As the lines converge between IT (information technology) and OT (operational technology), critical infrastructure (CI) systems once perceived as insulated from cyberthreats are coming under attack. In addition, the security controls commonly used to defend IT networks often don’t apply to or interact with OT environments, and rely on people-power to fill the gap. Unfortunately, skilled cybersecurity professionals are in short supply amidst high demand for their talent. This new reality hits organizations responsible for the safety, health, and economic stability of our communities with a one-two punch: they are highly vulnerable to cyberattacks and, at the same time, are facing a dire shortage of skilled cybersecurity professionals.
The (ISC)² Foundation’s “Global Information Security Workforce Study” (GISWS) predicts that the information security workforce shortfall will reach 1.5 million by 2020. An alarming statistic in and of itself, this deficit magnifies the risk and potential impact of a cyberattack on our vital services. With an understaffed security team, CI systems are checked less often, fewer security controls can be managed, and a single incident could overwhelm staff and lead to severe outages. The December 2015 hack of Ukraine’s electrical grid is a prime example of the risks. Attackers overwrote firmware on SCADA devices at 16 substations at the Prykarpattyaoblenergo Control Center, leaving more than 230,000 residents without power for the next 6 hours. The incident is an ominous testament to the cyber risk posed to CI.
In order to combat cyberthreats with the capacity to strike out where organizations and the communities they serve are most vulnerable, CI needs to take charge in closing the cybersecurity skills gap.
There is an acute need to scale up the size and skill level of the cybersecurity workforce to address these looming cyberthreats. CI organizations looking to attract and develop their cybersecurity workforce need a multifaceted, strategic approach.
1. Consider Draw of Other Industries on its Talent Pool
For those seeking stable employment in a lucrative field, information security offers both high compensation and opportunities for growth. According to Gartner, global information security spending will reach USD 81.6 billion in 2016. This growth is expected to accelerate in the next 5 years with USD 1 trillion to be spent worldwide on cybersecurity between 2017 and 2021, according to projections from Cybersecurity Ventures’ Q3 2016 Market Report.
If CI intends to attract top talent to take on cyberthreats, it needs to offer not only competitive compensation but also attractive packages that compete with the alternative opportunities available to sought-after cyber talent.
2. Position Intrigue of White-Hat Challenges
Protecting CI from cyberattacks is the perfect challenge for white-hat security professionals who want to define innovation in the cybersecurity industry and make a difference in protecting their communities. The CI sector often faces advanced cyberattacks carried out by state-sponsored actors or sophisticated cybercriminals who use advanced persistent threats, hybrid physical/virtual threats, and novel social engineering techniques. And CI security professionals tasked with protecting IT and OT environments will encounter the range of security challenges still emerging against the Internet of Things (IoT).
Over the next 10 years, the IoT technology class will see a rush of new devices and security processes to protect industrial control systems, remote monitoring devices, and more. These technological changes will strengthen the demand for cybersecurity leaders able to drive security innovations, and make the industry even more intriguing to security professionals who relish a new challenge.
3. Bring More Women Into the Fold
Female professionals are vastly underrepresented in the global cybersecurity workforce, comprising only 10% of those employed in the field, according to a 2015 (ISC)² report. On the other hand, women have largely closed the gap with men with respect to undergraduate degrees in computer science and engineering, and they hold a higher concentration of advanced degrees in these areas than men.
Recruiting efforts should look to this untapped pool of STEM-degree talent that has not been drawn to careers in information security. Reversing this trend will require a consolidated approach from CI and industries across the board. But the long-term, dedicated effort to recruit and boost retention among female cybersecurity professionals is an investment from which CI could reap benefits far into the future.
4. Diversify Sought Skills
Innovation and creative problem-solving are necessary to unravel the unique cybersecurity challenges facing CI industries, and innovation thrives in an environment that encourages diversity of thought and collaboration. Astute managers in information security, and arguably in almost any technical field, understand the importance of building a well-rounded team that can bring diverse ideas and communicate well. Expanding the cybersecurity candidate pool to include those who bring product and project management skills, communications, and organizational management will support innovation to fight new threats.
Cyberattackers are nothing if not adaptive. They will find and harness new opportunities to exploit security weaknesses; fine-tune attack sophistication; and jump at the chance for financial gain, notoriety, or to create chaos.
Ultimately, the ability to defend organizations that are the backbone of the security, economic function, and health of communities against an onslaught of cyberattacks will be directly tied to the development of a motivated and adaptive cybersecurity workforce.
Michelle Johnson Cobb is vice president of worldwide marketing for Skybox Security, a global company in cybersecurity analytics. She helps to lead the company’s growth in more than 50 countries. For more than 15 years, Cobb has held executive roles in computer security, networking, and enterprise software companies, including McAfee, Tumbleweed Communications, and several startups. She received her MBA with high distinction from the University of Michigan Ross School of Business and a bachelor of science in computer science also from the University of Michigan.