter and environment.  Optimally, this should extend to post-graduates as part of continual learning programs.  The professionals of today also have a role to play.  They must contribute to the growth and security of tomorrow by advising and mentoring students, assisting educators, and contributing to the development of curriculums.  In a recent presentation to educators and academia administrators at the NSF Cybersecurity Summit, I recommended both an expansion of traditional topics and engaging industry practitioners to help provide timely insights and discussions for students.  Teamwork across academia and the private sector is mutually beneficial and will help raise the effectiveness of graduates as they enter the workforce.

Third, the curriculums must be designed to align to the security roles in the market.  An adequate level of consistency across teaching institutions, attesting to the completion of applicable studies, is required.  In short, a recognized degree program for cyber sciences must be established.

Progress toward the goal

The shortfall in talent is no surprise, as the industry has seen this coming for some time and a number of groups have been working diligently to change the academic system which supports cybersecurity professionals.  The US National Initiative for Cybersecurity Education (NICE) is a strategic organization tying together education, government and the private sector to address cybersecurity education and workforce development.  The Association for Computing Machinery (ACM) is an international society for computing working to develop uniform knowledge content for cybersecurity roles.

Working independently, many higher education institutions are taking the initiative to bring in experts to help teach and advise students to deliver more relevant education and better prepare them for the jobs they will be seeking.  They are reaching out to industry professionals to help staff and students stay current on latest trends, research, and best-practices. 

The Cyber Education Project (CEP) Industry Advisory Board is leading a national academic accreditation program effort to formally establish a Cyber Science degree and necessary certification criteria.  Institutionally, we should see a formal Cyber Science degree be approved in 2016 to establish consistent guidelines for graduates across the landscape of higher education.

[Image: Cybersec for HR]

In the meantime, however, businesses must adapt to the challenging employment environment.  Hiring of technical and leadership cybersecurity staff will continue to be difficult for the foreseeable future.  Human Resource (HR) departments can play a crucial role in planning and addressing problems.  In a presentation to a Chief Human Resources organization last year, I outlined a number of different areas where HR can facilitate practices to both hold on to good talent already in place and plan accordingly to hire qualified candidates.

HR teams must stay on top of competitive salary reviews for current security professionals to ensure compensation is at the right level to retain talent in the face of headhunters who are currently circling like sharks, hungry for any opportunity to harvest security professionals.  HR representatives should also be prepared to have candid discussions with managers asking to hire new security staff, as the market price may be misaligned to budgets, compensation disparity could be disruptive to current staffing expectations, and it may take an unusually long time to successfully fill a role.  In some cases, outsourcing may be the best option and should be up for consideration.

Must save cybersecurity

The industry is in trouble as a huge deficit of available professionals continues to grow.  Without well-trained personnel, most organizations cannot establish or maintain a sufficient cybersecurity posture.  Academia is the gateway to prepare the next generation of professionals, and universities are working purposefully to fill the gaps but are having difficulty in delivering the needed knowledgeable and experienced personnel.  Progress is slow, but inroads are being made by the best of academia.  Cybersecurity may be fought with technology, but it is people who triumph.  We must invest in the future generations of professionals who will carry on the fight.  Higher education must save cybersecurity.

Industry colleagues, I will be speaking at a CIO roundtable luncheon in San Francisco, CA on September 10th, discussing how, in pursuit of a balanced security posture, organizations need capabilities which deliver smarter, and not necessarily more, security.

I will be joined by a number of other roundtable members from Apple, Oracle, Zappos, Guidepoint, Freddie Mac, and Barclays.  It should be an informative discussion covering a number of different topics and viewpoints for CSO, CISO, and other executives that set security strategy and architectures.

The event is hosted by Prelert and seating is very limited.  Registration page:


Malware is working hard to undermine and punish those who employ security sandboxes.  Security innovators are working hard to stay one step ahead.

Security sandboxes are a crucial tool in the battle against the constantly evolving efforts of malware writers.  Suspicious files can be placed in a digital sandbox where security can watch, look, and listen to determine what the code does, who it communicates with, and whether it plays nice as expected.  This helps determine if the file is benign or malicious.  The sandbox itself is a façade, designed to look and feel like a vulnerable system, yet in reality it is an isolated laboratory which is reinforced to allow malicious files to execute but not cause any real damage.  It is all under the control and watchful eye of the security toolset.  After analysis is complete, the entire digital sandbox is deleted, with whatever potentially harmful activities and changes disappearing with it.

Many security vendors incorporate this technology to conduct analysis of downloads, executables, and even software updates, blocking the malicious and allowing good files to flow.  Similar tools are employed by forensic experts to dissect malware and unravel its inner workings.  The stratagem has proven worthwhile at confidently detecting dangerous code.  So much so that malware writers began embedding features into their software to detect when they have been put in a sandbox.  In order to remain elusive, upon detection the code either goes silent, temporarily acts innocent, or takes the preemptive measure of deleting itself, in hopes of avoiding scrutiny by security researchers. 

Security has responded by making sandboxes stealthier to avoid detection and allow malware to show its true nature in a safe environment.  This hide-and-seek game has escalated, with new features being employed on both sides to remain undetected while attempting to discover their counterpart. 

In most instances it is a passive contest.  That is, until Rombertik.  Given the adversarial nature of the industry, nothing stays secure forever, even security tools.  Rombertik takes a different approach and goes on the offensive to cause harm, incurring a discouraging cost on those employing security tools. 

Our security colleagues at Cisco have done a great job highlighting the anti-sandbox advances of the Rombertik malware in the Cisco 2015 Midyear Security Report.  They show how the creators of Rombertik have taken a divergent path from their more docile predecessors.  Instead of being passive and self-deleting or remaining quiet, it lashes out at the very systems attempting to analyze it.  It contains a number of mechanisms to undermine, overflow, and detect sandboxes.  Once it believes it is under the microscope, it attacks.  It attempts to overwrite the machine’s Master Boot Record (MBR) or destroy all files in the user’s home folder, with the goal of making the system inoperable after reboot.

The Cisco report states “Rombertik may be a harbinger of what’s to come in the malware world, because malware authors are quick to adopt their colleagues’ successful tactics”.  It is an insightful report and I strongly recommend reading it. 

The idea of a safe area to test suspicious code is not new.  The original instantiation was simply an extra PC, which could be isolated and completely wiped after the analysis.  But that was not a very scalable or terribly efficient practice.  The revolution really came when software could create virtual sandboxes as needed.  Such environments are quick to create, easy to configure, and simple to delete and start anew.  Dozens or even hundreds could be created and be running simultaneously, each testing for malware.  But software has some inherent security limitations.  Malware can sometimes ‘jail break’ and escape the protected sandbox to cause real harm.  Additionally, the most sophisticated attackers can actually turn the tables to get under the virtual environment, so the security environment is itself running in a sandbox managed by the attacker!

This maneuvering gets more complex over time as both sides escalate their tactics through innovation.  How much longer can software-created sandboxes remain one step ahead?  Nobody is sure. 

What is needed is a more robust means of building improved sandboxes.  Beneath software resides the hardware, which has the advantage of being the lowest part of the stack.  You cannot get ‘under’ the hardware, and it is much more difficult to compromise than the operating systems, applications, and data which run above it.  Hardware advances may revolutionize the game with better sandboxes that are more difficult to detect and undermine.  I think time will tell, but it seems to be where the battle is heading.  What cannot be foretold is whether changes in hardware will be the winning salvo or just a new battlefield for the attackers and defenders to continue to maneuver in the game of cybersecurity.


Twitter: @Matt_Rosenquist

Recently I was asked for advice by a passionate professional who is establishing a security company.  They asked for strategic insights to help guide their organization.  With a quick pen to cocktail napkin, I produced three nuggets of wisdom.

I want to share my thoughts with the community and, more importantly, hear from others what your advice would be for this emerging leader of security practices.  Share your knowledge and insights.

My three pieces of advice:

  1. The measure of success for a security company is how meaningful an impact you can make on your customers’ ability to manage their security posture.
  2. In security, customers must balance three aspects: Risk, Cost, and Usability. Risk mitigation is obvious, as it directly ties to the purpose and benefit of security. Cost must be a consideration as no customer has an unlimited budget. They must seek a level of cost, both initial and sustaining, which is appropriate for the level of risk they want to maintain. Thirdly, usability factors are important as they can impede business and make for a poor end-customer experience. For enterprises, it can also lower employee productivity, create worker frustration, and place greater demands on the IT infrastructure. For consumer facing organizations, security demands can cause customers to dislike products or services, which is greatly detrimental for business. Help customers determine and achieve the right balance for their business objectives.
  3. Risk is about risk of loss. This could be loss of assets, reputation, customers, IP, system uptime, litigation fees, regulatory barriers, etc. Tie the value of what you provide to the real/actual potential losses your customer is currently or will likely experience. Don’t use fear, uncertainty, and doubt, but be realistic to build trust with your customers. In the end, providing security is about trust. Be trustworthy.

Do you agree with my advice?  Did I miss the mark?

Be bold and share your cocktail napkin of wisdom!