Cybercriminals, Data Privacy, Data Protection, Education, FBI, Government, Personal Data, Personal Health Information (PHI), Personally Identifiable Information (PII), Ransomware

FBI Warns EdTech Needs Stronger Defenses for Students’ Personal Data

Terms like “privacy,” “personally identifiable information (PII)” or “educational technology (EdTech)” often sound abstract and far from the responsibility of the average person, meant primarily for security and IT professionals. But when schools are forced to close after parents and kids receive ominous, personalized messages, as they did recently in an Iowa school district, according to the Des Moines Register, internet security becomes very real for the whole community.

Late last year, a cybercriminal group known as Dark Overlord — infamous for attempting to extort Netflix — stole data from school districts around the country, according to The Washington Post. Then, as part of ongoing extortion attempts, it used the pilfered information to threaten parents and students around the country. Districts in Montana, Texas and Alabama also closed schools after attackers texted threats to parents, according to CSO Online.

The Department of Education issued a warning and that round of attacks subsided, but others continue. Earlier this year, a Massachusetts school district paid cybercriminals $10,000 in bitcoin to regain control of its data after a ransomware attack, according to ABC News.

Inform the Public

Incidents like these have federal authorities increasingly worried about security at school districts around the country, at the same time as schools come to rely on technology for everything from tracking performance to taking attendance.

The Federal Bureau of Investigation (FBI) recently issued a sharply worded public service announcement aimed at schools and parents titled “Data Collection and Unsecured Systems Could Pose Risks to Students.”

Software used in schools collects a lot of very sensitive information, the FBI warned, including “[PII]; biometric data; academic progress; behavioral, disciplinary and medical information; web browsing history; students’ geolocation; IP addresses used by students; and classroom activities.” That data is a potential treasure trove for a group like Dark Overlord.

“Malicious use of this sensitive data could result in social engineering, bullying, tracking, identity theft, or other means for targeting children,” the FBI said.


Expand District Resources

It is unclear whether the FBI’s warning came in response to a specific threat — as the Department of Education’s warning did — or was just a renewed call to action. Either way, the challenges are steep.

While increased use of EdTech products creates an ever-expanding set of targets for threat actors, many districts are facing tighter budgets, unable to buy the latest security technology that corporations employ, warned the Future of Privacy Forum, an industry group.

“Schools rarely have the resources to establish dedicated security staff, leaving technologists with a full plate — combating malicious access attempts while also handling humdrum IT issues and attempting to comply with new state student privacy laws; more than 120 laws were passed in 40 states since 2013,” it said.

How to Manage the Full EdTech Attack Surface

In the Iowa case, authorities say student and family data was stolen from a third-party supplier. Vendor management is a headache for all manner of organizations. The proliferation of outside organizations with access to students’ most personal information creates a vast attack surface for threat actors, warned privacy law expert Bradley Shear, CEO of school security consultancy Digital Armour LLC.

“Our public schools are fast becoming targets of cybercriminals. These types of incidents are increasing and costing taxpayers tens of thousands of dollars per incident,” Shear said. “It’s not just school districts we have to protect from cybercriminals, but also their vendors.”

In its PSA, the FBI also called attention to internet of things (IoT) devices.

“EdTech connected to networked devices or directly to the [internet] could increase opportunities for cyber actors to access devices collecting data and monitoring children within educational or home environments,” it said. It also pointed to the risk of take-home devices, like tablets, or monitoring devices that allow remote access.

How to Give Power to the Parents

The FBI alert called on parents to become more aware of potential risks, and urged families to keep in contact with school districts about various EdTech programs they use. It also recommended participation in parent coalitions, and suggested regular internet searches to identify children’s exposure and spread of their information on the internet.

The Future of Privacy Forum also offers a number of tools to parents on FERPA|Sherpa, named for the federal law that governs data collection and sharing at schools, the Family Educational Rights and Privacy Act (FERPA). The organization recommends parents regularly ask districts how they handle directory information, what the rules are for recording devices, how they secure children’s information and a set of other queries in their document, “Parents: Raise Your Hand and Ask Schools How They Protect Student Data.”

How School Districts Are Improving Data Privacy

School districts are beginning to tackle the problem by sharing resources and strategies with one another. Nearly 500 districts in more than a dozen states participate in the Student Data Privacy Consortium (SDPC), and they’ve implemented a model contract that vendors must use to ease vendor management, available on the SDPC website.

The SDPC says it leverages privacy-related projects by member districts “to have their good work utilized and no reinvention of existing work.” The Department of Education also offers a “Student Privacy 101” resource for various stakeholders, from K-12 administrators to vendors.

But for Shear, improving cybersecurity at schools needs to begin with an attitude about collection minimization. The less data schools and vendors collect and store, the smaller the opportunity for threat actors. Most critically, vendors and schools should delete information as soon as it is no longer necessary.

“Technology vendors have a huge bull’s-eye on them because of their insatiable appetite for personal information,” he said. “Recent data breaches … demonstrate why it’s necessary to have strict sunset provisions inherent in the data collection process.”

School districts must perform a balancing act when deleting data, however, because various legal retention requirements set a floor on how long some records must be kept. There is a second balancing act between locking data down to keep out threat actors and keeping it reachable for educators and parents who legitimately need it. Take a student's allergy information: if a substitute teacher cannot get at the health record because the login process is cumbersome, a dangerous situation could develop.
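To make the sunset idea concrete, the following is an added example (not code from the article, nor from any district, vendor or consultancy it names) of a retention sweep that attaches a retention rule to every record at collection time, refuses records of a class that has no rule, and marks a record for deletion only once both the policy sunset and the legal minimum have passed, unless a legal hold applies. The data classes, retention periods and sample records are constructed assumptions for illustration, not FERPA or state-law figures.

```python
"""Retention sweep for student data: apply sunset rules at collection time and
purge expired records, while honouring legal minimum retention and holds.

Added example, not code from the article or from any organization it names.
The data classes, retention periods and records below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy table (illustrative, not a statement of FERPA or state law):
# sunset_days = how long the school actually needs the data; legal_min_days =
# the shortest period a regulation requires it to be kept. The later date wins.
POLICY = {
    "geolocation":      {"sunset_days": 30,  "legal_min_days": 0},
    "browsing_history": {"sunset_days": 90,  "legal_min_days": 0},
    "medical":          {"sunset_days": 365, "legal_min_days": 365 * 3},
    "disciplinary":     {"sunset_days": 365, "legal_min_days": 365 * 5},
}


@dataclass(frozen=True)
class Record:
    record_id: str
    data_class: str
    collected_on: date
    legal_hold: bool = False  # open investigation, subpoena, etc.

    def __post_init__(self):
        # Sunset "inherent in the collection process": a record cannot be
        # created for a data class that has no retention rule, so adding a new
        # kind of collection forces a retention decision first.
        if self.data_class not in POLICY:
            raise ValueError(f"no retention rule for data class {self.data_class!r}")


def purge_date(rec: Record) -> date:
    """Earliest date on which the record may be deleted."""
    rule = POLICY[rec.data_class]
    keep_days = max(rule["sunset_days"], rule["legal_min_days"])
    return rec.collected_on + timedelta(days=keep_days)


def sweep(records, today: date):
    """Split records into (purge, keep) lists of record IDs as of `today`.

    A legal hold always wins over an expired retention window.
    """
    purge, keep = [], []
    for rec in records:
        if rec.legal_hold or today < purge_date(rec):
            keep.append(rec.record_id)
        else:
            purge.append(rec.record_id)
    return purge, keep


# Constructed sample inventory (not real student data).
SAMPLE = [
    Record("geo-1", "geolocation", date(2018, 10, 1)),
    Record("geo-2", "geolocation", date(2018, 12, 15)),
    Record("web-1", "browsing_history", date(2018, 9, 1)),
    Record("med-1", "medical", date(2015, 9, 1)),
    Record("med-2", "medical", date(2017, 1, 10)),
    Record("disc-1", "disciplinary", date(2012, 3, 1), legal_hold=True),
]

AS_OF = date(2018, 12, 31)  # assumed "today" for the demo run


def demo():
    """Run the sweep over the sample inventory as of AS_OF."""
    return sweep(SAMPLE, AS_OF)


if __name__ == "__main__":
    to_purge, to_keep = demo()
    print("purge:", to_purge)
    print("keep: ", to_keep)
```

Run as a script it lists the three records whose windows have expired (the geolocation and browsing-history records collected in the autumn, and the 2015 medical record whose three-year legal minimum has now passed) and keeps the rest, including the disciplinary record that would otherwise be eligible but is under hold. In a real deployment the sweep would run against the vendor's and the district's stores on a schedule, and the refusal of unknown data classes is the part worth keeping: it turns "collect less" from a slogan into a check that fails closed.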

Parents, teachers, administrators and security experts need to engage in an ongoing dialogue about what schools must do to keep kids safe while ensuring they have access to the tools they need.

The post FBI Warns EdTech Needs Stronger Defenses for Students’ Personal Data appeared first on Security Intelligence.

Author: Bob Sullivan

Academia, Chief Information Security Officer (CISO), CISO, Education, Security Leaders, Security Services, Skills Gap, women leaders

4 Ways to Overcome the Cyber Workforce Shortage

As 2018 draws to a close, the state of the cyber workforce can be summed up in two words: “Help Wanted!”

The numbers prove it: In November, the National Institute of Standards and Technology (NIST) released updated workforce numbers through CyberSeek, the NIST-funded security jobs heat map. According to that data, there were over 313,000 job openings from September 2017 to September 2018, a figure that counts only vacancies, not the security professionals already employed.

Just a month earlier, the International Information System Security Certification Consortium (ISC2) released its yearly “Cybersecurity Workforce Study,” in which it estimated that there were nearly half a million open jobs in North America. According to the report, 63 percent of respondents deal with challenges related to a shortage of dedicated cybersecurity staff. Nearly six in 10 organizations reported that this talent shortage puts them at moderate-to-extreme risk.

If your organization is looking to hire cybersecurity professionals, it’s likely to meet fierce competition for the limited talent supply. That’s why hiring managers need to get creative to get ahead. Here are four out-of-the-box strategies to help your organization bridge the skills gap and hire top-tier cybersecurity talent in 2019.

1. Explore Scholarship Offerings

If you have entry-level cybersecurity positions available, you can find nascent talent in the many regional colleges and universities that dot the landscape. A booth at the career fair might help plant a few seeds, but it won’t necessarily bring qualified students in droves. There’s a lot of competition for students’ attention these days, and unless you’re a thoroughly established household brand, you’re going to have to roll up your sleeves a bit and find ways to make a connection.

As many students struggle with increasing student loan debt, one way to get their attention is by offering scholarships. Most institutions will be happy to work with you to select students that meet your criteria. Not only will your contributions expand the emerging cybersecurity talent pool, but as students approach graduation, they'll remember those scholarships and, more importantly, your company.

2. Initiate Academic Partnerships

If money for scholarships isn’t available, you can make an indelible mark on young minds by developing educational partnerships with instructors. Most college professors recognize the incredible value external speakers bring to the classroom to infuse the curriculum with real-world projects and issues. A great benefit of regular interactions with relevant courses and students is early access to talent; you can get to potential job candidates well before your competition sits across the table at the next career fair.

Sustaining regular interactions with courses creates a solid knowledge base, but most students want or are required to work an internship before graduation. Although summer internships are the norm, many schools have flexible programs that can span or extend into fall and spring semesters. To further diversify the talent pool, consider creating an apprenticeship program to select and grow your workforce.

Competition for talent is so strong that hiring managers often secure graduating seniors with solid job offers by September or October of the year preceding graduation. If your company isn’t ready to advertise, recruit, interview, select and make an offer nine months prior to the start date, you’ll risk being left with little in terms of quantity and quality. A long-term academic partnership can help you recognize and build relationships with rising talent well before graduation.

3. Open Up Your Cyber Workforce Talent Searches

Far too many companies overfilter the cybersecurity talent pool by asking for the moon in their job listings. The NIST data spelled out the talent supply situation clearly: While the national average supply/demand ratio for all jobs is about 5.8 workers per open position, the average in cybersecurity is only 2.3. Depending on the particular metro area, this supply ratio can even dip below 1.0.

In a fairly young industry, a long, fully developed resume is hard to come by. So unless you can offer sky-high salaries, you'll have to readjust your expectations to meet the reality of the available talent pool. This means that few companies can afford to filter applications on all of their wish-list items; instead, you'll have to take what you can get. For example, instead of placing an ad requiring a degree in cybersecurity plus certifications and 10 years of experience, pick one or two of those qualifications to widen the filter, and learn to evaluate the potential and aptitude a candidate brings to the job.

Similarly, companies sometimes paint themselves into a corner by limiting searches to particular geographic locations. Instead, seek talent across the entire country, and be willing to open up lines of negotiation around on-premises job requirements versus telecommuting. If telecommuting is a firm negative at your company, then consider your options: A study published in the Harvard Business Review (HBR) found that an extra $10,000 resulted in candidates being “about a half percentage point more likely to be applying to a job outside their home metro.”

4. Improve Your Talent Management and Workplace Culture

The HBR article also noted that workplace culture factors into candidates’ considerations around relocation. Good workplace culture includes solid leadership, strong core values reflected in the organization’s mission and fruitful professional development opportunities.

Companies should review their hiring approach to ensure a speedy human resources (HR) process that engages candidates soon after they apply, evaluates their qualifications via effective and inclusive processes, funnels them to the most appropriate teams and keeps them informed of where they stand through each step of the process.

But the work doesn’t end with hiring. Companies should also develop cyber talent management practices that create a positive environment for new recruits as well as seasoned employees. Organizations should also demonstrate how they value talent and knowledge sharing.

Whether your company is looking to fill entry-level positions or hire more seasoned security professionals, the limited supply of cybersecurity talent means that HR processes, expectations and recruiting tactics need to be more flexible than those in other fields. Your organization’s security depends on that flexibility.

The post 4 Ways to Overcome the Cyber Workforce Shortage appeared first on Security Intelligence.

Author: Christophe Veltsos

Academia, Cybersecurity Jobs, Data Breach, Education, IBM X-Force Command Center, Incident Response, Incident Response (IR), Security Awareness, Security Professionals, Security Training

How Allison Ritter Puts Security Lessons Into Action With Her Flare for Drama

Allison Ritter excuses herself from the interview. She has already described her role as “dynamic,” and we’re about to see that firsthand as she makes a call. Allison is filling in for a colleague and needs to make a guest appearance in a simulation — a chance for her to get hands-on with the security lessons she creates for the state-of-the-art IBM X-Force Command Center.

Based in Cambridge, Massachusetts, the Cyber Range drops clients into interactive breach simulations inspired by real-world cybersecurity scenarios. The immersive nature of the simulations helps security teams develop critical incident response and crisis management skills that can’t be learned from playbooks or how-to guides.

To say Allison has a fast-moving job is an understatement. As the creative director at the X-Force Command Center, she’s responsible for the overall look and feel of the simulations and also plays an integral role in managing the multidisciplinary team that develops the interactive experiences for Cyber Range participants.

Injecting Drama, Storytelling and the Arts Into Security Lessons

Allison has been with the Command Center team since the beginning, back when they were “still in hard hats.” She started as a threat gamification engineer before moving into the creative director role.

“I had the opportunity to help build the Cyber Range from the ground up,” she said. “This was a completely new space, so we had a lot of opportunities to create completely new experiences. What are the scenarios that we want to put people through? Visually, how do we want it to look?”

By the time Allison graduated from the Rochester Institute of Technology she had already interned with U.S. Representative Eliot L. Engel, worked with luxury cruise line Cunard to print and manage daily news for shipwide distribution, and served as editor-in-chief for Rochester’s School of Media Sciences. Her gamification role at IBM was only her second post-collegiate job.

Allison is a self-proclaimed lover of drama, so it’s easy to see how she ended up with the Command Center. Her daily work brings the data breach simulations to life through her interactions with clients as they navigate through the scenarios.

“It’s a very active environment; I have to always be ready with something new to throw a curveball into an experience, depending on what’s going on with the client and how they react,” she explained. “We want you to experience and feel what it would be like if your company was under a cyberattack. What do you need to do in a time of crisis? There’s not a lot of time to react, and you have to learn to manage an incident process during a time of chaos.”

Choose Your Own Security Adventure

Allison likens her creative director role to developing a choose-your-own-adventure book: It’s all about interactive storytelling. Her editorial background serves her well at the Command Center. When she worked in news, she had to keep a close eye on current events while maintaining enough flexibility to meet the needs of multiple audiences. This dynamic creativity laid the foundation for what she does today.

“I really enjoy the excitement of the learning that we create here,” Allison said. “To be able to show something to people and say you’re not just taking away a piece of paper, you’re really gaining some sort of experience. You’re dealing with the same situations that you might have to deal with if your company did go through a breach. It’s real-time learning.”

To Allison, a textbook or how-to guide is no substitute for hands-on experience.

“Diving in, talking with your peers, collaboration among different teams — we have people coming in from human resources, public relations, legal, communications, marketing, security — people are bringing all different experiences to the table,” she explained. “We have a dynamic environment that changes, which is a great learning area for individuals.”

Allison Ritter, Creative Director of the IBM X-Force Command Center

In Security, the Drama Never Ceases

This role isn’t a traditional 9-to-5 job; Allison is very involved and is often on call. She also continues her passion for the arts through music, theater and painting in her free time. In short, she is living proof that the arts and technology can work — indeed, thrive — together.

“I’m dedicated to the space and the work we do,” she said. “I have this love for drama and a passion for creating immersive spaces that are visually engaging for individuals to experience.”

Allison is showing us that working in security is not just about developing and writing code. There are opportunities for people of all backgrounds, passions and inclinations to succeed in this industry — especially if they enjoy a bit of drama.


The post How Allison Ritter Puts Security Lessons Into Action With Her Flare for Drama appeared first on Security Intelligence.

Author: Security Intelligence Staff

CISO, Cybersecurity Training, Education, Government, National Institute of Standards and Technology (NIST), Security Awareness, Skills Gap

From Naughty to NICE: Best Practices for K–12 Cybersecurity Education

In an effort to raise cybersecurity awareness and help both school districts and teachers develop security-based curricula, the National Initiative for Cybersecurity Education (NICE), part of the National Institute of Standards and Technology (NIST), hosted two consecutive conferences this fall.

These back-to-back conferences brought experts from industry and academia together to share creative strategies to help educators teach youngsters how to change their “naughty” online behaviors into good cyber hygiene.

The NICE Conference in Miami was held in November, followed by December’s NICE K12 Cybersecurity Education Conference in San Antonio, which introduced some innovative technologies as well as multiple trainings to help schools make students more aware of how to protect themselves online and the many career paths available to them in cybersecurity.

Let the Youth Lead Cybersecurity Education

I had the pleasure of speaking at the NICE K12 Cybersecurity Education conference on how to create a cyber-aware classroom, but my presentation was just one of many and paled in comparison to that of the keynote speaker, Kyla Guru, a 16-year-old high school junior from Illinois who is the founder and CEO of Bits ‘N Bytes Cybersecurity Education (BNBCE), a youth-built nonprofit that provides suggestions for day events and classroom discussions.

Also among Guru’s list of notable cybersecurity education resources are Common Sense Media, CodeHS Cybersecurity, Facebook Security Centre and (ISC)2.

In her work over the past few years, Guru has seen that students are increasingly encouraged to take at least one computer science course starting in middle school, and are subsequently guided to pursue the subject with a progression of courses in high school.

Implement Student-Created Curricula

What’s unique about the BNBCE curriculum is that it’s created by youth. The nonprofit offers lessons on encryption, privacy policies, digital citizenship, data breaches, passwords and social engineering, all of which are organized by age group.

“BNBCE also produces animated videos tailored for each school’s core values and principles, as well as conducts outreach events and runs biweekly research-based blog posts on relevant cybersecurity concepts for the classroom. We would love to support schools as they integrate cyber in their classroom discussions,” Guru said.

How to Break Google’s Influence on a Generation

Recognizing that her generation is digitally driven and has been raised to consider “Googling” as sufficient research, Guru said it is critical that the time young people spend using technology as their new medium for discovery and exploration be spent securely and safely so they can learn without limitation.

“K–12 students are by far the greatest consumers of digital information there are. In fact, a recent survey showed that 82 percent of Generation Z shares that Instagram, Snapchat, Buzzfeed and other social media sites are their primary news sources,” Guru said.

Engage Students in Cyber Awareness

In the Cyber Day 4 Girls workshop, hosted by IBM in advance of the NICE K12 Cybersecurity Education conference, young women in grades six through nine had a chance to learn how to protect their online identities and internet-connected devices while working alongside some impressive female role models who are already studying and working in cybersecurity.

Attendees also heard about the defensive hacking curriculum created by IBM and Hacker High School (HHS), and how to infuse ethical hacking skills across the curriculum, which was presented by HHS director Kim Truett.


Industry Professionals: Step Up

Clearly, educators and students alike are doing their part to move the cybersecurity needle forward, but industry leaders also play a critical role in helping to raise cybersecurity awareness and education among today’s youth.

In his presentation to audience members at the Miami conference, Eduardo Cabrera, chief cybersecurity officer at Trend Micro, talked about the need for more partnerships between enterprises and the K–12 sector.

“We have to rethink what we are doing around cybersecurity education, not only from an awareness and hygiene perspective, but also from the perspective of establishing a permanent pipeline of talent from K–12 that feeds into higher education,” Cabrera said.

What would that actually look like, though? According to Cabrera, one model that could work is what has been happening with DevOps. “There is a concept or movement around DevOps that is speeding up the cycle, taking plays out of the playbook of agile development and looking at the partnerships required between operators, developers and testers. These microservices are creating smaller, quicker sprints. We need to move toward a DevOps model of workforce development.”

Rather than operating in silos, all connected parties can work together. “The operators are the industry, developers are educators and the testers are certifying bodies,” Cabrera said.

Teaching cybersecurity is not solely about STEM and technical skills, either, Cabrera said. “Soft skills are becoming equally as important as technical skills. We have a rock-star employee when they can be technical but equally as skilled at communicating and storytelling.”

Cybersecurity isn’t just about defending one’s digital footprint, after all, but is just one piece of a network of protection for the whole person. To teach the best, most complete self-defense is to teach the whole student — not just the computer-savvy parts.

The post From Naughty to NICE: Best Practices for K–12 Cybersecurity Education appeared first on Security Intelligence.

Author: Kacy Zurkus

Academia, Application Security, Cloud, Cloud Infrastructure, Cloud Security, Data Privacy, Data Protection, Education, IBM Security, Petya, Security Awareness, Security Leaders, Security Leadership, Skills Gap, WannaCry

How Cloud Security Architect Andi Hudson Nurtures Today’s Youth to Protect Tomorrow’s Data

There’s rarely a time in the day when Andi Hudson isn’t immersed in technology. When he’s not fulfilling his duties as IBM’s cloud security architecture lead in the U.K., he’s reaching out to the next generation of cyber professionals through volunteer work with universities and colleges. Or, he’s teaching his own young kids how to write in Python, or how to make wacky contraptions, such as an automated irrigation kit and a Tesla coil that plays music.

Simply put, Andi Hudson lives and breathes tech and security, and he’s always happy to chat about anything from cloud security, to artificial intelligence (AI), to the impact of the Internet of Things (IoT) to the neuroscience of privacy denial.

“For me, cybersecurity has to start right at the very beginning,” he said, speaking from his home in South Wales. “Giving kids access to this stuff is important, but even more important is teaching them to use it ethically and responsibly.”

Spreading the Gospel of Data Privacy

No matter what else he’s doing, Andi is always keeping a close eye on the future. He’s particularly interested in artificial intelligence, data privacy and what the C-suite needs to pay more attention to.

Much of it comes down to the data, which Andi described as “the oil of tomorrow.” He believes that, given the right bits of information, cybercriminals can steal data (including identities) and “really go to town with this information.” He’s also worried about the confirmation bias this level of sharing brings — that our “likes” are collected and we’re grouped with other users who share the same ideas and opinions. To quote Andi, quoting author Cory Doctorow: “It’s not about what you have to hide; it’s about what you choose to share.”

“We give away so much information so freely, to a degree I think the horse has already bolted,” he said. “That’s why I invest so much of my own time in educating academia, because they’re the next generation. But it doesn’t just start at universities and colleges; it starts at home in the family, and in primary school and secondary school. Security is not a product — it’s a process.”

Andi is a science, technology, engineering and mathematics (STEM) ambassador, as well as a Barefoot volunteer with Computing at School (CAS). He visits primary schools to nurture the next generation of cyber professionals. Andi shows the faculty how to teach computational science, helps children understand the importance of STEM subjects and exposes them to careers in technology.

Andi Hudson, cloud security architecture lead at IBM

A Nontraditional Approach to Cloud Security

When he’s not nurturing the youth, Andi leads a growing team of architects at IBM Security U.K. Part of his role is to ensure that all the individual skill sets in security keep cloud-based applications front of mind. IBM promoted him to lead after catching wind of the impressive work he did in the London insurance market, building collaborative cross-vendor solutions for a new target operating model that enables 9,000 U.K. financial services companies to work together.

“IBM never really had a cloud team that encompassed a lot of those different skill sets,” he said. “A lot of the traditional architecture always sat in resource pools within somebody else’s data center — but, of course, with the cloud, that’s all different now. They’re not using their own data centers anymore; they’re using ours.”

While Andi primarily works hands-on with clients on cloud-related transformation projects, he also gets to speak at conferences and, of course, engage with the education sector in both his day job and his volunteer work.

A member of the South Wales Cyber Security Cluster, Andi works with Cardiff’s three universities to make courses as relevant as possible according to the latest industry trends. That plays into the work IBM does with Exeter University, and may soon start doing with Warwick University and the University of the West of England.

“It’s about making a difference,” he said before launching into a story from last year when, at the height of the Petya and WannaCry ransomware outbreaks, he found himself in a war room on a weekend trying to reverse-engineer a client out of an attack.

“You know when you feel sick in your stomach, the nerves and anxiety? I’ve had it before when I used to work for a services company; we switched the system off once and it didn’t come back on,” he recalled. “You have this gut-sickness feeling. You’ve just done a lot of work, you’ve had no sleep, and you know you won’t get any sleep or food until this problem’s gone. It was exactly like that — that sick feeling.”

Why Security Leaders Need to Tell It Like It Is

Luckily, Andi was so close to the customer and had been so hands-on with the account that he was able to solve the problem and develop a watertight remediation plan. He even won an award for his work.

The key, he said, is his willingness to have frank discussions about security, even if it means telling clients what they don’t want to hear. Andi has found that this nontraditional approach helps him develop closer relationships with clients and break conversational barriers that would otherwise stymie progress.

“I think that clear, open transparency just resonates with customers,” he emphasized. “A lot of things were always taboo — certain things you didn’t say to certain executives, and certain things you didn’t cover — but if you want a real, secure solution, unfortunately you have to have those conversations.”

This transparency is especially crucial today, given the lightning-quick pace of change in the industry and ever-evolving nature of the cyberthreat landscape.

“The fact is, it keeps changing — and what’s right today might not be right tomorrow.”

That’s why Andi always has his eyes on tomorrow — both in terms of the threats his clients will have to contend with and the next generation of cybersecurity heroes that will defend them.

The post How Cloud Security Architect Andi Hudson Nurtures Today’s Youth to Protect Tomorrow’s Data appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Security Intelligence Staff

Chief Information Security Officer (CISO), CISO, Cybersecurity Jobs, Education, Incident Response, Skills Gap, Threat Intelligence, training,

How Can Industry Leaders and Academia Help Improve Cybersecurity Education?

Just as the field of cybersecurity grew out of information technology, cybersecurity education is evolving as an offshoot of the computer science field. The current state of cybersecurity course offerings as an underdeveloped computer science footnote is allowing the skills gap to grow. To change this, higher education has to address the theoretical and hands-on skills students need to do their jobs post-graduation.

Without sufficient expert staffing, security teams lack the resources necessary to do their jobs effectively; in this way, the skills gap itself is a significant security risk. How, then, can the industry educate the next generation at scale? While there is no one answer, let’s take a look at what’s going on in classrooms across colleges and universities to see how higher education can evolve to meet the needs of the industry.

How to Recognize Shortcomings in Cybersecurity Education

By taking a closer look at the actual cybersecurity training programs higher education currently provides, industry leaders can help draw the road map of where it needs to go. How can they improve its offerings without bankrupting students who are already spending tens of thousands of dollars on degrees that fail to prepare them for the real-world problems they will face?

Bo Yuan, professor and chair of the Department of Computing Security at Rochester Institute of Technology (RIT), acknowledged that many undergraduate degree programs in cybersecurity start out with common introductory courses in computing and mathematics, such as Computer Science I and II and Calculus, eventually ramping up to more specialized training.

“As they get further into the program, students at RIT take more cybersecurity-focused courses, including Introduction to Cryptography and Cyber Security Policy and Law,” Yuan said. “In master’s degree programs, courses often focus on the theoretical foundations of computing security and how to become leaders in the implementation of computing security and information assurance policies and practices.”

To ensure that graduates are able to successfully transition from the classroom to the security operations center (SOC), cybersecurity education leaders should expand and more deeply integrate their hands-on learning opportunities.

Why Student Outreach Is Crucial

With the hefty price tag on degrees these days, students need to be judicious in the programs they choose. But it’s also up to industry leaders to reach out to their future recruits and help connect them with opportunities. Although one-to-one engagement across school districts is impossible, any role security professionals can play is a significant investment in long-term cybersecurity strategy.

Steering students toward cybersecurity training programs that offer them the chance to detect, identify and respond to existing threats in a simulated environment will yield the best returns. Unfortunately, those opportunities are not equally available to all students, and many won’t have the exposure they need to recognize their specialized interests within computer science early enough to plan effectively to get there.

Collaborate to Offer Experiential Learning

Hands-on learning opportunities are essential for cybersecurity students, and many academic institutions, including RIT, enable students to gain experience through simulated real-world exercises. But the students need to know what’s out there before making career-defining decisions to specialize one way over another.

To that end, some security companies have already partnered with educational organizations to extend opportunities for such immersive training.

“We have a heavy hands-on component to the degree programs with labs and project assignments,” Yuan explained. “Additionally, RIT computing security students are required to do two terms of co-ops (paid internships) before graduation.”

Yuan noted that RIT students have engaged in cooperative educational experiences with organizations such as IBM, Eaton Corporation and government agencies. These experiences often lead to job offers before graduation; both students and recruiters are reaping the benefits of these arrangements.

Why It’s Important to Make Connections Early

Through internships and co-ops, students can develop strong cybersecurity skills in the field, which hiring organizations desperately need to keep up with the evolving threat landscape. The Advanced Cyber Security Center (ACSC) and the University of Massachusetts created the Cybersecurity Education and Training Consortium (CETC) to bring industry leaders and students together. According to a press release, “The CETC will connect higher education leaders with business leaders to promote academic programming in cybersecurity that aligns with the needs of Massachusetts employers.”

Higher education programs around the world should partner with the cybersecurity industry to learn more about the needs of students and professionals. Through these innovations, students and enterprises can gain efficient access to both learning opportunities and talent. By working together with institutions of higher learning, businesses can ensure that students come out of learning programs armed with an understanding of the existing threat landscape and how to monitor its constant change so that they are fully equipped to do their jobs.

The post How Can Industry Leaders and Academia Help Improve Cybersecurity Education? appeared first on Security Intelligence.

Author: Kacy Zurkus

Academia, Chief Information Security Officer (CISO), CISO, Cybersecurity, Cybersecurity Jobs, Education, Security Professionals, Skills Gap,

3 Creative Strategies to Narrow the Skills Gap

Confronting the skills gap is a challenge that has many in the cybersecurity industry confounded. With overworked security teams, an ever-expanding threat landscape and widening attack surfaces, the growing gap poses a serious challenge to the future of the security workforce.

The International Information System Security Certification Consortium (ISC2) looked at the cybersecurity skills gap more completely in its recent report, “Cybersecurity Workforce Study.”

Rather than making its calculations solely by subtracting supply from demand, the study looked at the percentage of companies that currently have open positions and considered the estimated growth of different-sized organizations. This builds an estimated gap based not only on current openings, but also future staffing needs.

“This more holistic approach to measuring the gap produces a more realistic representation of the security challenges — and opportunities — that both companies and cybersecurity pros are facing worldwide,” the ISC2 report said.

3 Out-of-the-Box Ways to Close the Cybersecurity Skills Gap

Sixty-three percent of the more than 1,400 respondents confirmed that their company has a shortage of staff dedicated to cybersecurity. Because of the shortage, 59 percent believe their companies are at moderate or extreme risk of cybersecurity attacks.

The good news is that there are ways to close, or at least narrow, the skills gap. For 48 percent of ISC2’s respondents, plans to increase cybersecurity staffing over the next 12 months are in the works. Whether it’s investing in cybersecurity awareness training, broadening the talent pool or partnering with local colleges and universities, organizations are getting creative when it comes to recruiting and retaining talent.

1. Expand Educational Resources

With an eye on the future of the cybersecurity industry, New York University (NYU) launched a citywide effort called Cyber NYC, according to NYU News. The goal of the initiative is to help fill the industry’s skills gap by providing educational training in cybersecurity.

“New York City needs to be ambitious about cybersecurity because our future depends on it,” said James Patchett, president and CEO of New York City Economic Development Corp. (NYCEDC) in a press release. “Cyber NYC will fuel the next generation of cybersecurity innovation and talent, leveraging one of the world’s greatest threats to create a major economic anchor and up to 10,000 quality middle-class jobs.”

2. Hire From the Public Sector

Another recently published ISC2 report, titled “Building a Resilient Cybersecurity Culture,” found that employees at government agencies bring a lot to the talent table. As such, many organizations have started recruiting directly from governmental organizations.

Of the 250 participants in the study, 50 percent of private organizations have successfully recruited talent from a government agency. Not surprisingly, the salary a private company can offer is attractive to those government workers who have undergone extensive training in the government’s battle against nation-state threat actors and organized cybercrime.

“One of the biggest draws to private industry, according to 67 percent of respondents, is salary,” the report said. “It’s no secret private companies generally pay better than government agencies, so it stands to reason many recruits from the government would welcome higher pay. Other deciding factors for government recruits include having a great leadership team (60 percent) and working for a mission-based organization (59 percent).”

3. Promote STEAM Education

While cybersecurity has long been a highly technical career, the roles and responsibilities of its job categories have expanded to the point that many of the jobs that need to be filled actually require nontechnical skills.

“The solution to the talent gap is understanding the roles and responsibilities for each position in the field of cybersecurity, so we can train people,” said Deidre Diamond, CEO and founder of CyberSN. “We haven’t had a common language to work from. Bridging the talent gap requires extreme focus on creating a common language.”

To advance talented candidates into both traditional and nontraditional roles while fostering inclusive hiring practices, Diamond co-founded Brainbabe. Through their work, the leaders of Brainbabe have found that teaching companies to shift from a focus on science, technology, engineering and mathematics (STEM) fields to STEAM (the “A” is for “all”) is a critical step toward narrowing the skills gap.

Executives and hiring managers need to understand the value of inclusion. Being inclusive means being open to the contributions of all candidates, regardless of the boxes they check on a traditional job application.

It’s Time to Reach Across the Skills Gap

At the 2018 Security Congress, Diamond noted that studies have already produced data to support the fact that a diverse team is better at problem solving because it can see everything from a 365-degree view.

If the industry is serious about hiring for perpetually vacant positions, it’s incumbent upon those in executive leadership positions to cast a wider net in their talent searches. Whether by offering greater educational opportunities or inviting broader skill sets, the only way for organizations to fill security jobs is to take a more open approach. It’s time to reach across the gap.

The post 3 Creative Strategies to Narrow the Skills Gap appeared first on Security Intelligence.

Author: Kacy Zurkus

Academia, Career, CISO, Cybersecurity Jobs, Cybersecurity Training, Education, Incident Response (IR), Internet of Things (IoT), Security Awareness, Security Leadership, Security Operations and Response, Security Professionals, Security Training, Skills Gap, Social Engineering,

Why Security Career Journeys Need to Start From an Early Age

It has never been more important to attract young people to the cybersecurity industry. With the global IT skills shortage predicted to increase to as many as 3.5 million unfilled roles by 2021, according to Cybersecurity Ventures, there is a growing need to educate those seeking out a security career so they can come prepared with the right skills for the job.

Why You Should Engage Students at a Young Age

Many organizations looking to hire young cyber talent support university programs. The challenge here is that university students have already been nurtured through the education system and will likely already have an understanding of what type of career they want to pursue. This approach thus excludes individuals who never had career guidance or opportunities that pointed them in the direction of the security industry. The talent pool to fill the skills gap would be much larger if organizations engaged with and provided more security career information to students at a younger age.

Having never received knowledge of the security industry during my own school days, I landed in this field thanks to the opportunities and connections from my previous roles. Thinking back to when I was at school, there were many kids who did not know what they wanted for a career, as well as those who wanted to be doctors, teachers, veterinarians — some of the typical roles the education system unconsciously pushes through the curriculum.

So, how do we help young people understand the vast amount of different jobs in the world? We tell them.

Public-Private Partnerships Expose Students to the Security Career Track

Some governments have implemented programs to help improve security job awareness, both within the school curriculum and through extracurricular activities. The U.K. National Cyber Security Centre (NCSC) already runs several initiatives under the CyberFirst umbrella, providing opportunities to young individuals looking to get into the industry.

But educating more people about security is not just the job of the public sector; organizations that hire security professionals also have a responsibility to help grow this talent pool. We need to empower young people and help them be open-minded about the careers they might embark on 10 years down the line.

Since 2016, IBM has been hosting CyberDay4Girls events to promote cybersecurity education for students in the U.S., Canada, Australia, South Africa and, most recently, the U.K. The most recent event, which hosted 92 13- and 14-year-old girls from Farnborough Hill in England, took place at the IBM Hursley research and development laboratory. The NCSC was also present to provide advice and information on the CyberFirst program, a great example of the public and private sectors working together to inspire young individuals about security. The event was also important as a means to show that there is a place for female security professionals in the industry.

On the day of the event, IBM Security employees led educational and interactive activities covering the Internet of Things (IoT), social engineering, security operations and incident response (IR). The day rounded out with some inspiring career journey presentations from IBM Vice President of Development Mary O’Brien and champion for women in cybersecurity, author, speaker and advisor Jane Frankland.

The Long-Term Benefits of Cybersecurity Education

The event was a huge success, with 95 percent of students rating it either good or excellent. We certainly enjoyed their engagement and curiosity.

Security professionals have a responsibility to provide career and education opportunities to students, and while these types of sessions are rewarding in the short term, the benefits we’ll see in the long term will no doubt be even more worthwhile.

Learn more about IBM Cyber Day for Girls


The post Why Security Career Journeys Need to Start From an Early Age appeared first on Security Intelligence.

Author: Laurie Gibbett

Academia, Compliance, Cybersecurity, Education, IBM Security, Incident Response (IR), Managed Security Services (MSS), regulatory compliance, Security Compliance, Security Professionals, Security Services, Skills Gap,

How Security Consultant Ben Goodrich Uses Physics to Navigate the State of Constant Change in Cybersecurity

There’s a labor shortage in cybersecurity, and the industry can’t get enough computer science graduates to fill the roles left empty in companies around the world. One way to tackle this shortage is to partner with a security consultant team to help deal with short-term challenges. Another option is to hire people with backgrounds outside of computer science and information security to bring in a new set of skills and help retrain and grow the company.

Ben Goodrich checks both of those boxes. A recent graduate with a physics degree, Ben works with IBM Security in the U.K. as a security consultant. He gets deployed to different companies and spends two to three months at a time working with their in-house teams. This type of role means every day is unique — and it also means he learns a lot about the industry, the latest trends and what clients are looking for.

“I’ll go wherever I’m told to go,” Ben laughed. “But when I talk to clients, it’s about understanding what they’re struggling with at the moment, and bringing in the experience — both my own and the wider IBM business — and seeing what we can do to help the client out.”

At one recent job the client didn’t have a clear idea of how to show that it complied with a new regulation related to essential national infrastructure. Ben was part of the team that showed the client how to demonstrate compliance and worked with it to complete the process.

Every Day Brings New Challenges for a Security Consultant

While every challenge is unique, Ben said he has started to see patterns emerging even though he’s only been in the role a short time. The skills gap is one of the big recurring themes.

“Sometimes clients are still trying to hire for roles, but sometimes they actually don’t want to have a really highly skilled security architect or response person,” he said. “Firstly, they’re really expensive, but they’ll also get bored if they’re sitting there not being engaged every day. That’s why clients work with someone like IBM that has a range of really skilled people that you can bring in and out as you need.”

The opposite is true, too: Some organizations have teams of highly skilled security professionals who have been at the same company for decades and are thus isolated from the rest of the industry.

“Security changes so quickly; best practice changes and what people in the industry care about changes so quickly,” he said. “We are coming in as the trusted advisor. We’re coming in and filling gaps, but also working in partnership longer-term to advise on everything cybersecurity.”

In his third year at IBM, Ben loves the constantly shifting nature of being a security consultant. He enjoys going to client sites, speaking with them about their challenges and finding the solution that will work best. It’s about bringing together not only the knowledge of that particular client, but also experiences from across other client sites.

A State of Constant Change

A fascination with pulling things apart and putting them back together to figure out how they work is what led Ben, a Norfolk native, to study physics. He ended up in cybersecurity because, while he loved the field of physics, he craved constant change.

“It can literally change day to day because there will be a story in the news, and then it’s what about us? What are we doing to protect ourselves against ransomware or malware or WannaCry or whatever it is? That’s what really attracted me to cybersecurity.”

While cybersecurity wasn’t the plan for Ben when he chose his academic path, he does encourage students to get involved with science, technology, engineering and mathematics (STEM) fields.

“I did physics, so I’m quite biased, but I think STEM subjects are really important,” he said. “I’d actually say even if you are on an arts track, and even at GCSE and A levels, it’s useful to have one or two STEM subjects as well just to prove you do have those analytical skills, the ones cybersecurity companies are looking for.”

But education is only one part of what makes someone a great candidate for a career in cybersecurity. More important than a candidate’s field of study, Ben argued, is a sense of curiosity and an itch to innovate.

“If you bring enthusiasm and a willingness to learn, you’ll go far,” he said. “Whoever you are, whatever your degree, there has to be that willingness to learn new things and stay on top of changes.”

For Ben, this includes a willingness to travel. The international nature of IBM Security is one of the things Ben loves about his job — but the recent university graduate isn’t getting ahead of himself.

“I’d love to work abroad at some point,” he said, “but it’s about building a reputation for myself first.”


The post How Security Consultant Ben Goodrich Uses Physics to Navigate the State of Constant Change in Cybersecurity appeared first on Security Intelligence.

Author: Security Intelligence Staff

Data Breach, Data Protection, Education, Incident Response, Incident Response (IR), Incident Response Plan, National Cyber Security Awareness Month (NCSAM), Phishing, Phishing Attacks, Phishing Emails, Risk Management, Security Awareness, Security Training, Social Engineering, Spam, Threat Intelligence, User Education,

Why You Should Practice and Drill to Prepare for a Cyber Emergency

Nowadays, businesses operate in a ubiquitous computing environment, relying on information technology to enable the speed and agility of modern business practices from payroll to public offerings. With the vast amount of email content and links that are populating employee inboxes, just one click on a phishing scam can cause a cyber emergency that results in the loss of millions of dollars and customer loyalty — not to mention a lengthy remediation process that amasses additional costs over time.

Spammers Don’t Take Days Off, So Neither Should You

According to the Ponemon Institute’s “2018 Cost of a Data Breach Study,” the average cost of a data breach globally is around $3.86 million. The cost of a mega breach — an event that involves the loss of 1 million to 50 million records — is between $40 million and $350 million, depending on the number of compromised records.

Of the security events recorded in the study, 48 percent were caused by malicious or criminal attacks, including the use of phishing and social engineering techniques to gain unauthorized access to corporate networks. Inboxes are slammed with spam every day of the week, increasing the odds of successful compromise.

The IBM X-Force Kassel research team operates a network of globally distributed spam honeypots, which collect billions of unsolicited email items. Last year, the research team pulled a sample of worldwide data to gain insight into when attackers’ spam bots were the most active.

A look at the same sample size from 2018 echoes last year’s findings: Spammers never rest. However, they are primarily active on Tuesdays and Wednesdays, clocking in at 21 percent and 22 percent, respectively. In addition, they tend to take a less aggressive stance on Saturday (4 percent) and Sunday (9 percent), when offices are less populated and therefore not as target-rich an environment.

[Figure: spam activity by day of the week, 2018 honeypot sample]

A 5-Step Approach to Avoiding a Cyber Emergency

Any coach or instructor will tell you that you get what you train for. In the heat of the moment, our practiced reactions determine the speed and course of our actions. To provide better online security throughout the organization, user vigilance must be a practiced part of the daily workflow.

The U.S. Fire Administration outlined five key components for designing an effective fire safety education program. In cybersecurity, we can apply that same approach to train personnel to consistently avoid the flames of phishing and react effectively to inadvertent compromise.

1. Assess Your Environment

Begin by gathering information about your workforce and network security posture to identify where risks and vulnerabilities may exist. If you’re going to build a safe and consistent security environment, governance is key. Employees must understand what the organization deems right or wrong. Likewise, network defenders should be well-versed in existing policies and procedures for addressing cyber emergencies.

Using examples of previously successful breaching techniques — such as mimicking the phishing scams that already made it through the organization’s safety net — can help you determine how familiar employees are with the dangers of current-day deception and social engineering scams. Meet with IT managers to learn what procedures are in place to help protect against exposure and minimize risk. This is also a great time to ask network defenders about secure email gateways, orchestration and automation, password protection, and two-factor authentication (2FA).

Finally, whether hosted locally or in the cloud, a best practice for email security is to take a layered approach. Digital fortification — from the network perimeter down to individual device hardening — that is built into corporate IT planning can help reduce exposure and risk.

2. Develop a Clear Escalation Map

Every emergency action plan needs to identify key internal and external stakeholders. Who should respond and who needs to be notified if a malicious link is accessed and the network is set ablaze?

Speed and calmness are everything in this moment. Companies that have an in-house incident response (IR) team or an on-call service to confirm and respond to a breach stand to substantially reduce losses in the event of a compromise. According to the “2018 Cost of a Data Breach Study,” companies with a low mean time to identify (MTTI) a breach — less than 100 days — saved more than $1 million. Likewise, companies with a low mean time to contain (MTTC) a breach — less than 30 days — saved more than $1 million compared to those that took longer than 30 days.

A company’s IR plan should clearly outline who to contact in different departments and ranks — in network security, the C-suite and the IR team component, but also the PR team and the company’s legal counsel. The plan should make it easy to reach them, know their responsibilities and have a clear view of their resources for carrying out mission-critical functions in the event of a cyber emergency.

3. Plan and Implement Your Incident Response

Once you have analyzed your risk environment and identified stakeholders, it’s time to establish objectives and create a plan of action. In case of suspected activity, employees should be able to recognize a phishing scam, whether via email or on the phone, and react appropriately as part of their everyday workflow. To do this, you need to recognize, react and repeat.


Establish what “normal” looks like to help personnel readily identify what key indicators should not be trusted. For example:

  • Was the email solicited or did it come out of the blue? While some criminals craft very personal emails, most cast a wide net that can be avoided.
  • Do you recognize the sender, and does the domain check out?
  • Does it read, and is it formatted, like a legitimate email?
  • Do the embedded links point to authentic domains?
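One way to turn the checklist above into a repeatable triage check, as an added example that is not part of the original post: the script below applies the sender-domain, display-name, Reply-To, pressure-language and link-target checks to raw messages. The trusted domain, brand name, keyword list and both sample messages are constructed for the example.

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list for the example: the organisation's own domain and
# the brand name a spoofed display name would borrow.
TRUSTED_DOMAINS = {"example-corp.com"}
TRUSTED_BRAND = "example corp"
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account")


def registrable(host: str) -> str:
    """Last two labels of a hostname (simplification: ignores suffixes like co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(header: str) -> str:
    """Registrable domain of the address in a From or Reply-To header."""
    _, address = email.utils.parseaddr(header)
    return registrable(address.rpartition("@")[2]) if "@" in address else ""


def host_from_text(text: str) -> str:
    """Hostname if the visible link text itself looks like a URL or domain."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    return urlparse(text if "://" in text else "http://" + text).hostname or ""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw: bytes) -> list:
    """Apply the checklist to one raw message; an empty list means no findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_header = msg.get("From", "")
    display_name, _ = email.utils.parseaddr(from_header)
    from_domain = domain_of(from_header)
    # Does the sender's domain check out, and is the display name borrowing our brand?
    if from_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain not trusted: {from_domain or '<none>'}")
        if TRUSTED_BRAND in display_name.lower():
            findings.append("display name impersonates a trusted brand")
    # A Reply-To that routes answers somewhere else is a classic mismatch.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain differs from sender: {reply_domain}")
    # Does it read like a legitimate email? Pressure language is one signal.
    if any(word in msg.get("Subject", "").lower() for word in URGENCY_WORDS):
        findings.append("subject uses pressure language")
    # Do embedded links point to authentic domains, and does the visible text agree?
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            if registrable(href_host) not in TRUSTED_DOMAINS:
                findings.append(f"link points to untrusted domain: {href_host}")
            text_host = host_from_text(text)
            if text_host and registrable(text_host) != registrable(href_host):
                findings.append(f"link text '{text}' hides target {href_host}")
    return findings


# Constructed samples: a spoofed helpdesk message and a genuine internal notice.
PHISHING_SAMPLE = b"""\
From: "Example Corp IT" <helpdesk@examp1e-corp-login.net>
Reply-To: collect@attacker-mailbox.example
To: jane@example-corp.com
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>Sign in at <a href="http://login.examp1e-corp-login.net/x">https://portal.example-corp.com</a></p>
"""

LEGITIMATE_SAMPLE = b"""\
From: "Example Corp IT" <it@example-corp.com>
To: jane@example-corp.com
Subject: Reminder: quarterly phishing drill results
Content-Type: text/html

<p>Results: <a href="https://intranet.example-corp.com/drills">intranet.example-corp.com</a></p>
"""
```

Running `check_message` on the spoofed sample returns six findings (untrusted sender domain, borrowed brand name, mismatched Reply-To, pressure language, an untrusted link target and link text that hides that target), while the genuine notice returns none.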


Identify the next steps that personnel should take when something alarming appears. Is the organization set up to enable quick and effective reporting of suspicious emails and activity? Ensure that any employee can easily report an issue to IT security and the IR team. If a user identifies something malicious, a referenceable policy should be in place that clearly states where to forward it and how to flag it. Statistics should then be captured from these events and used to help establish trending threats.

If an employee has already clicked a link, identify what needs to happen next to correct the situation, from pulling the plug to quarantining the network. If a larger issue is confirmed or an attack is underway, each corporate player should know his or her role. Decisive action can save priceless moments when reacting to a digital threat.


Drills should happen monthly or quarterly, and twice as often during the holiday season. After all, what’s more enticing than a gift card during the shopping season? Security-savvy reactions aren’t built in a day; they become a part of the culture, a practiced reaction to inbox items that look and smell “phishy.”

4. Market Your Plan to Management and Teams

Gone are the days when droning through a stale slide deck will satisfy a training requirement. People learn in a variety of ways; if you want employees to remember and adhere to your plan, it needs to be engaging. Those in charge of security awareness training would be wise to reach, frame and connect their content with the target audience, a practice known as role-based training, to fit each role’s specific risk factors and likely attack scenarios.

Training needs to be memorable and interactive, so don’t skimp on quizzes, visual reminders, mock phishing campaigns and even companywide giveaways. There’s nothing like a security reminder on a new thermal cup. A spoonful of sugar is a small price to pay to boost organizationwide security awareness.

5. Evaluate Your Plan, Then Evaluate Again

An unexamined plan isn’t worth practicing. Training must be systematic to yield results. Simulate relevant attack scenarios that may affect the organization as authentically as possible and collect the stats on response times and accuracy. Do it again in a quarter, in a month or at random. Crunch the numbers and compare the results. Are employee responses improving? If not, how can the program be improved?

Remember to systematically return to the first step in this approach: assess your environment. In addition to internal review, an outside set of professional eyes on your network to perform periodic penetration testing can help expose previously undiscovered vulnerabilities. Criminal phishing methodologies and the ways by which they target employees are evolving every day, and a good IR plan should too.

Empower Your Users to Adapt to Evolving Threats

The need to establish a corporate culture of cyber awareness has become an accepted tenet of digital enterprise security. To help online safety become second nature across the organization, employees must be able to recognize the sparks of all kinds of scams and learn to react appropriately. Employers, in turn, must give their users the resources they need to continuously adapt to evolving threats and act as a protective layer that can help avoid losses from a cyber emergency.

The post Why You Should Practice and Drill to Prepare for a Cyber Emergency appeared first on Security Intelligence.

Author: Claire Zaboeva