Security work is hard, thankless, and mundane - interview
Ransomware attacks will only worsen if companies keep focusing on check-the-box security and do not change their attitudes towards hiring cybersecurity professionals.
Cybersecurity talent is expensive and scarce, but it costs very little to be a malicious hacker. Some countries have become safe havens for threat actors, where their wrongdoing is sometimes even celebrated. Therefore, the ransomware problem will only go from bad to worse, Grant Wernick, the CEO of Fletch, said.
In October, Fletch will publicly release its first two security solutions - Workforce Risk Analysis and Emerging Cyber Threats Analysis - for free. Wernick believes in automating mundane tasks so that the most experienced and expensive people can focus on “doing the real work - protecting the organization.”
We invited Wernick to chat about some of the most pressing issues in cybersecurity - talent shortages, check-the-box security, and ransomware.
‘Recruiters are out of touch’
The cybersecurity workforce is short by around 4 million professionals. As Wernick once tweeted, 500,000 open cybersecurity jobs are offering entry-level salaries between $60K and $90K. Yet not many are jumping at this opportunity. Why?
“A lot of the job posts are not helpful at all. Recruiters are out of touch. They are putting in 5 to 7 years of a technical degree requirement. If I have 5-7 years of technical degree, I can become an engineer, making a lot more money and doing more creative stuff. Security work is hard, and it's thankless, and it's mundane a lot of the time. We need to rethink these job postings and the training programs of these companies to help bring on a new group of workers,” Wernick said.
'Mundane' is another factor here. The most tedious tasks should be automated, just like repetitive processes on a factory floor, so that people can focus on more creative and vital work. Cybersecurity should go through the same transformation and take the most mundane technical tasks off practitioners' shoulders.
“The model is broken. The model now is to buy many products, put them in the big lake, organize them yourself, come up with 500 controls or more. You are going to be building stuff for years, and you will be relying on your professional services or one person in your team who has technical skills and know-how. That's why we are in this problem,” he said.
If we found a way to make cybersecurity less technical, Wernick added, the skills shortage would become less of a problem.
“Think about intelligent thinkers with English majors and people inquisitive like journalists. If you can start asking data the right questions, and you are very good at observations being a journalist, cybersecurity becomes something intelligent people with good, inquisitive skills can do. Think about security guards, FBI agents. These people are taught to think, but they will never have those technical skills that are keeping them out of being in cybersecurity,” Wernick explained.
Check-the-box security scares the professionals away
Wernick says he has many friends who are CISOs (chief information security officers), and stress levels in cybersecurity have never been higher for them.
Another thing that wears them down is check-the-box security. Many companies are still focused not on protecting their perimeter but on satisfying compliance requirements.
According to Wernick, many companies still don't really care about cybersecurity, and security professionals do not stay with them for long.
“A company goes 'OK, I need to check these boxes so we can make sales.' They are running so hard trying to make these checkboxes, and they are not actually securing the organization. They are trying to get the penetration test needed, the documents needed so Deloitte can come in and they can audit them and say, 'you are fine.' So much of security is actually that,” Wernick said.
Many CISOs join companies hoping to actually secure the organization, but they are told there's no budget for that, only enough money to check the boxes so the company can make sales.
“It's extremely frustrating for really good CISOs. They can't be there much longer, and they have to quit. This is not good for who they are and what they set out to do. This will damage what they want to do with their career,” he said.
The importance of understanding employee behavior
This autumn, Fletch is rolling out two solutions that will be publicly accessible for free for a limited period. Emerging Cyber Threats Analysis essentially personalizes cybersecurity news for individual companies. Every morning, Fletch will deliver insights into whether a particular company is exposed to the latest malware, ransomware, or other threats reported in the media. It selects relevant news by correlating those reports with data from the vulnerability scanners and endpoint products the company already uses, to determine whether the company is actually exposed.
The other feature Fletch is rolling out is Workforce Risk Analysis. The company is partnering with products like G Suite and Microsoft 365 because that's where some of the most critical assets are hosted, and it is often the first place a bad actor starts their journey to steal data. Insider Threat Detection monitors for abnormal activity across these applications.
“Every company should make sure they have something in place to be able to quickly see the user activity of every single employee, to understand what they are downloading, where they are logging in from, is this person actually this person, or is this something pretending to be this person,” Wernick said. Once you understand the expected behavior, it gets much easier to look for unexpected behavior patterns and head the intruder off at the pass.
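The baseline-then-anomaly approach Wernick describes, as an added example that is not Fletch's product code and not from the original article. It builds a per-user profile (countries logged in from, peak daily download volume) from a constructed, simplified JSON-lines audit log, then flags three of the signals mentioned above: a login from a country the user has never used, a download volume far above the user's own peak, and two logins from different countries too close together to be the same person. The log format, field names, the `spike_factor` and `travel_window` thresholds, and the cutoff date are all assumptions for illustration; real Microsoft 365 and Google Workspace audit exports use their own schemas and would need GeoIP enrichment to supply the country field.

```python
"""Per-user behavioral baseline and anomaly detection over cloud-suite audit events.

Added example: a minimal illustration of the technique, not vendor code.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events in a hypothetical JSON-lines format. The first
# week is the user's normal routine; the last three events are the intrusion.
SAMPLE_LOG = """
{"ts": "2021-09-01T08:02:11Z", "user": "alice@example.com", "event": "login", "ip": "203.0.113.10", "country": "US"}
{"ts": "2021-09-01T08:10:00Z", "user": "alice@example.com", "event": "download", "ip": "203.0.113.10", "country": "US", "bytes": 2000000}
{"ts": "2021-09-02T08:05:41Z", "user": "alice@example.com", "event": "login", "ip": "203.0.113.10", "country": "US"}
{"ts": "2021-09-02T09:00:00Z", "user": "alice@example.com", "event": "download", "ip": "203.0.113.10", "country": "US", "bytes": 3000000}
{"ts": "2021-09-03T07:58:02Z", "user": "alice@example.com", "event": "login", "ip": "203.0.113.11", "country": "US"}
{"ts": "2021-09-03T08:30:00Z", "user": "alice@example.com", "event": "download", "ip": "203.0.113.11", "country": "US", "bytes": 2500000}
{"ts": "2021-09-10T02:14:09Z", "user": "alice@example.com", "event": "login", "ip": "198.51.100.7", "country": "RO"}
{"ts": "2021-09-10T02:20:00Z", "user": "alice@example.com", "event": "download", "ip": "198.51.100.7", "country": "RO", "bytes": 900000000}
{"ts": "2021-09-10T02:40:00Z", "user": "alice@example.com", "event": "login", "ip": "203.0.113.10", "country": "US"}
"""

# Assumed split between the learning window and the detection window.
CUTOFF = datetime(2021, 9, 8, tzinfo=timezone.utc)


def parse_events(text):
    """Parse JSON lines into dicts with an aware datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def build_baseline(events):
    """Learn, per user, the set of login countries and the peak daily download bytes."""
    countries = defaultdict(set)
    daily = defaultdict(int)  # (user, date) -> bytes downloaded that day
    for ev in events:
        if ev["event"] == "login":
            countries[ev["user"]].add(ev["country"])
        elif ev["event"] == "download":
            daily[(ev["user"], ev["ts"].date())] += ev.get("bytes", 0)
    max_daily = defaultdict(int)
    for (user, _day), total in daily.items():
        max_daily[user] = max(max_daily[user], total)
    users = set(countries) | set(max_daily)
    return {u: {"countries": countries[u], "max_daily_bytes": max_daily[u]} for u in users}


def detect(events, baseline, spike_factor=10, travel_window=timedelta(minutes=60)):
    """Compare detection-window events against the baseline and return alerts in time order."""
    alerts = []
    last_login = {}  # user -> (ts, country) of the previous login seen
    daily = defaultdict(int)
    for ev in events:
        user = ev["user"]
        # A user with no baseline gets an empty profile, so every login country is
        # "new" and any download exceeds the zero threshold: deliberately noisy
        # rather than silent for accounts we have never observed.
        profile = baseline.get(user, {"countries": set(), "max_daily_bytes": 0})
        if ev["event"] == "login":
            if ev["country"] not in profile["countries"]:
                alerts.append({"kind": "new_country", "user": user, "ts": ev["ts"],
                               "detail": f"login from {ev['country']} via {ev['ip']}"})
            prev = last_login.get(user)
            if prev and prev[1] != ev["country"] and ev["ts"] - prev[0] <= travel_window:
                alerts.append({"kind": "impossible_travel", "user": user, "ts": ev["ts"],
                               "detail": f"{prev[1]} then {ev['country']} within {ev['ts'] - prev[0]}"})
            last_login[user] = (ev["ts"], ev["country"])
        elif ev["event"] == "download":
            key = (user, ev["ts"].date())
            before = daily[key]
            daily[key] += ev.get("bytes", 0)
            threshold = spike_factor * profile["max_daily_bytes"]
            # Alert once per user per day, at the moment the threshold is crossed.
            if daily[key] > threshold and before <= threshold:
                alerts.append({"kind": "download_spike", "user": user, "ts": ev["ts"],
                               "detail": f"{daily[key]} bytes today, baseline peak {profile['max_daily_bytes']}"})
    return alerts


def analyze(log_text, cutoff=CUTOFF):
    """Learn from events before the cutoff, then hunt for anomalies at or after it."""
    events = parse_events(log_text)
    baseline = build_baseline([e for e in events if e["ts"] < cutoff])
    return detect([e for e in events if e["ts"] >= cutoff], baseline)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert['ts'].isoformat()} {alert['kind']:18} {alert['user']}: {alert['detail']}")
```

On the constructed log this raises three alerts for the same account within half an hour: a first-ever login from RO, a download roughly three hundred times the user's previous daily peak, and a US login 26 minutes after the RO one. The interesting design point is that none of the thresholds are global; each user is compared against their own history, which is what makes the "is this person actually this person" question tractable without hand-writing hundreds of rules.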