When the term “reality check” is used, it’s intended to get someone to recognize the truth about a situation. In a fast-moving industry like cybersecurity, reality checks from its leaders are necessary. Thinking pragmatically about the solutions to our biggest challenges helps drive the industry forward. 

I recently sat down with Splunk global advisory CISO Doug Brush on the Agent of Influence podcast, a series of interviews with industry leaders and security gurus where we share best practices and trends in the world of cybersecurity and vulnerability management. During our conversation he shared three major cybersecurity reality checks: 

• Most tools out there are going to be part of the picture, but they’re not going to solve everything. The slow progression of incident response today is not a technology problem.
• Chinese-based organizations, such as DJI Drones and TikTok, have much in common with the Bay Area tech community. We have a lot to learn from them.
• A top-down mentality must be applied to mental health in cybersecurity. Prioritizing mental health should be adopted at the C-Suite level.

Read on for highlights from our conversation around the evolution of incident response, security practices at Chinese-based organizations, mental health in cybersecurity, and more. You can listen to the full episode online here, or wherever you listen to podcasts.

Nabil: You’ve done many different incident response investigations. How that has that evolved over time – or over the course of your career?

Doug: I wish incident response has evolved more. I would say it’s a slow evolution. Early on, it was very manual process to parse things. Say if you’re doing dead box forensics, or even memory forensics to a large degree, there weren’t tools that could automate some of those processes. 

By no means is a tool an answer to all problems, but it’s going to help build efficiencies if you understand the process. We had to deconstruct things in hex editors, it was a very manual process and took a very, very long time. Now, you can script automate a lot of those and these tools can build databases – so that’s gotten better.

When I see things like the SolarWinds incident, we focus on the TTPs around how somebody gets in. And once they get in, they move laterally, privilege escalation, build backdoors, get domain, get other accounts, and build this persistence mechanism. We’ve been tracking this since 2006/2007. There’s nothing new about it. And that’s the frustrating part to me. While we think some of the technologies evolved to allow us to be more efficient, some of the root things that we should be looking for, we are not. I think there needs to be a greater focus on detection and response and building our response capabilities, as opposed to an afterthought past defense.

Nabil: Is there a reason why that hasn’t happened yet, or why it’s taking so long?

Doug: It’s hard. And it’s not a technology problem. I work for a technology vendor, I would like to say. “we’re the best in the world and we can stop everything, detect anything,” but that’s not the reality. Most of the tools out there are going to be part of the picture, but they’re not going to solve everything. 

When you look at the entire security operations, it’s going to be people, process, then technology. Technology is only a small percentage, it’s not your entire program. We get really excited about cool, new shiny objects. We all go to Black Hat and RSA, and we all pat ourselves on the back that all these new things are coming out. The reality is that we’re solving the same problems we saw 30 years ago. We don’t have good asset inventory. We don’t have visibility of our environments.

Nabil: Let’s shift gears to talk about a topic that I quite enjoy. I would love to learn about your work with various Chinese based organizations – DJI Drones and TikTok. In particular, what do you think about the privacy and security concerns that people bring up about using their technology?

Doug: It gets overly politicized at times. Inevitably, the Chinese government has their agenda, and I would add the blanket statement that there are also a lot of Chinese companies that don’t necessarily align with how the Chinese government operates. Some of these companies I’ve talked to have said, “You folks in the U.S. think we’re the enemy and think we’re stealing all this data. But we’re just a startup.”

The thing that surprised me most in Shenzhen was that the tech center reminded me of the Bay Area. It was very westernized and had a startup vibe with many young professionals. That’s the fallacy that we have: they’re against us. We don’t realize how much we have in common. They have a distrust of their government, just as we have a distrust of our own government. They have a mentality of “trust but verify” more than we appreciate. They have some built out documented and thoughtful programs when it comes to governance and organization.

In reality these companies are trying to create cool products just as we are. The reason DJI Drones became so popular is because they work really well. They built a vertically integrated manufacturing process where they weren’t using third parties – they had control over their supply chain. They manage third party risk well in advance. There are a lot of things that these organizations do that allow them to be competitive in the capitalistic and development space that we need to learn from. 

We have to change this mindset that, because you’re in a specific country, you have to share the viewpoints of whatever the loudest political party is at that time. We need to try to look at things in a more pragmatic and realistic way.

Nabil: You’re a big advocate for mental health. It’s a huge issue and an area of focus today in the security industry, especially due to things like staffing shortages and burnout. What advice do you have for security leaders when addressing mental health?

Doug: Yeah, it’s a tough one, there’s no doubt about it. The last few years have been particularly tough, but it’s an issue that’s been coming up for a long time that we don’t talk about enough. First of all, we need to have honest and frank discussions about it. There was a nominated study in 2019 that looked at global cybersecurity professionals. 91% of the CISOs surveyed said that their stress levels were suffering and 60% felt really disconnected from their work role. In the U.S., almost 90% of CISOs have never taken a two-week break from their job. And a lot of them feel that a breach is inevitable in their environment. 

We talk about top-down security and top-down leadership, which should go for mental health too. It has to be something that is adopted at the board and C-Suite level. Leaders should recognize that they’re only as good as the people that are working for them… when they’re at their best. Humans aren’t batteries, you can’t just revolve through them. The cost of acquiring the good cybersecurity professional right now is very high and CISOs are even harder to find and you don’t want to be churning through these people. Continuously hiring people, training them, and getting them onboarded, increases the cost and reduces efficiencies. We need to change this idea of how we hire. 

I would say it’s changed since I started in consulting. It was very easy to continue this idea that you had to work 80-90 hours a week. More of the folks that I’ve hired in the past decade or so have focused on balancing mental health. We shouldn’t expect someone to work overtime each week if we want the best from them. Happier staff results in better work, more efficiencies, higher employee retention – which, in turn, results in happier customers and more top line revenue.

When people feel the best, they perform at their best. This idea that it’s mental health versus business is a zero-sum game. If we construct that from the leadership level down and appreciate the fact that you can do more to retain your employees by giving them a better self-care environment, they’re going to be better employees for you. Investing in employee health, mental health, and wellbeing is non-negotiable. 

Nabil: Can you also share a little bit about the neurodiversity initiatives you’re supporting at Splunk?

Doug: The mental health aspect is just one part of the neurodiversity journey. When we talk about diversity in the workplace it should also include neurological differences like autism, ADHD, mood, and other functions. These have historically been viewed with a negative perception, but they’re just natural variation in the human genome. These folks have exceptional abilities alongside what is traditionally been viewed as a “disability.” Recognizing that it’s not something that needs to be fixed is a shift that needs to be adopted and supported. 

Instead of saying, “thou shalt think like we do,” it’s this idea that a diverse mental environment is going to give you more candidates, and probably a better output. When I’ve had a diverse staff and we all get in the room, I don’t get affinity bias. My greatest fear is that I’m going to build my own echo chamber of people telling me what I want to hear. We need diversity in thought to increase better output for our customers. You’ll find that you get a better outcome overall when you bring a lot of different people to the table.

For more, listen to episode 33 of Agent of Influence. Or, connect with Doug on LinkedIn, Twitter, or listen to his podcast, Cyber Security Interviews.

Nabil Hannan

The cybersecurity talent shortage has troubled organizations for years. Whether you work for a large enterprise, financial institution, a services firm, or anything in between, it’s likely that you have cybersecurity roles listed on your website today that have yet to be filled. With the reported increase in cybercrime and sophistication of attacks, the demand for cybersecurity talent is at an industry high.

ISACA’s State of Cybersecurity 2020 reports that 62% of IT and security leaders surveyed say their cybersecurity teams are understaffed. Plus, those who took longer to fill cybersecurity positions reported more cyber attacks.

The (ISC)² Cybersecurity Workforce Study 2020 reports nearly identical numbers: 64% of the cybersecurity professionals surveyed reported staff shortages. The study also revealed that the Global cybersecurity workforce gap – the difference between the number of skilled professionals that organizations need to protect their critical assets and the actual capacity available to take on this work – was 3.12 million in 2020.  

In other words, we’ve got our work cut out for us – and it’s clear that, as an industry, we need to reimagine our hiring efforts to keep pace with the demand. In this blog, we’ll discuss how the events of the past year have reshaped hiring, creative recruitment ideas, hiring challenges, and why employee retention is key. Bonus: NetSPI’s COO shares advice to help narrow the talent gap while essential cybersecurity positions remain unfilled.

The COVID-19 pandemic has reshaped hiring

The COVID-19 pandemic has caused rapid change in the way we work – and the way we hire. Largely, it has given organizations more flexibility to find the best talent. Dependent on the position, recruitment efforts are no longer bound by geography, and we have the ability to source the best talent regardless of where they live.

Tsedal Neeley, a professor at Harvard Business School and author of the book Remote Work Revolution: Succeeding From Anywhere, communicates this point perfectly in a recent NPR article: “We have changed. Work has changed. The way we think about time and space has changed. Workers now crave the flexibility given to them in the pandemic — which had previously been unattainable.”

Aligned with this sentiment, it is a job seekers market. We’re in the midst of what many are calling “The Great Resignation.” More than ever, employers need to put their best foot forward, offer flexible work options, and understand that work must accommodate life – not the other way around.

7 creative approaches to recruiting

Ask any organization about their primary recruiting channels and the standard answers you will likely receive include popular job sites (LinkedIn, Indeed, etc.), job fairs, and staffing firms. However, there are many creative ways to step outside of those bounds and get creative about where you source your cybersecurity talent. In the name of information sharing, here are seven ways NetSPI has discovered some of its best talent:

1. GitHub: Are there open source tools that your technical team use on a regular basis? Look to see who has contributed to those tools for potential candidates. 
2. Twitter: The security community is very active on Twitter. Explore hashtags specific to your organization (#penetrationtesting) or follow along with topical dialogues and threads. Often, you’ll come across a public thread of candidates actively looking for cybersecurity work.
3. NetSPI University (NetSPI U): NetSPI U is a full-time, paid training program that focuses on pentesting. It’s geared toward entry level security professionals that want to get started in the space. The result? Qualified technical talent who understand our technologies, processes, and vision. More on this later.
4. Meetups: Continued engagement with security organizations such as OWASP, DEFCON, and others have been instrumental in growing our network of candidates.
5. Referral Program: In 2021 alone, we have hired 20 employees as a result of our employee referral program. We trust our employees to recommend the best talent in their network.
6. Re-Hires: Given the flexibility of remote work, we were able to reengage with many past NetSPI employees who had moved where there was not a NetSPI office location.
7. Investing in Internal Recruiters: While staffing firms are certainly helpful, we believe that investing in internal recruitment resources produces the best results. Because we’re boots-on-the-ground at NetSPI each day, we understand the organization’s standards and know exactly what to look for, from technical skills to culture fit.

Cybersecurity hiring challenges

The fact that the cybersecurity industry has a 0% unemployment rate could be seen as the industry’s greatest challenge, but it’s also an opportunity. An opportunity for employers to recognize that the hiring process is a two-way street and, just as employees need to communicate why they would be the best fit for a given position, employers must effectively communicate their strengths, perks, and get competitive about what they have to offer. Ultimately, it’s increasing the urgency for organizations to create a positive candidate experience for applicants.

Another major challenge specific to cybersecurity is the high level of standards that are set for technical security professionals. There is little room for error in this industry as one mistake could result in a detrimental outcome. We take pride in the high-quality work every NetSPI team member produces and it’s important – and an ongoing challenge – to find technical talent that is in alignment.

The security industry has countless disciplines. Cloud security, application security, network security, the list goes on – not to mention the subcategories within each discipline… AWS, mobile apps, IoT, etc. There are many different areas of security that people can specialize in, but we’ve noticed a lack of candidates with a strong focus in a niche area. While there are benefits to having a well-rounded candidate, it is particularly difficult to hire for a specific cybersecurity need today.

Finally, barrier to entry is very high in the security industry. That’s why we developed and continue to invest in NetSPI U, our training program for entry-level penetration testers. Often, the requirements on job descriptions are too stringent to open the door to new candidates with a passion for cybersecurity, but perhaps do not have a traditional security background or education. It features hands-on labs and opportunities to shadow some of the most brilliant minds in security. It gives entry-level security professionals the foundation to jump start their career. 

Learn more about NetSPI U and apply for our next NetSPI U class online here.

Employee retention should be the priority

Above all, investing in the growth of your existing team and retaining top talent is key to closing the talent gap. If you invest in your current workforce, people will be more apt to want to join your team.

Employee retention remains a priority for NetSPI, which is why we achieved an industry-high retention rate of 92% in 2020. Pulling from our 2021 Top Workplaces survey results, here are the top five reasons people stay with us.

• Collaboration: Collaboration is one of NetSPI’s brand pillars. One quote from the Top Workplaces survey summarizes this well: “The people I work with are dedicated to making sure everyone succeeds to the best of their ability – and enjoys working along the way!” 
• Fun: We take pride in the relationships our employees have with one another. The ability to create an environment where employees enjoy their work is essential to the success of our organization.
• Talent: The caliber of people our employees get to learn from and work with is a huge draw for NetSPI. Top talent attracts top talent.
• Growth: We don’t give our employees a ceiling for growth. We cross-train and hire within when possible. We believe in promoting people who can do the job, and do not base growth on years of experience. An indicative quote from the Top Workplaces survey: “Career growth is always visible and in reach.”
• Innovation: Something we do well is creating technologies that solve common problems not only for our clients, but also for our services team. The more we can automate redundant, time-consuming tasks, the more time our consultants can focus on finding the vulnerabilities that tools cannot.

Beyond hiring: 3 alternative actions that can help narrow the cybersecurity talent gap

It is important to note that today’s cybersecurity talent ‘crisis’ does not have an overnight solution. However, there are some things organizations can do in the interim to address the growing demand for talent today. We spoke with NetSPI Chief Operating Officer (COO) Charles Horton to learn what steps organizations can take to narrow the gap. Here’s what he had to say:

Automation is a critical tool for narrowing the cybersecurity talent gap. Without automating the more tedious, administrative tasks, security practitioners will not have time to focus on the strategic work at hand – or professional development activities. Keeping talent focused on the more creative, strategic work they enjoy and allowing tools to do the administrative work will keep teams engaged. Also, automation helps keep the team interested in their work and gives them opportunities to build their skills as they support key security initiatives. 

Cybersecurity leaders continue to be challenged by filling roles that require candidates with mid- to senior- level experience – and entry level job openings continue to be in high demand. Companies will need to do more with fewer people. To accomplish this, the adoption of program-level or ‘as a service’ partnerships with third parties that can provide dedicated support and capacity to keep key security initiatives running as an extension of the internal security team. This allows security teams to be agile and flexible with their talent as needs arise.   

Companies that can think outside of the box can take a creative approach to narrowing the cybersecurity talent gap. This would require building training programs that could be delivered internally, through external partners, or a blend, in combination with targeting candidates that may not have an exact match from a skills perspective but have a core set of skills that could be leveraged to accelerate training. These hiring and training tactics could yield a skilled workforce in cybersecurity where opportunities were not initially visible. 

If there’s one thing we love most about the cybersecurity industry, it’s the willingness to share big ideas and new concepts with one another. If you have recommendations for closing the talent gap or are curious about a career at NetSPI, reach out to jobs@netspi.com.

Heather Crosley

Dina Soulek

Last year was an interesting year for cybersecurity. As the pandemic caused chaos, adversaries capitalized on it. In the first half of 2020, Neustar saw a 151 percent increase in distributed denial-of-service (DDoS) attacks. While we saw the bulk of those attacks in May, things didn’t slow down in the second half of the year. In fact, DDoS attacks continued to grow, peaking in September when Neustar mitigated over 3,100 attacks alone. Neustar mitigated over 25,000 DDoS attacks in 2020, and even now, in 2021, we are still seeing attacks at a higher rate than before the pandemic. 

As things begin to “normalize,” we are seeing a handful of cybersecurity trends emerge as a direct result of the pandemic. From my discussion with NetSPI’s Nabil Hannan on the Agent of Influence podcast, here are four cybersecurity trends to watch throughout the second half of 2021 and beyond.

Ransom-related DDoS attacks:

One of the most interesting findings from our DDoS research was the reemergence of ransom-related DDoS (RDDoS) attacks, where the targeted organization receives a ransom note that claims if they don’t pay, the adversary will attack their infrastructure. This technique has been around since the 90s, but it started coming back in vogue late last year. 

By now, we are all aware that ransomware is running rampant. You see attacks like JBS and Colonial Pipeline making headlines, but we often do not hear about other attacks, like RDDoS attacks, that are taking place. What is shocking to me is the number of emergency mitigations my team is handling and the frequency of those attacks – we are addressing RDDoS attack threats at a rate of nearly five per week.

The increase in ransomware and RDDoS attacks brings up the dilemma of whether organizations should pay the ransom or not. My take is that a company should make the right business decision that makes sense for them, their board, their industry, and their consumers. After all, they are the ones who understand how their business model is structured. 

While I believe paying the ransom puts a target on your back, it is a question that doesn’t have a straightforward answer. The adversaries are great at what they do and they’re only getting better. It’s up to organizations to shift their mindset to proactively think about security – and it shouldn’t take a disaster to make this shift. Now that it has gone mainstream, everyone has to make sure they’re prepared for a ransomware attack. Investments made in cybersecurity today will pay dividends when an attack occurs in the near future.

Managing 5G security:

The growth of 5G is another area to watch. I see it drastically changing the cybersecurity landscape, specifically around how it will change how all devices are connected, and interconnected, to the world around them. 5G has nearly 100x the bandwidth that we had in prior generations, and it allows devices to directly connect to the network. Regardless of what you do for cybersecurity protection today, every threat gets amplified when you add 5G into the equation.

One of the biggest challenges in cybersecurity is knowing who is connecting to your infrastructure. This becomes even more critically important with 5G because many devices in the future will not be behind a firewall, a VPN, nor a NAT (Network Address Translation). I anticipate we will start to see two shifts in the attack landscape as a result of 5G. First, more attacks will be launched from mobile and other small devices. Second, attacks will target personal islands of security instead of larger infrastructures.

Cybersecurity staffing:

Studies say that the pandemic has accelerated the way we work by six to 10 years. In other words, there was an expectation that in six to 10 years we would be in the type of hybrid work environment we now find ourselves in – working from anywhere, and at any time. It has expanded our attack surface and increased our need for more robust cybersecurity efforts. 

One thing that keeps me up at night is the fact that the cybersecurity unemployment rate is 0%. This year, experts anticipate 3.5 million open cybersecurity jobs – enough to fill 50 NFL stadiums. As security professionals, we have to be right 100% of the time and the attacker only has to be right once. For that very reason it is worrisome to think about what we are going to do when these attacks start to really ramp up and scale and we cannot fill enough security roles to keep up. 

Too many security tools: 

There is not a single tool out there that can check all the boxes. If a tool claims it can do 17 great things, it’s more likely that they’re doing 17 things, but none of them are great. It then becomes a lot of plug-and-play, and we end up buying tools based on the marketing hype, as opposed to the true reason we should implement something into our infrastructure. 

As people become more reliant on the marketing promises, it opens more avenues of exposure. A tool is only as good as the process it is meant to augment or facilitate. As cybersecurity professionals, it is important that we focus on vigilant processes to ensure we are protected from threats. We have to continuously stay updated on our current patch levels, be diligent with account management, and focus on protecting what is critical to our business first and build from there. Hardened processes augmented by appropriate tools will help keep your infrastructure, business, and employees secure.  

There is a lot to consider as we move into the second half of the year and uncover the lasting technological impacts of the COVID-19 pandemic. Listen to episode 31 of Agent of Influence to hear more cybersecurity trends and insights.

Michael Kaczmarek