March 28, 2019
Mind the gap.
If you’ve ever travelled on the London underground, you will be familiar with the line: “Please mind the gap between the train and the platform. Mind the gap”.
This audible phrase reminds (or warns) passengers to be mindful of the spatial gap between the station platform and the train door. The first time I heard this heavily British-accented voice – on my first day in England – I thought to myself, “only a careless blind man wouldn’t see that”. As I grew into the system, I found that the Brits are pretty good at stating the obvious. Roughly a decade later, I came to realize the tremendous benefits of stating the obvious, but that’s a story for another day.
Like the train passengers, cyber security (and indeed business) leaders are a group of people who would benefit immensely from minding the cyber security talent gap. The problem is real, and the bad guys will continue to exploit this gap to their advantage until stakeholders realize how much of a problem it is. Of course, there will always be people who don’t buy into this “myth” because they simply believe that organizations with a good team of system, database, and network administrators will have their cyber security needs addressed if only these capable folks can be allowed to do cyber security as well.
Well, impossible is nothing.
Over the course of my IT and cyber security career, I have only seen this work once, and this was because those “good folks” had genuine interest and motivation to secure their organization’s information systems. In addition to that, they were well mentored and directed by a fine IT leader with a keen interest in cyber security. This resulted in an organically developed IT & cyber security team. There were gaps here and there, but they got the basics right for the most part.
On the flip side, I have also witnessed the opposite of this on more than one occasion, and the result each time was a team that took several steps in the wrong direction, thus making the task of securing organizational digital assets more difficult than beginning from ground zero.
Apathy is the enemy of cyber security, but this hardly ever manifests itself as such until a humbling cyber security breach occurs.
Now back to the matter of discourse. According to Cyberseek—a program of the National Institute of Standards and Technology (NIST)—nearly 1 in 3 available cyber security job positions is currently unfilled in the U.S. alone. As of today, its cyber security supply/demand heat map shows the total number of employed cyber security professionals in the U.S. as 746,858 while the total number of open positions stands at 285,681.
Although I always take this sort of data with a pinch of salt, my trust in NIST and everything the institute is associated with far outweighs my doubts about these numbers. Also, having struggled to hire or keep talent myself in the past, I have first-hand experience dealing with the challenges associated with this dearth of cyber security talent.
The supply/demand ratio for cyber security in the US is 2.6 compared to 5.6 for all jobs. This is pretty telling, and it’s not going to get any better if the 8th Global Information Security Workforce Study (GISWS) is anything to go by. According to this (ISC)² study, the global workforce shortage is projected to reach 1.8 million by 2022. If we assume that 1 in 3 cyber security professionals is based in the U.S., then nearly half of the projected 600,000 vacancies have already been met – going by cyberseek.org.
How can this trend be reversed? This goes back to my earlier point about how business and cyber security leaders need to start acting. As Arnold Glasow once said, one of the tests of leadership is the ability to recognize a problem before it becomes an emergency. The scarcity of cyber security talent is a problem that could very well become an emergency – especially with the Internet of Things (IoT) on the horizon – if the current trend is not arrested.
It is not all gloomy though. Every year, institutions of higher learning produce talented, bright, and hungry graduates whose zeal and energy can be leveraged to plug as much of the cyber security talent gap as possible. I have no doubt in my mind that we need not look beyond these millennials for the solution to this problem.
According to the (ISC)² study referenced earlier in this article, millennials aspiring to become cyber security practitioners were unanimous in “communicating” their wish list to their future employers as follows:
It is not too much to ask for, is it? Personally, I think the list is spot on. One ask that is surprisingly missing is “flexible working”. I’m sure this will soon make the list once these individuals start working.
Millennials with the right passion, desire and attitude will undoubtedly turn out to become fine cyber security professionals, while complacent practitioners who refuse to keep their skills current may find themselves out of a job once this army of enterprise defenders finally starts to emerge.
Firewalls, anti-virus and strong passwords used to be good enough until application-layer attacks, zero-day threats and pass-the-hash tactics showed up. Evolutions in the IT and cyber threat landscapes have caused the industry to respond with impressive technology solutions like next-generation endpoint protection, digital rights management and cloud access security brokers.
Any current cyber security practitioner that fails to keep up will be kept out.
In relative terms, there is more focus on the need to address the cyber security talent gap than on the need to close its knowledge gap. And rightly so, but this is one field that continues to evolve, so to stay in a job, today’s practitioners need to keep learning.
Suffice it to say that cyber security leaders have two gaps to mind – the cyber security talent gap, as well as its knowledge gap.