Cybersecurity is a really interesting and challenging industry to work in, but it can be a lonely, isolated job. If you work in a large enterprise or in an MSSP/MSP like the one I do (Davichi), it can be a challenge to get buy-in for security, but this really baffles me (gladly not an issue with Davichi, but so common). We are bombarded with news article after news article about breaches that are occurring (I can remember at least three big ones over the last few weeks), but companies do not want to invest in or even talk about cybersecurity. Why? I really do not understand this in today’s society: everything is connected and online 24/7, and if that is brought down for any reason it can be detrimental to a business’s reputation.
Why is security so low on everyone's priority list? Is this our industry's fault? Are the Ghosts of Security Past to blame? (It’s getting close to Christmas and I couldn’t help but put that one in.) Is security perceived as a hindrance to getting their jobs done? “We just make their lives harder”, so why should they help us?
I believe it is definitely something that we as an industry have helped to create. We and the ones before us have cloaked our work in mystery and intrigue to, I assume, secure our place and possibly boost our own egos by being one of the few very secretive cybersecurity professionals or white hat hackers. Yes, security is a tough gig and it takes a particular type of individual to do it right, but why all the secrecy? Why not talk about the issues more openly? Why not help someone who wants to join the ranks? Will it really cause us any issues? No, I don’t think it will.
I am still learning (probably always will be) and I always try to help anyone else I can gain entry into our industry but it really seems like I am swimming against the tide. We all talk about the skill shortage and how we need to increase the number of security talent with training or find a way of bringing the talent from unusual sources, but I don’t see this occurring in the real world.
Every week I hear of people not being able to get jobs even for the most basic positions in security and some of them are really smart people with some excellent experience within IT or programming backgrounds but just lack the hands-on experience with security. Many of them have done training and are self-teaching which is great but just don’t have the on-the-job experience. I know I have said it before, but we really need to look outside of the standard cookie cut certs/experience to get people in the vacant jobs, especially as the gap grows even further.
Now back to the real topic – Why is it so hard for us to work together on cybersecurity? I feel the problem is both internal in an organisation as discussed above but it is also a problem we need to work together to resolve. Earlier in the year I wrote an article about managed services being the next target for cybercriminals (I have added a link if you missed it) and I discussed that we as an industry need to find a way to better share data on incidents and help each other to be better prepared for security incidents when they happen (Yes that is a when not an if).
Since that article, Davichi and I personally have tried to push this agenda with several talks with the likes of ACSC and the JCSC (now all part of ASD), and I feel that we received some satisfactory response from them on trying to get this type of open relationship started between industry peers to help protect Australia together (it is always hard to try to get people to see past the fact that some of us are competitors, though). ASD has also come out of the shadows during this time and clearly put their hand up to say they are here to help us better protect our businesses, not just the big end of town or critical infrastructure (I would like to say we had a hand in getting them to make that move, but I really doubt we had much to do with that).
This change in direction and coming out of the shadows is a great move that can only help Australia be stronger and more resilient to cybersecurity threats. With autonomous vehicles and IoT starting to explode we now more than ever need to put aside our differences and start to work together as a country, not just an individual organisation.
I think we can do it, but I just really don’t like that it has been more than 6 months and not much has changed. What do we need to do to get people’s attention and get them to work together? Are we going down the wrong path here? Should we forget this fantastical idea that we can all come together in this fight and make a difference? I would really like it if we could start an open conversation about this and start to get some real progress, or even set up an open session/panel to discuss how this type of thing could work and whether the rest of our industry supports this initiative.
Tell me what you all think. Let’s put this out on the table and air our opinions so that we can ensure that this time next year I am not piping on about the same problem (I think that would annoy the rest of you as much as it would me) without any progress. If that is the case I will certainly be disappointed, but I don’t want to give up on this fight, as in my opinion it is something that could make a difference.
So, tell me I am dreaming or suggest some ways we could make this work. I don't mind either way; I just want us to start talking about it and either concede defeat with this probably over-ambitious initiative or get some progress (I'm really hoping that it is the latter option).