Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Cybersecurity Has a Talent Shortage & Non-Technical People Offer a Way Out

When I decided to get a degree in criminal justice, cybersecurity wasn’t top of mind for me. I just wanted to get justice for folks who had been wronged.

But as I learned more about the criminal justice system in the United States, it wasn’t long before I made a pivot. In my junior year in college, while working for a degree in history, I received an unpaid internship to work at a small company in New Hampshire. It was there that I got my introduction to the cybersecurity world — and it led to an epiphany.

I realized that what I learned in college about human behavior extends in the same way to any criminal — whether we’re talking about the physical or cyber worlds, a similar logic applies. Since I had always wanted a job where I could develop my analytical skills, cybersecurity was an unexpected fit.

Tapping an Untapped Talent Pool

This field can also be an unexpected fit for some of the hundreds of thousands of people who enter the job market each year, even if they graduate with degrees other than computer science. Cybersecurity suffers from a talent shortage and we’re making it worse by not tapping this reservoir of potential talent.

There’s no one-size-fits-all handbook to guide the battle against cybercriminals. Most often, it requires cybersecurity defenders to fit together different pieces of a human puzzle that will vary depending on a myriad of geographical, political, and cultural influences.

Essentially, this boils down to problem-solving on a global scale. Yet, whether it’s cybercrime or physical crime, it’s possible to read into the motivations of the threat actors and understand why they’re doing the things they do. And then, once we know that, we get closer to predicting their next steps. This is where people with finely honed analytic skills can make excellent cyber sleuths.

Clearly, it’s important to possess technical knowledge. But I think you can always teach technical skills to curious minds who enjoy a challenge. The critical thinking aspect is harder to come by. People who possess top-flight problem-solving abilities can make a difference and leverage their skills and fill the cybersecurity ranks with badly needed talent. It’s key to have skilled individuals who are capable of training and teaching these individuals.

Understanding Criminal Motivations

In terms of adversary detection, there are several variables to consider. But you don’t need to be a veritable Sherlock Holmes to understand the criminal mindset. We need people who can determine what motivates someone to commit a certain act, and subsequently identify the likely next potential actions a threat actor would conduct, whether we’re talking about a distributed denial-of-service (DDoS) attack or a home intrusion.

When it comes to deciphering criminal groups, we repeatedly find similar patterns.

Cybercriminals can often be lazy and tend to choose targets that are designated as “easier,” or simply target everyone to see what sticks. Professional cybercriminal groups develop and distribute malware on a global scale, and some groups can be very sophisticated and financially motivated. For example, advanced persistent threat (APT) groups are highly sophisticated professionals that tend to be motivated to carry out the theft of sensitive information, and sometimes, the destruction or prevention of resource access. With Russia-sponsored groups increasingly active since the Ukraine invasion, we can sometimes see both motivations simultaneously. Cyber espionage is solely motivated by information, and threat actors will go to great lengths and show extreme patience to get it. Nation-state groups arguably have the most resources at their disposal, and they can function with different motivation depending on their given objectives.

So, the process of adversary detection comes down to making logical deductions to understand how cybercriminals approach their goals. Once we know what the bad guys tend to do, then it becomes easier to detect their behavior. That’s not to dismiss the complexity of the task. Attacker detection is challenging, but not impossible.

It’s about getting that full picture of the actor, their motivations, and how they like to operate. Just like Sun Tzu said a long time ago, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

Related News

Bundestag Bungle: Political Microtargeting of Facebook Users Draws Ire

Bundestag Bungle: Political Microtargeting of Facebook Users Draws Ire

German politicians and political parties have been using data about Facebook users’ political preferences to deliver microtargeted advertisements, a watchdog…
Epidemic of Insecure Storage, Backup Devices Is a Windfall for Cybercriminals

Epidemic of Insecure Storage, Backup Devices Is a Windfall for Cybercriminals

Companies in every industry continue to leave backup and storage platforms unsecured, with more than a dozen issues, including insecure network…
The Board of Directors Will See You Now

The Board of Directors Will See You Now

For more than 15 years, the cybersecurity industry has been talking about communicating with the board of directors. It’s common…