What Cyber Security Skills Are Most In Demand

A cyber security vendor could have the best product offering on the market, but salespeople and marketers still must be savvy and find a differentiator if they want to stand out, according to Marci McCarthy, CEO and president of T.E.N., an information security executive networking and relationship marketing firm. McCarthy was the guest on Monday’s Episode 65 of Task Force 7 Radio, with host, George Rettas, the president and CEO of Task Force 7 Radio and Task Force 7 technologies.

“You may have technically the best solution out there, but the reality is there's going to be 10 other folks saying the same exact thing and you might have better solution,’’ she said.

McCarthy described herself as a connector of buyers and sellers of cyber security offerings. “I get to see the buy side and the sell side of cyber security, and my whole job is really understanding the top of mind issues and then connecting those folks that are trying to do business together.”

Sales people and marketers don't understand the inner workings of some companies and as a result, “their tactics are a big turn off, or turn on, for different individuals,” McCarthy added.

Her firm specializes in information security executive (ISE) programs and dinners that bring together a targeted group of security executives who might have a vested interest in learning more about the solution provider that is the sponsor, she said. That works better than cold marketing to a CISO or other security leader, she said.

In response to a question from Rettas about the biggest challenge in the cyber security industry today, McCarthy cited three: the increasing pressure on security teams to deal with complex breaches; the changing regulatory landscape from the enactment of the GDPR in the EU; and finding and retaining cyber security talent.

Another top of mind issue is “the crowded landscape of security solution providers that are out there, and everyone's saying that they have solved the world's problems, but they really don't. And how you get through all that clutter to really find the right company and solutions that are going to really align with your business.”

Skills in short supply

The show’s second segment began with a discuss about the types of cyber security skills McCarthy sees as being in high demand and in short supply.

“What's in short supply is the security analyst type of individual as well as someone that's very knowledgeable about software security assurance … and application security. I'm seeing those two areas being the most difficult to locate.” McCarthy said a threat hunter is a newer role that is also in demand in the security operations center. A threat hunter, “is really able to cross and correlate the different threat feeds and all the different data and build conclusions on what's happening from inside and the dark web and across that horizon.”

She said that as security threats become a lot more complex, “you really need some very smart and savvy young folks that have a real appetite for correlating that data … like the James Bond of IT” who is interested in threat hunting, pulling data together and problem solving.

Rettas said he has seen “different definitions of threat hunting or just hunting in general.” Rettas said he views the skill as a manual process of looking at operating systems and identifying anomalies and behaviors in those operating systems that automation wouldn't find. Often, he said this skill is only found in the military.

A lot of these people with cybersecurity skills are not being properly utilized by an enterprise, Rettas added. “You have them doing basically supplementing tools and still getting involved in a lot of the automation and tools and running and setting up the tools that SOCs use.”

This often leads to a retention problem, Rettas said. “Corporations still think they have the leverage. They're still thinking that's how corporations and HR departments work. They have leverage over the employee,’’ he said. “That's not the case in the cyber security world, and HR departments and corporations are quickly learning that they do not have the leverage. It's the employee that has the leverage, and that's really changing the discussion.”

McCarthy agreed, and said that when T.E.N. finds an ideal candidate for a client, “one of the things we have to make sure they really, truly understand … you need to interview them within 24 hours if physically possible. You can't be going on vacation or ‘I'll get to it tomorrow’ because chances are, that threat hunter, that security analyst, that security software assurance individual, that person's going to be here today, gone tomorrow, and they're probably being courted by six other companies along the way.”

The way to retain talent is keeping them engaged, she said. While they are motivated by money, they are also looking at opportunity and what type of work will keep them interested, she added. < That is the type of engaging work that keeps people at a company, she said.

Thinking outside of the box

Companies need to think about investing in the next generation of technologists and cyber security professionals -- and they need to think outside of the box, McCarthy said. For example, she cited programs that are teaching disadvantaged individuals who have the passion, the desire and the aptitude to learn technology like front-end development, Salesforce and some cybersecurity skills, she said. McCarthy also teaches a class on how to use LinkedIn to promote themselves.

“When you give people an opportunity and a purpose out there, they're going to be a vast source of potential employees that are very loyal because they realize what … the flip of the coin is at a minimum wage type of job that's very inconsistent.”

Rettas said that about 26 percent of the cyber security workforce is comprised of minorities, and about 20 percent of the workforce is estimated to be women. He asked McCarthy what corporations can do more to attract and retain women and minorities?

“I think you've got to partner with some different organizations and make an investment here,’’ she replied, citing organizations like ICMCP, TechBridge, and Gear Up.

McCarthy said there also needs to be college campus recruiting programs. Organizations can support and underwrite those programs and have their executives appear as guest speakers and instructors to explain to students what's it like to work in cybersecurity. They should also offer students internships “so that you can ingrain them and teach them about your culture and your corporate values and train them to be what you want them to be.”

Rettas then asked McCarthy to offer some tips on how to develop soft skills and discuss the type of impact they can have within a corporate security team.

“First, what everyone needs to understand … cyber security professionals are, by nature, incredibly determined, highly intelligent, quick-thinking individuals,’’ McCarthy said. “But they're covert by nature” and don’t have “major social skills.”

Because a lot of them come from law enforcement or the military, they tend to have a “no nonsense” personality. That doesn’t translate well in the corporate world, she said.

Managers need to understand personalities and what makes employees tick, and that is how you can build loyalty to a team; by taking the time to get to know somebody.

She also suggested is that managers start meetings on time, “but have a little bit of moment where you just ask somebody how they're doing that morning or that afternoon.”

McCarthy also pointed out that not everyone will have “an external-facing type of personality … but I think you have to have some type of connection with people no matter how hard that is. And I think that you've got to really make that investment as well in emotional intelligence about yourself, as much as you're doing in terms of your technical side. That's how you're going to stand out.”

What’s on the regulatory horizon for 2019

In the show’s final segment, Rettas asked McCarthy to discuss what we can expect to see in terms of regulations and laws for 2019?

McCarthy pointed out that with a change in Congress she expects there will be a backlash against “the flagrant practices of companies like Facebook and Google.”

She said she is also seeing a “need for some rules of engagement that people can live with. I think the GDPR piece is very complex and they're going to find very difficult to implement and enforce.”

Some states, like California, are trying to pass aggressive privacy laws similar to the GDPR, McCarthy said. At the same time, “Sometimes one has to realize that the company is also a victim of some of these cyber breaches. No, ignorance not an excuse, nor is it bliss, but the company sometimes is also a victim of a nation state or organized type of attack against them.”

And on the flip side, she said, consumers need to be able to hold companies accountable for a data breach and have the right to know where their data is going and how it's being utilized.

Rettas said he’s seen reports calling for CISOs to be jailed if there is a significant cybersecurity failure, and asked McCarthy for her thoughts on that. McCarty called that “a knee-jerk reaction of Sarbanes–Oxley … where actually a CEO and a CFO can go to jail if they're defying [it].” Sending a CISO to jail because their predecessor might not have implemented the right technology, or they didn't get the support they needed is not “a good way to promote the profession or penalize the company.”

She said she believes in having financial penalties in place, but they should not put a company out of business. “There's one [bill] right now out there that will literally put a company like Equifax out of business. Now, what would that have accomplished?”

There should be reasonable guidelines put in place that a company can “digest,” McCarthy said, like HIPAA and PCI. “I don't think it's smart to have 50-plus single breach notification laws that are completely conflicting with each other, and only, at the end of the day, confuse a customer or consumer, and then really create an air of opportunity for a hacker to take advantage of the chaos.”

The ‘Task Force 7 Radio’ recap is a weekly feature on the Cyber Security Hub.

To listen to this and past episodes, click here.