Chris Gray, Vericlave’s Chief Revenue Officer, was watching television with his wife about 20 years ago when an Amazon.com commercial came on. That’s exactly when the West Point graduate and former U.S. Army captain found his new calling. If people like Jeff Bezos were going to invest millions of dollars on the internet in the early 1990s, someone would be needed to police it. But after two decades on the job defending military systems, other government entities and clients in the financial, technology and professional service industries, the job isn’t getting any easier.
The Richest Targets
Organizations, especially those with legacy systems — healthcare, government and critical infrastructure — are rich targets because they possess critical data and often cannot consistently address security issues due to technical limitations, limited budgets, overtasked resources and the inability to take their critical computing environments through the significant downtime required to perform needed updates. Many of their platforms, although aging and rife with potential security flaws, absolutely work — and the money to replace them just isn’t there. In many cases, these older networks do continue to evolve, often converging with newer platforms and application services, but the security concerns actually become more pronounced due to the merging of generationally different operating systems, APIs and protocols.
Compliance – Security Friend or Foe?
Many of the organizations faced with these issues operate under stringent compliance obligations that, by the nature of their requirements, do provide enhanced security and environmental resilience capabilities. Even with this in mind, IT platforms, and the commonly converged OT versions, are being pushed toward advancements such as cloud enablement, platform/infrastructure/software as a service and outsourcing. These business methodologies, while certainly cost-effective and beneficial, exacerbate the security issues. Companies had not fixed their problems before they brought in outsiders, and things rarely get much better once they expand. These issues, whether due to native flaws, insecure practices, incompletely converged technologies or distributed operations, create a world that is ripe for malicious users to thrive.
On-the-Job Training Is Key
These issues point toward the need for skilled security operators who can detect and respond to their adversaries. Finding these professionals, however, proves very difficult for many organizations. The first issue is often one that we are all familiar with – experience versus cost. You need to have a job to get the experience that you need to get the job, but you can’t get the experience until you’ve already had the job. There’s just not a lot of room for people to be able to walk in and say, ‘I don’t know any of this. Help me out.’ Given the sense of urgency that most companies face, they are unwilling to hire anyone who cannot be immediately useful. These organizations understand that security professionals are very expensive, stretching limited budgets, and they do not feel that they can hire junior resources and provide the on-the-job training needed to make them fully effective.
The Role Technology Plays, Both Good and Bad
Cybersecurity Ventures projects 3.5 million computer defense jobs will be unfilled by the end of 2021. The bottom line is that technology is outpacing the people. And that’s true on the bad side, too. Hackers are able to take advantage of technology at the same rate that the good guys are. Technological advancements, including industry buzz topics such as SOAR (security orchestration, automation and response), machine learning, artificial intelligence and others, enable fewer personnel to have a greater effect. These technologies, however, are in many cases in their infancy, from both an industry acceptance and a knowledge perspective. To keep up with the adversarial advantage, organizations must understand that they, too, must learn to move at the speed of the machines. Again, cost, limited resources and timing constraints make these efforts very difficult.
Opportunities to Educate
Academia is taking steps to help fill the personnel shortage. Just last year, Marquette University in Milwaukee was recognized by the Department of Homeland Defense for its work in cyber defense. Marquette currently is the only accredited university in the country to offer an information assurance and cyber defense program at the master’s level.
However, it might not take a whole lot of student loans to beef up domestic cybersecurity. Learning platforms such as the Cisco academies were more commonly promoted in years past. Learners as young as middle school were given access to the platforms and skills needed for a competitive workforce. In half a year, while being integrated into other elements of the students’ daily lives, our industry could churn out fully functional routing and switching professionals. The need for that sort of learning platform is obvious for the security industry today as well. We live in an interconnected world, and that is not going to change. Industry needs to teach increased security capability as part of basic knowledge. It is too widespread to exist as a niche skillset any longer. I hope that opportunities will present themselves throughout all educational platforms – four-year universities, community and technical colleges and physical/online trade schools for working professionals.
Standards Driving Progress
To support these efforts, standards of security performance are continually being reviewed and created. These guidelines are authored by governmental organizations such as the National Institute of Standards and Technology (NIST), state and local governments, industry organizations (such as the Payment Card Industry Security Standards Council) and professional associations.
I was in retail before the PCI (Payment Card Industry Data Security Standard) came out. Our security practices were, by today’s standards, pitiful. If a nickel spent did not directly drive toward pushing product off the shelves, it was a questionable nickel. Then PCI came along and said not only that we should do these things but also that a financial penalty would be attached if we didn’t. Our budgets increased almost immediately, and security and awareness of the issues improved almost overnight.
Know Your Network
Still, as things stand now, the talent and capability shortages are real. Organizations need to understand their risk strategy and leverage internal resources, professional services and robust technologies. Vericlave’s solution was built to prevent things from happening in the first place. We sought to provide a more proactively secure capability that allows organizations to implement layered security where it is needed. In doing so, we have enabled our clients to rapidly extend their existing networks and capabilities, enhance their overall security program and better manage the nuanced data protection needed to safeguard their assets throughout the commonly seen integrated network fabrics. We enable the development of common security baseline capabilities that allow confidence that data assets are secure.
The Vericlave Approach
Our systems are also intended to address many of the platform issues that are common in our industry. We have built a world-class capability that operates independently of inherent security issues that the client may face in their own environments, working either with or in place of existing technologies. The intention is to support program goals with ease, requiring less investment and reduced overhead, with a preventative (rather than detective or responsive) mindset intended to stop malicious activity before it can spread.
There’s already a shortage issue now, but it’s one Vericlave is ready for with an array of hardware and software network protection options as well as security expertise.