Javvad Malik is a security advocate for Alien Vault, prominent information security blogger and co-founder of Security B-Sides London. The Cyber Leader’s Network spoke to him to find out how AI and machine learning is changing cyber security, and how firms can handle the growing skills gap in info-sec whilst retaining talent.
1) WHAT WOULD YOU ANTICIPATE WOULD BE THE GREATEST CYBER SECURITY THREAT TO ORGANISATIONS WITHIN THE NEXT THREE YEARS?
It’s very difficult to predict the future, especially in cybersecurity. The threat landscape changes very rapidly, so in the coming years it’s a long way away in cybersecurity terms. You don’t know what the future holds. Just in the last few months, we’ve seen say ransomware go down in popularity, but on the flip side what scene is crypto-jacking, and mining of crypto-coins going up, especially Monero or the ones that are worth a lot. People have been turning to that. A lot of the trends or the threats when you look at criminals, they’re driven just like a normal business. They’re looking at market opportunities, where do they go up and they’re looking for reduced barriers of entry. We’re probably going to see a lot more threats that are very opportunistic, taking advantage of a lot of the mid-sized enterprises as opposed to the big banks or big companies. Instead, just taking advantage of the inherent unawareness of security, and not focusing a lot on cloud services.
2) DO YOU BELIEVE COMPANIES HAVE THE TALENT TO COMBAT THESE THREATS AND HOW WOULD YOU ENCOURAGE ORGANISATIONS TO ATTRACT THE TALENT THEY NEED?
Companies typically fall into two camps. They either have very good and mature security teams with a lot of talent, or they have hardly anyone at all. It’s normally one person who’s wearing multiple hats in technology and security happens to be one of them. It’s not that they lack the talent, I think they lack the giving the talent that they have the focus or the time to spend on security, so what they can do to address that is, firstly look to see how they can nurture or give the existing talent time to focus on security and that comes from a company cultural perspective. If from the top down, they’re worried about security they can say to their technology teams or that risk teams ,they say ‘Hey, we’re worried about security we worried about these threats, we’re worried about being taken offline by a DDoS attack’ or ‘we’re worried about someone stealing our intellectual property, can you go out and focus on this’ and that will help them adequately identify where the gaps are in their talent because it might be they have all the talent there, they’re just not focused in the right direction.
3) WHAT ARE SOME OF THE MOST COMMON CHALLENGES WHEN MANAGING AND NURTURING TALENT?
When managing and nurturing talent in security, one of the hardest things is that security tends to attract people who are attracted to solving difficult problems because I think that’s (from a technical side at least) is one of the appeals of the thing. You get complex problems and you want to work it out, and you want to go against the status quo, you want to try and say ‘Why is this being done always this way? Why isn’t it like that?’, which is a great asset to have and you know you want that inquisitive mind, which also then becomes the hardest challenge in managing that because they’re naturally going against the grain, they don’t want to conform as much, so they’re inquisitive if you’re saying this is how we do it well why are you doing it this way. Sometimes, I think that can be the challenge in, when we look at especially the technical side. It is creating an environment that encourages them or helps them flourish, without putting constraints on them because otherwise they’ll get frustrated and they look to move, so retaining the talent because of that environment becomes a challenge.
4) WHICH SKILLS ARE TYPICALLY THE HARDEST TO FIND AND WHICH WILL BE IN THE GREATEST DEMAND IN THE NEXT FEW YEARS?
At the moment, one of the skills that is hardest to find amongst good security professionals is not so much the technical side, it’s more the communication side, the risk side, the understanding the business side. It’s one thing being able to go out and find a vulnerability, or say this is wrong, it’s another skill being able to convince people that this is what we need to focus on, this what you need to spend money on, or this is how we need to go about making sure this doesn’t happen again. That’s one of the hardest skills to find at the moment, and I think going forward the skills that would be more in demand is more strategic thinking around security, it’s not just fixing what is the problem today, but saying ‘Ok how can we ensure this doesn’t happen again in the future?’, so I think having some business skills or being able to understand the company: how it operates, how it makes its money, if it’s a public company understanding what the shareholders report says, what are they committed to it, that would give you a really good understanding of what the risks are that are relevant to the company. I think in the future, we’ll see more and more need of security professionals and especially security execs to be far more wary of that, and then recommend security controls or activities based on that.
5) HOW DO YOU ANTICIPATE MACHINE LEARNING AND ROBOTICS IMPACTING CYBER SECURITY?
There’s a big surge of artificial intelligence machine-learning, fancy algorithms at the moment and there will be an impact on technologies from these. To a degree, we’re already seeing some of it, we’re seeing some security technologies adopting these capabilities within their product, so you have defensive products that use some of this to say, ‘Hey, we can eliminate false positives a lot better.’ On the on the flip side, there’s a potential for criminals to use these technologies to say ‘Okay, now we can get artificial intelligence to go do all our hacking for us’ or send all the spam emails then respond to it in a in a realistic way. Fundamentally though, I don’t think there’ll be a big change in everyone’s day-to-day job. Some of it might change, they might start looking at things in a different way, but that critical thinking will still remain, that need to assess the risk will still remain, so these are just the tools, and how the why still is there and for that we still need the people.
6) WHAT ADVICE WOULD YOU GIVE TO SOMEONE STARTING THEIR CAREER IN CYBER SECURITY?
If someone’s just starting their career, I’d say take your time and go broad. Security is a very broad discipline, there’s some very technical elements and there’s some very non-technical management elements and business elements to it, and there’s a whole breadth of things in between. Try to capture like you know as much as you can from all elements, don’t go too deep. it’s good to specialise in a part of it in the future, but for now, try to go wide and try to pick up as much as you can.
Watch the full interview here: