Challenges with Building and Maintaining Your Cybersecurity Staff

Cybersecurity Skills Gap


With constant news about breaches, attacks and incidents, it should not come as a surprise that cybersecurity skills are heavily in demand. Yet even with the persistent need for these skills, there is a perpetual deficit of qualified candidates. CMI’s CTO, John Wondolowski, wrote about IBM’s Interconnect Conference and addressed the cybersecurity skills gap in the context of IBM’s acquisition of Resilient. Additionally, this year at the RSA Conference, ISACA discussed the cybersecurity skills gap as the first topic of their State of Cybersecurity 2017 presentation.

ISACA’s study found that only 59% of North American respondents were able to fill their open cybersecurity positions, citing a lack of qualified candidates. While a typical corporate job posting receives between 60 and 250 applicants, only 16% of North American respondents said they had received 20 or more applicants for their cybersecurity positions, and 22% said they had received fewer than five. Of the applicants, the majority (64%) were deemed unqualified, usually for lack of experience, though education and certifications were also cited as reasons.

Past reports are consistent with these findings. According to a 2015 report by Burning Glass, demand for cybersecurity workers is growing more than three times faster than the average for IT jobs, and on average these workers cost 9% more. In another 2015 report, Cisco estimated that there were one million unfilled cybersecurity jobs, and a few other sources projected the shortage to grow to between 1.5 million and 2 million jobs by 2020. To put this in perspective, as of January 2017 there were only 115,324 people holding the CISSP, one of the most recognized and requested cybersecurity certifications.

All of this is to say that you are not alone if you have encountered challenges in building and maintaining your cybersecurity staff. ISACA’s recommendations for finding and retaining talent had a common theme: minimize frustration for those employees. This is where CMI can help, by providing the expertise to identify technology that automates your cybersecurity processes, providing services to implement or validate the status of that technology, and arranging a managed service to perform the more repetitive tasks.



Blockchain: Its Future in Enterprise Information Technology

When you choose Enterprise Information Technology for your career you virtually guarantee two constants in your work life:

1. There will be a continuous inflow of new ideas and new technologies that will be important and disruptive.
2. You will be so busy with your job that finding the time to review, understand and assimilate those new ideas and technologies will be very difficult.

It is because of these two dynamics that I (along with many of my peers outside Fintech) looked at the birth and growth of Bitcoin with amusement rather than deep professional interest. However, it now seems nearly inevitable that Blockchain, the enabling technology behind Bitcoin, will be a significant disruptive technology for Enterprise IT.

More than 1,300 professionals made their way to New York City in the first week of May to attend “Consensus 2016,” a convention built around realizing the application of the Blockchain technology. This was not a gathering of fringe enthusiasts. In fact, the Governor of Delaware announced that he was directing his state to enable Blockchain applications to make it easier to do business in Delaware. Deloitte, a very large accounting firm, also used the conference to announce 5 new strategic partnerships focused on Blockchain.

Blockchain is essentially a distributed database platform holding a hardened and continuously growing list of data records: a distributed ledger of transactions. The chain consists of blocks that hold timestamped, validated transactions, and each block contains the hash of the prior block, which links the blocks together and forms the chain. That linkage is what makes the ledger tamper-evident: altering any recorded block changes its hash and breaks the link from every block that follows, so the change cannot go unnoticed by anyone who re-checks the chain. The Bitcoin application was one of financial interchange, but the platform itself is a large network of connected computers that operate together to agree on a single version of the truth, what has been called “a global trust machine.”
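The hash-linking described above, as an added illustration that is not part of the original post and not the code of any product it mentions. It builds a minimal hash-chained ledger over constructed sample transactions, shows that editing an old block breaks the link from the next block, and then shows the caveat a practitioner should keep in mind: a forger who controls a single copy can recompute every later link, so it is the many independent copies (and, in Bitcoin, the proof-of-work cost of rewriting) rather than the hash chain by itself that makes rewriting history impractical. Block layout, field names and timestamps are this example's own assumptions, not the Bitcoin wire format.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

# Previous-hash value carried by the first (genesis) block: 32 zero bytes in hex.
GENESIS_PREV_HASH = "0" * 64


@dataclass
class Block:
    index: int
    timestamp: int            # Unix seconds; fixed values below keep the demo deterministic
    transactions: List[dict]
    prev_hash: str            # hex SHA-256 of the previous block: this field is the "link"

    def digest(self) -> str:
        # Canonical JSON (sorted keys, no whitespace) so every node hashes identical bytes.
        payload = json.dumps(
            {
                "index": self.index,
                "timestamp": self.timestamp,
                "transactions": self.transactions,
                "prev_hash": self.prev_hash,
            },
            sort_keys=True,
            separators=(",", ":"),
        )
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class Ledger:
    def __init__(self) -> None:
        self.chain: List[Block] = []

    def append(self, transactions: List[dict], timestamp: int) -> Block:
        prev = self.chain[-1].digest() if self.chain else GENESIS_PREV_HASH
        block = Block(len(self.chain), timestamp, list(transactions), prev)
        self.chain.append(block)
        return block

    def tip_hash(self) -> str:
        return self.chain[-1].digest() if self.chain else GENESIS_PREV_HASH

    def verify(self) -> Optional[int]:
        """Walk the chain from the genesis block. Return None if every block's
        prev_hash equals the recomputed hash of its predecessor, otherwise the
        index of the first block whose link is broken."""
        expected_prev = GENESIS_PREV_HASH
        for i, block in enumerate(self.chain):
            if block.index != i or block.prev_hash != expected_prev:
                return i
            expected_prev = block.digest()
        return None

    def rewrite_from(self, start: int) -> None:
        """What a forger must do after editing block `start`: recompute every
        later block's prev_hash so the links line up again."""
        for i in range(start + 1, len(self.chain)):
            self.chain[i].prev_hash = self.chain[i - 1].digest()


def build_sample_ledger() -> Ledger:
    # Constructed sample data for the demo, not real transactions.
    ledger = Ledger()
    ledger.append([{"from": "alice", "to": "bob", "amount": 5}], timestamp=1462060800)
    ledger.append([{"from": "bob", "to": "carol", "amount": 2}], timestamp=1462060860)
    ledger.append([{"from": "carol", "to": "dave", "amount": 1}], timestamp=1462060920)
    return ledger


def tamper_demo() -> Optional[int]:
    """Alter a transaction in block 1 in place. Block 1 still points correctly at
    block 0, but block 2 stores the *old* hash of block 1, so verification
    fails at index 2: the edit is evident from the chain alone."""
    ledger = build_sample_ledger()
    ledger.chain[1].transactions[0]["amount"] = 200
    return ledger.verify()


def tamper_and_rewrite_demo() -> Optional[int]:
    """Same edit, but the forger also rewrites every later link. This single
    copy verifies again: a hash chain on one machine is only tamper-evident."""
    ledger = build_sample_ledger()
    ledger.chain[1].transactions[0]["amount"] = 200
    ledger.rewrite_from(1)
    return ledger.verify()


def copies_disagree() -> bool:
    """An honest node's copy and the forged copy end in different tip hashes,
    which is how a distributed network notices the rewrite."""
    honest = build_sample_ledger()
    forged = build_sample_ledger()
    forged.chain[1].transactions[0]["amount"] = 200
    forged.rewrite_from(1)
    return honest.tip_hash() != forged.tip_hash()


if __name__ == "__main__":
    print("intact chain verifies:", build_sample_ledger().verify() is None)
    print("first broken link after tamper:", tamper_demo())
    print("after forger rewrites later links:", tamper_and_rewrite_demo())
    print("honest and forged copies disagree:", copies_disagree())
```

Run it as a script: the intact chain verifies, the in-place edit is caught at block 2, the rewritten copy verifies again on its own, and only comparing it against an independent copy exposes the forgery. That last step is the part the "global trust machine" phrase refers to.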

The platform can potentially be used for any number of applications where trust and identity are vital. Deloitte’s newly announced strategic partnerships are focused mainly in financial applications but Gem, a Blockchain solutions company, is working on applications in health care such as a Patient Wellness Application, Global Patient Identification and Secure Electronic Health Records. Just this past March 2016, the nation of Estonia partnered with Guardtime, a Blockchain company, to secure and facilitate interoperability for its nationwide Electronic Health Records system.

IBM had already offered a cloud-based Blockchain service, and at the end of April it also announced a framework for running Blockchain networks. The framework is intended to let enterprises in industries such as financial services, healthcare and government conduct work on a Blockchain in compliance with the security regulations that apply to them.

Microsoft formed a partnership with a New York-based startup called R3 CEV and will lead a group of more than 40 banks (including Goldman Sachs, Citigroup, Bank of America and Morgan Stanley) in an effort to develop industry standards for Blockchain technology. The Hyperledger Project is another effort to develop standards. IBM, J.P. Morgan, CME Group, DTCC and others are contributors to that project.

It is actually exciting and interesting to see the traction that the technology is getting across different industries and the corresponding embrace from old and new technology companies.  Blockchain is certainly something to keep our eyes on as it potentially settles into the fabric of Enterprise Information Technology.

RSA Conference 2016

25 Years of RSA


The RSA Conference just wrapped up at Moscone Center in San Francisco. A record number of attendees (around 35,000) flocked to the halls, where hundreds of vendors pitched their new (and some not so new) cybersecurity products and solutions. The keynote addresses were thoughtful and helped set a few themes for the 2016 conference:

  • The cost of enterprise security as a percentage of overall enterprise IT spend (the increase has been dramatic).
  • The scarcity of Security Skills and competition for talent.
  • Cyber Education – not just in the enterprise but through society.
  • The flood of security data within the enterprise has reached the point where analytics will be a key enabler of the future.

Much has been written (and will be written) about the speeches, product announcements and idea exchanges at the conference. There certainly was a lot of discussion and debate about the pending United States vs. Apple case(s), in which law enforcement is attempting to force Apple to assist in breaking into iPhones used in criminal activity, most notably the device in the San Bernardino terrorist case. For those of us who have been in Information Technology since the initial RSA Conference twenty-five years ago, this discussion and debate is not really a new or novel topic.

The first RSA Conference was held in 1991 in Redwood Shores, where 100 attendees gathered to listen and discuss technology security. Two years later, in 1993, the NSA unveiled an encryption model that was pushed to technology vendors to adopt. That model was known as the “Clipper Chip.” (Does that ring a bell?) If you are not yet in your forties you may never have heard of the Clipper Chip, because by 1996 it had died a lonely and miserable death. The chip used the “Skipjack” encryption algorithm, developed by the NSA: a symmetric block cipher with an 80-bit key, much like DES in design. The fundamental part of the model, from the NSA’s perspective, was key escrow: each chip’s unit key was to be held in escrow by government agencies so that law enforcement, with proper court approval, could retrieve it and decrypt the target device or communications. This was the first attempt by the United States Government to get technology vendors to build a back door for decryption into their products.

Of course, private industry had the same reaction to this type of governmental approach in 1993 that it does today. Backdoors, key escrows, and forced assistance from the manufacturer are all weaknesses in encryption and security that can be leveraged by bad guys as well as good guys. This wonderful taxpayer-funded invention was never adopted. Perhaps the most surprising part of the story is that there actually were people in the NSA who believed technology vendors would embrace the idea. That sentiment quickly changed after the initial announcement and turned into an effort to force adoption on the technology vendors. The short life of the experiment tells the story: the NSA shot an air ball with that one.

RSA Conference 2016 showcased amazing new advances in technology and innovative approaches to cybersecurity. However, the basic discussions in the hallways and lounges were about the nexus of privacy, technology, private industry and government, and those conversations have not advanced much since the RSA Conference of 1994, when the Clipper Chip was being pushed.

IBM Interconnect 2016

Conference Review

The relegation to irrelevancy that has been predicted for IBM may be a bit premature. IBM is still big enough and relevant enough to draw nearly 25,000 Information Technology professionals to its annual Interconnect conference in Las Vegas. The fourth week of February is the week that IBM, IBM Partners and IBM Customers flood Las Vegas and spend the week exploring current and future capabilities in Information Technology. We are here looking at the conference through the lens of Enterprise Information Technology, and this blog is about what we are seeing so far.


One of the consistent themes so far at Interconnect is technology’s role in helping to bridge the IT security skills gap. For perspective, Enterprise Strategy Group (ESG) recently did a research study on the IT security skills gap. ESG found that 46% of organizations classify themselves as having a “problematic shortage” of security skills, up from 28% in the similar study ESG did one year ago. ESG’s 2012 study found only 24% (half of the 2016 number) classifying their situation as problematic. Beyond ESG, Burning Glass analyzed cybersecurity job postings and found that they increased by 74% from 2007 to 2013, twice the increase in ALL IT job postings over the same period. (ISC)², the organization that manages the CISSP certification, projects a 1.5 million job deficit between CISSP positions wanted and CISSP-certified professionals in 2020.


With all of that in mind, it should be no surprise that the rumors at Mandalay Bay and MGM Grand this week have been about IBM potentially acquiring Resilient Systems. Resilient Systems has built an Incident Response Platform that focuses on process automation. One way of addressing the skills shortage is to automate as much of the security work and process as possible, lowering the headcount an organization requires. In that approach, if good automation platforms and tools are available then buy them, because good, qualified security professionals are not available.


But it has not just been IBM acquisition rumors that speak to the security skills shortage. We attended a roadmap roundtable on the IBM QRadar SIEM this week and (without violating our NDA) we can report that most of the features and functionality currently being worked on and planned for the QRadar platform revolve around automation and integration of security tools that will relieve workload and increase the effectiveness of existing staff. While QRadar is in an industry leadership position for SIEM, this trend is not unique to IBM.


One takeaway from the crowded and vast hallways of the Mandalay Bay and MGM Grand conference centers is that the security vendors may be able to make the biggest positive impact in closing the security skills gap for Enterprise Information Technology.