I strongly believe that education is the foundation for empowerment and this special feature brings together two examples of exactly that within the cybersecurity space, covering both a fantastic initiative to improve literacy and insights from a Tomorrow’s Tech Today podcast special bringing to the fore the latest tips, trends and technology support with Lisa Washburn, Senior Director of Product Management at Secureworks, and all underpinned by investment in culture, process and skills too.
Firstly, let’s explore the Secureworks Cybersecurity Literacy Challenge, created in partnership with the DevPost community, where I was honoured to be a judge. This initiative was devised to help change the narrative on security, especially to promote cybersecurity as a profession, alongside building greater awareness of key principles of protection for both home and work. And the method? A super engaging quest to educate users by building a gaming or entertainment app under the criteria below – brilliant!
· Build a game or entertaining app that teaches any important cybersecurity concept in a fun and interesting way.
· Provide a URL so judges can evaluate what you’ve built.
· Create a three-minute video explaining your concept and make it publicly available to our judges on YouTube, Vimeo, or Facebook Video.
The standard and diversity of entrants was a joy to see – and a very ‘nice challenge’ to judge! The results are officially in, with the top entrants and their prize-winning submissions to help promote cybersecurity literacy now available to view in full here. A special congratulations to the winning team 🥇 Cybersecurity Escape Room, whose cloud-based security awareness training game sees players take on the role of a hacker getting their hands on sensitive information – it’s super engaging, and learning by playing and doing personified!
Special mentions too for second-placed entrant 🥈 Cysec Intern, who created a relaxed game where you learn about cybersecurity concepts through decision-making as a newly hired intern. And also to third-placed 🥉 Cypher Forest Operation Systems, whose game sees you playing as a young hacker called Six. When Six’s dad disappears, leaving behind an old Mac OS computer, you enter an immersive and mysterious story, solving puzzles within retro operating systems along the way. One for learners of all ages 😊
And there’s more! In the podcast special with Lisa Washburn, Senior Director of Product Management at Secureworks, we drill down into managing the economics of cybersecurity – or, as I like to say, foregrounding the cost of insecurity. Firstly we explore the current landscape challenges as threat vectors continually grow, converge and rapidly evolve, especially across ransomware and phishing, coupled with the rise of bad-actor collaboration and an accelerating cybercrime marketplace. Attacks can now be easily ordered as a service with alarmingly low costs of entry – for instance, you can hire a threat actor for $250 and purchase ransomware for as little as $66. Simply eye-watering!
In the latest Secureworks State of the Threat Report many insights and predictions are shared, which we discuss in depth, especially around ransomware and the next evolution in tactics: this is now anticipated to move beyond holding a company's data hostage via encryption, towards threat actors increasingly threatening to expose that data, making victims choose between paying a ransom or facing regulatory and compliance fines. A superb related webinar on this subject is now available on demand here.
Adjacent to this lies the impact on cybersecurity insurance, with ransomware now accounting for 75% of cyber insurance claims (AM Best 2021) and the ratio of losses to premiums earned at a staggering 73% (Fitch Ratings 2021). We are already seeing cyber insurance providers starting to impose stricter due diligence terms or even declining renewals, alongside introducing tightened clauses with market-wide implications, as highlighted by recent Lloyd’s of London news on coverage limitations. More of my perspectives on this are available here – and with Secureworks researchers predicting ransomware threats may simply become too cost-prohibitive for insurers to cover, this is a subject ripe for further dialogue.
Also in the podcast discussion, we afford particular focus to 4 key pillars underpinning core security challenges today, namely Resources and Training; Visibility; Data Noise, Complexity and Culture; and Security Response Activation. Linking strongly to the critical importance of the Cybersecurity Literacy Challenge described earlier, the escalating shortage of cybersecurity resources takes centre stage, coupled with having the right people in place to manage the right tools at the right time. As Lisa describes:
‘So for midsize companies, we estimate they might need between four to six full time security analysts to provide 24 x 7 security. And in the US, if we do the math, there's only enough cybersecurity workers to fill about 68% of those roles’
Lisa Washburn, Senior Director of Product Management at Secureworks
Undertaking an inventory of your people and skills resources is key. It can help identify talent gaps and where it may be appropriate to outsource specialist support, such as targeted threat hunters. But beyond this lies the criticality of planning for continual education and upskilling, including data and security literacy for those in non-tech-facing roles. This can also avoid areas of frequent misunderstanding, such as what Zero Trust really means, as explored here.
‘If we are seeking to embed a culture of shared responsibility around cybersecurity, everyday accessibility to hands on learning for every single person in the organisation is a must. And the skills imperative goes beyond technology to investment in STEAM learning – placing an equal value on skills such as emotional intelligence, empathy, problem solving and communication – this is key to help people have the confidence to apply what they have learnt and speak up when they perceive a threat, whether it turns out to be actual or not. It’s absolutely critical’
Dr Sally Eaves, CEO Aspirational Futures & Chair of Global Cyber Trust
Ensuring 360-degree threat visibility right across your organisation is also imperative, underpinned by having the right technical controls in place to detect and recognise these threats. This can be a challenge across network, cloud, identity and endpoints, especially with increasing choice: the traditional, established trust boundaries that relied on perimeter security simply no longer exist. To support this, standard cyber hygiene practices alongside preventative tools must be part of your protection arsenal – for example regular patch management, multifactor authentication and next-generation AV and intrusion prevention – all helping not only to afford a first line of defence but to move beyond reactive to proactive intelligence. As Lisa describes, ‘just because you have an alarm system in your house doesn’t mean you don’t still lock the doors’.
Today the average midsize enterprise has between 15 and 40 security controls in place, and it should perhaps come as no surprise that security staff can become overwhelmed by the sheer number of tools and the alerts these generate. Ironically, the very tools designed to reduce risk can actually increase it when the data noise cannot be filtered out to extract data value, and when the complexity of management creates gaps in access to timely and actionable security intelligence. As I describe here, sometimes less can be more!
Alongside auditing which tools you have in place, their effectiveness, visibility and integration, it is also useful to review the number of vendor relationships and invest in deeper trusted partnerships. Further, within any business it is a truism that ‘security is a team sport’, and enhanced cross-organisational coordination can make a huge difference in embedding cybersecurity by design: for example closer working between IT Ops and Sec Ops, regular communications with the procurement team, and producing standard due diligence requirements for vetting suppliers and vendors, to help ensure that partners are not opening up the organisation to further risks, however unintentionally.
Resiliency in the face of a cybersecurity attack requires planning and preparation. Does everyone in your organisation know how to respond if a breach is successfully executed? Companies must ensure that overall business continuity and resiliency plans cover security threats, including preparing and running tabletop and simulation exercises to confirm that should a breach occur, they are not only ready but they can mitigate the impact too.
Attackers get creative when trying to find a weak link – so this should also include areas that are sometimes overlooked in risk assessments, for example the targeting of social media accounts or CEO impersonation phishing attacks. So as part of the response plan, one recommendation is to periodically test employees with simulated phishing campaigns run internally and to ‘observe, then learn’ from the response. Finally, when it comes to evaluating the maturity and success of your security programme, holistic metrics matter:
‘I think the measure of success is not only looking at metrics that demonstrate potential threats that were avoided, but how quickly and effectively the programme is able to respond to and minimise the impact of any incidents’.
Lisa Washburn, Senior Director of Product Management at Secureworks
To learn more about how Secureworks helps organisations prevent, detect and respond to threats, helping customers reduce their risk, maximise ROI on existing security investments and fill their talent gaps, these case studies may be highly relevant.
In closing, it is clear that ‘winning the cyber wars’ necessitates investment across technology, culture, processes and skills, including dedicated activity to address the growing talent gaps. As demonstrated by the Secureworks Cybersecurity Literacy Challenge, the time is now to change the narrative on what a career in this sector ‘looks like’ and to broaden education and awareness too. Additionally, it is imperative to change the narrative on the cost of security to one that focuses on the opposite – the cost of insecurity.
Today, the ability to demonstrate security due diligence is something that can actually differentiate a company in the eyes of its prospective customers, partners and investors. Let’s reframe the conversation beyond cybersecurity as a necessary spend cost, to one of a business and value enabler.
Dr. Sally Eaves is a highly experienced chief technology officer, professor in advanced technologies, and a Global Strategic Advisor on digital transformation specializing in the application of emergent technologies, notably AI, 5G, cloud, security, and IoT disciplines, for business and IT transformation, alongside social impact at scale.
An international keynote speaker and author, Sally was an inaugural recipient of the Frontier Technology and Social Impact award, presented at the United Nations, and has been described as the "torchbearer for ethical tech", founding Aspirational Futures to enhance inclusion, diversity, and belonging in the technology space and beyond. Sally is also the chair for the Global Cyber Trust at GFCYBER.