Cybercriminals are increasingly finding new ways to hack into organizational networks to cause mass disruption and steal sensitive personal or valuable corporate data. While achieving good cybersecurity is a multifaceted challenge, the cybersecurity skills shortage we are experiencing today is adding to the problem and leaving many organizations struggling to keep up with the ever-changing threat landscape. Globally, more than three million jobs are currently unfilled, making it harder to prevent cybersecurity incidents.
In 2018, the Cybersecurity Tech Accord participated in the annual conference organized by the National Initiative for Cybersecurity Education (NICE) in United States. The conference, along with numerous studies that were published in late 2018, highlighted the rapidly increasing gap in the number of cybersecurity professionals available to fill critical roles in the workforce today. The event and these recent studies have underlined the inescapable reality that action in this space needs to be taken to address this growing problem, and quickly.
NICE is a wonderful example of what needs to be, and can be, done if different stakeholders come together to address complex problems. In fostering a partnership between government, academia, and the private sector, NICE has already helped expand the cybersecurity workforce by accelerating necessary learning and skills development, nurturing a diverse education community, and guiding career development and workforce planning. However, by now it is also clear that any meaningful intervention will only start bearing fruit in a few years’ time, and that innovative approaches to safeguarding global security and economic prosperity are needed today.
To demonstrate its public commitment to improve the security, stability and resilience of cyberspace, the Cybersecurity Tech Accord today published a whitepaper on, “Addressing the cybersecurity skills gap through cooperation. education and emerging technologies”. The whitepaper underscores the critical need for industries to adopt and implement emerging technologies such as Artificial Intelligence (AI) and machine learning, among others, to increase cybersecurity and scale responses in an environment in which cybersecurity positions remain unfilled by qualified professionals, and current cybersecurity teams are being stretched thin.
We believe organizations that continue to address their cybersecurity needs strictly by relying on understaffed workforces put themselves and their customers at greater risk from sophisticated, large scale cyberattacks that are increasingly heavily automated by machines, especially in the near-term. As an example, while a human hacker can spend several hours on multiple attempts to take control of a single company’s network, a malicious bot can compromise computers to launch denial of service (DoS) attacks, seek out and exploit several known vulnerabilities, scan a company’s network, and steal and dump credentials for other vulnerable machines all within minutes. Enterprises that adopt artificial intelligence (AI) and machine learning, among other emerging technology solutions, will be able to further navigate this increasingly malicious landscape and counter sophisticated attacks, allowing software to fight software in an innovative, fast network.
However, we recognize that these tools will not solve the problem. We need to do more, on education, on technology, and on ensuring cybersecurity is treated as a business priority. Therefore, the Cybersecurity Tech Accord signatories urge both policy makers and the industry to:
- Support reform in education: Give greater priority to STEM curricula and career paths that adequately prepare future generations to work with emerging technologies.
- Establish cooperation between government, academia and industry: Use public private partnerships to identify the cybersecurity skills that are particularly needed, and also to determine how these can be addressed, e.g. through dedicated university courses or certified trainings with the private sector.
- Make the adoption of emerging technologies a strategic business priority: Technologies, such as AI and cloud computing can enable a smaller number of IT professionals to centrally manage certain aspects of security, e.g. patch management or administrative privilege access rights.
- Prepare for automation of cybersecurity skills: In the near future many cybersecurity functions will be automated. As a result, cybersecurity professionals will have to trained to add value by dealing with more advanced threats and by utilizing complex data science.
- Foster AI-friendly policy environments: Support open and fair markets, ensure the free flow of data, create workable privacy and access to data regimes, and promote greater regulatory alignment and common practices/standards across jurisdictions.
The effort to establish a more secure cyberspace will require improvements in many areas, from improvements in technology, to government policy, to industry standards. Creating a cybersecurity workforce that has the capacity and capability to do the job should remain a focal point of this process. Ensuring that we leverage the tools we already have available to us today to enhance our defenses needs to be a similarly critical component of our approach.