Founder and CEO of CyberVista, Simone Petrella, highlights the disconnect between employers providing training and resources for remote workers to avoid cyber risks.
During the pandemic, businesses have been forced to accept remote work as the standard, which in turn has directly led to an increase in cybersecurity issues. As noted in IBM Security's 2020 Cost of a Data Breach, 70% of organizations that required remote work as a result of COVID-19 said that it would increase the cost of a data breach, and 76% said it would increase the time to identify and contain a potential data breach.
Focusing on solutions for the cybersecurity industry moving forward, Simone Petrella, founder and CEO of CyberVista, is transforming today's workforce to meet tomorrow's cybersecurity challenges. CyberVista is strengthening organizations and providing cybersecurity professionals with the knowledge and skills needed to drive defense. With more than a decade of cybersecurity experience as a contractor for the Department of Defense and a senior associate at Booz Allen Hamilton before creating CyberVista, Petrella offers expert insight on how executives of companies can step up to meet the challenges of hiring and training cybersecurity employees to protect themselves and the business as a whole.
Know Thy Enemy: Raising Cybersecurity Awareness
It's hard to know when or if your company would be the target of cybercrime or ransomware. However, it will be more expensive and time-consuming to put out the fire than to prepare for the worst. Although the remote workforce is more susceptible to attacks without secure networks, employers have the opportunity to take charge and empower their employees to learn best protection practices. Understanding who carries out hacking or cybersecurity attacks, and where those attacks originate, can shape the procedures and processes a business enacts to enforce cyber-safe practices for internal operations.
During her time at the DoD, Petrella recognized that while most of their clients worked within a traditional mindset of focusing more on what had already happened instead of who caused it, there was still an essential element left out of the equation. By infusing a different, human-centered perspective into their work, she was able to help discover the motivations and level of sophistication of the human attackers as a critical piece to defense and policy prioritization for determining the vulnerabilities of a company's security system.
"The cybersecurity field has since evolved into a new profession with a workforce and leadership that evinced the need for a comprehensive and contextual understanding of the who, what, where, when, and why of threats," says Petrella. She also points out that alongside context, adopting a cybersecurity framework only goes so far, while implementing standard safe practices into the company culture could save valuable resources of time, money, and effort.
Confronting Cybersecurity Strategy
Having normalized the reliance on internet-connected devices like phones, tablets, thermostats, and fitness devices, many people assume that the data they share using those devices is secure. As most employees have open access to a company's information and regularly save passwords on computer keychains, this makes the individual more susceptible to phishing, ransomware, and cybersecurity attacks, which have only increased from international sources as the global economy continues to fight for power. But suitable security measures are only effective if a company has diligent cybersecurity professionals, technology, and practices in place behind the scenes to ensure that everything is executed and functions cohesively.
"The reality of cybersecurity in today's world is that it is more multidisciplinary than ever," stated Petrella in a New America article. "Effective cyber operations require coordination and integration between disciplines like vulnerability management, threat intelligence, security operations, forensics, malware analysis, and incident response. And beyond that, executives need to make informed business decisions - whether legal, policy or investment - based on the cyber risks to their enterprises."
Consider that to manage cybersecurity threats and protect against ransomware, especially in a remote environment where employees are working from home, companies have to have technologies that enable them to monitor network traffic and processes that allow them to understand what's happening in their network. Above all, the success of these technologies and processes is contingent upon competent people implementing them and analyzing their output. The real issue for the industry is that until hiring teams change how they approach hiring and training threat and security analysts, the cybersecurity workforce of nearly 2 million will continue to have unfilled positions.
Building up from the Baseline
Adapting to changes in the industry and the international climate can lead to companies jumping headfirst into purchasing cybersecurity technology to solve their problems. Petrella takes the firm stance that the bulk of adaptation should be applied by employers, whose largest asset, and expense, is their employees. Executives need to take the lead to build a pathway of better hiring practices by identifying their actual needs, proactively screening junior candidates for their big-picture perspective, and providing comprehensive training so that hires can grow into roles, rather than paying a premium for a particular skill or literacy in a specific tool.
Automation in cybersecurity indicates a shift in the skill requirements and the complexity that companies are ultimately looking for. Similar to how people initially feared ATMs would replace bank tellers and wipe out entry-level jobs because they were manual skills that became automated, cybersecurity is also an industry that makes people think technology will replace humans. However, the introduction of ATMs actually had the net effect of increasing demand for tellers as banks were able to open new branches. Similarly, the more AI and machine learning technologies are integrated into cybersecurity, the more the industry needs qualified people who have an even more sophisticated skill set to synthesize all the information that's getting processed and expand the growth opportunities.
"The biggest misconception in cybersecurity is that everything changes so fast," Petrella said in an interview for Expert Insights. "The truth is, it doesn't! The principles are the same principles around how data is stored, how it transmits. You can build different tools and technologies around how that's handled, but you're still dealing with the same principles of computing, technology, and security."
Training organizations, CyberVista included, are eager to develop, build, and deliver courses and programs that meet definable job requirements if companies can't do it themselves. And it's no surprise they can't: the landscape is fragmented and confusing. There are 217 universities accredited as NSA Centers of Academic Excellence in Cyber Defense, another 58 dedicated to Cyber Offense, and more than 85 cybersecurity-related certifications, ranging from the foundational to the highly specialized. Instead of focusing on literally hundreds of disparate training options with subjective results, companies should focus on investing in programs and initiatives that allow them to measurably demonstrate the level of skill in their teams and show where training has led to improvement in upskilling employees to meet the business's needs.
Meeting Future Needs
Companies are evolving to meet future needs, with emerging zero-trust policies and secure VPNs for their remote workforce. They can, and should, invest in their employees' continued learning and skill development while saving money on expensive recruiting efforts. Employers are uniquely situated to articulate the knowledge, skills, and abilities most needed in their cybersecurity roles, and identifying the right raw talent allows the industry to reimagine cybersecurity as a profession with lateral and vertical career paths. By focusing on hiring for broadly applicable soft skills and training for job-specific technical skills, companies could attract and retain more cybersecurity talent with a diversity of thought, experiences, and perspectives.
"The theory, the principles, and the context matters," Petrella says. "The tools and the vendors are going to change. But the foundations will always stay the same."