Cybersecurity First

By Mike Pond

Still in recent memory is a year plagued with natural disasters, infectious diseases, and cyberattacks. This past May, an American oil pipeline was shut down to contain a ransomware attack. For the uninitiated, ransomware is an increasingly common cyberattack that locks the owner out of a computer system, typically until a ransom is paid to the attacker. The attack on Colonial Pipeline caused panic buying and fuel shortages. However, this isn’t the first time that a cyberattack has had a real-world impact. Hospitals and the healthcare industry are reeling from a significant rise in the number of targeted cyberattacks that have left some facilities unable to render care.

Although the threat of cyberattack to both public and private organizations is growing, it’s nothing new. Along with the formation of the newly minted Space Force, former President Donald Trump ushered in the creation of the Cybersecurity and Infrastructure Agency, or CISA, in 2018. Many lauded the creation of the new agency, housed under the Department of Homeland Security, as a bet on the importance of nationally secure cyber operations in the years ahead. News last December of suspected state-sponsored Russian hackers’ intrusion into government and private information systems illustrates that the creation of CISA and good cybersecurity practices are not only necessary, they are imperative.

What’s more, we are currently in the midst of a several-year-long cybersecurity talent drought with no immediate end in sight. There are over 500,000 open cybersecurity positions nationwide according to Cyber Seek – a job tracking database from the U.S. Commerce Department. So, what gives? If across the nation we are getting hammered by cybersecurity attacks, why aren’t people flocking to fill those jobs, whose starting pay ranges anywhere from $60,000 to over $100,000?

The data suggests that people are flocking to fill the positions, and in droves, but it’s still not enough to meet the demand. However, it’s a little more complicated than just filling the positions. Data gathered by Cyber Seek indicates that filling IT-related roles takes 21% longer on average than filling non-IT-related roles. One major roadblock that analysts are seeing is that those who are tasked with making hiring decisions don’t understand the actual skillset that they are looking for. They don’t speak the language of cybersecurity and end up missing key details on resumes.

Another significant issue is lingering cultural attitudes surrounding the cybersecurity field. The field is constantly changing, and what might have been seen as a best practice last year might be outdated this year and leave information or organizations vulnerable. It takes time, resources, and ultimately money to hold the proverbial fort down. This often pits management against their information technology department colleagues. Too often, cybersecurity is viewed as a hindrance to operations or a thorn in the side of those attempting to fulfill the main goals of an organization. In fact, cybersecurity should be one of the top priorities and seen as an enabler of the main objectives of an organization. For example, Colonial Pipeline, when affected by ransomware, could not distribute the necessary oil and fuel because operations were halted. We need many more than the current 500,000 open cybersecurity positions to fill the actual needs.

What's the Bottom Line for the Average American?

    • If you are a business owner, put cybersecurity first. When considering business operations, build in security principles from the very start. It is very difficult to implement security after a security incident has occurred. Consider your risk tolerance, and make adjustments as necessary. In other words, most businesses don’t need the protections of Fort Knox, but they certainly need more than they currently have.
    • Not a business owner and looking for a new career? There literally could not be a better time to transition into cybersecurity or IT. Many open positions do not require a college degree. There are many certifications that open the door to entry-level job opportunities. The barrier to entry has never been lower, with many free resources accessible via the internet. Local institutions such as Idaho State University offer courses and opportunities such as the NIATEC program (https://sfs.niatec.iri.isu.edu/).
    • Make cybersecurity a priority in your own life. Using different passwords for different accounts, making sure that your passwords are long, and enabling two-factor authentication can go a long way in preventing yourself from personally becoming a victim. Having a vigilant mindset is important. Spam is getting more advanced. It’s becoming harder to detect misinformation. Being initially skeptical of unexpected communications can help you protect yourself.

This article was written by Mike Pond as a part of a series for the month of October for National Cybersecurity Awareness Month. Mike Pond is a cybersecurity analyst at The National Information Assurance Training and Education Center at Idaho State University. Mike has worked in law enforcement, finance, insurance and broadcasting before working in cybersecurity.