What a year 2017 has been. From Shadow Brokers, WannaCry and Petya to the constant and consistent discussion about diversity in cybersecurity and tech, 2017 has been a whirlwind of changes.
Overall, 2017 seemed to stay consistent as far as cyber-attacks are concerned. The media portrayed ransomware as the biggest threat to our systems, and while the consequences of ransomware are huge, the actual issue at hand is how the attackers got into the systems to begin with.
Unpatched systems: this is one of five vectors of getting initial access to a system; the others include social engineering, insider threat, misconfigurations and weak passwords. Patch management has always been an issue for organizations. Trying to keep up with various patches from various vendors can be a full-time job that a majority of organizations just do not have the resources to maintain, as in the case of Equifax.
One area that I have seen baby steps forward in is educational opportunities to learn and grow in a cybersecurity career. I recently went to the SANS Institute website to check out the Cyber Security Certificates they offer. A year ago, there were 3; in 2017 they added another one and also increased the required trainings needed to get the certificate. This is one organization adjusting their training to fit the needs of this changing environment.
A number of certifying companies have also appeared to help professionals pass the baseline certifications that organizations are looking for. Colleges and universities are also stepping up their game to ensure they provide adequate training and knowledge to those wanting to enter the field. These institutions are using skilled professionals to help build out these programs to include hands-on activities, labs, and interpersonal skills necessary to be successful.
The problem here is that organizations need skilled workers now. Getting into a degree program (associate’s, bachelor’s, master’s, etc.) and finishing can take two years depending on where you go. This doesn’t actually help with the skills gap now, but does help build the pipeline.
From the Women’s Society of CyberJutsu perspective, we would like to see more organizations working towards partnering with non-profits to help build content for training that can be supplemental to degree programs, and working with organizations to provide internships to help get people into roles that may not be filled.
These internships not only help with filling a skills gap, but will also bring a fresh perspective to the business. We would also like to see more diversity in content delivery, meaning more women and minorities given the opportunity to present on topics at various conferences and events. By showing a diverse industry, it allows those coming up the ranks to visually see themselves in the field, thus aiding in filling the pipeline.
All in all, 2017 saw a number of events that thrust the need for cybersecurity into the national spotlight. So this in itself is a good thing that came out of the unpatched systems of various organizations and phishing emails used to gain access.
As we move into 2018 and beyond, organizations need to understand the threats that affect them and ensure they have the talent necessary to detect and fight against those threats. While we have made strides to educate consumers and organizations about threats that affect them, we still have a way to go to ensure our cyber workforce is properly trained to defend and pass the torch to the next generation.