Thursday, October 13, 2016

More about the cybersecurity skills gap

I recently presented a paper titled "Mind This Gap: Criminal Hacking and the Global Cybersecurity Skills Shortage, a Critical Analysis." The venue was Virus Bulletin, a premier event on the global cybersecurity calendar that is particularly popular among malware researchers (for the story of how "VB" achieved this status, see below).

Papers and Slides

When your proposed paper is accepted by the VB review committee, you first have to submit the paper, then deliver the high points in a 30 minute presentation at the conference, which takes place several months later. In this case, the elapsed time between paper and presentation was very helpful because it allowed me to incorporate some of the findings from my postgraduate research into my conference slides, which are available for download here: Mind This Gap.

The VB conference papers are published in an impressive 350 page printed volume. However, the conference organizers have kindly given me permission to share my paper - which is only 8 pages - here on the blog:
As you may know, I've been studying various aspects of the cybersecurity skills gap this year, and I put together a short white paper about the size of the gap:
Later this year I hope to publish the full results of my postgraduate research, which looks at some of the assumptions behind efforts to close the cybersecurity skills gap.

A note about Virus Bulletin

The origins of Virus Bulletin date back to the 1980s when the first wave of malware or malicious software started impacting computer security. Back then, the most common form of malware was the computer virus, code that is designed to self-replicate. This typically spread between computers on floppy diskettes.

People seeking knowledge about computer viruses back then had limited options. The percentage of computer users with access to any form of email was very limited and the first web server didn’t go live until 1990. Coincidentally, 1990 is the same year that the term “malware” was coined, although it took a long time for malware to supersede “computer virus” as a common umbrella term for things like worms and trojan code as well as viruses. (Even today, a lot more people put the search term “antivirus” into Google than “antimalware”.)

So, back in 1989, when a group of researchers decided to spread information about computer viruses and how to thwart them, they had to publish something on paper that was delivered through the postal service, hence the term "bulletin." The term "virus" was used because "malware" had not yet been coined. The Virus Bulletin publishers organized the first conference in 1991 and it has been held every year since then. There are some folks who have been to every VB conference (I first spoke at VB in 1994 but have only been to six in total, far fewer than some of my colleagues who already have 20-year pins.)

Monday, September 26, 2016

Email account breached? There's a website for that

Recent news that half a billion Yahoo accounts have been compromised has prompted me to again tell friends about a great website for exploring the effect of security breaches on your online accounts. The site is called: haveibeenpwned and I encourage you to explore it.

The site is run by Troy Hunt, a security researcher at Microsoft and a Microsoft MVP, as in Most Valuable Professional awardee for Developer Security (I am very familiar with the MVP designation because my good friend and fellow ESET researcher, Aryeh Goretsky, is a multiple MVP awardee - MVPs are good people!). You can read more about Troy on his very interesting blog at and there is a very clear explanation of the site at

By now you will have realized that pwned is not a typo. It is hacker slang derived from the verb pwn meaning: "to appropriate or to conquer, to gain ownership" (Wikipedia). I'm not a big fan of the term pwn because it can lend an air of coolness to illegal and unethical acts that are definitely not cool.

But I am a big fan of Troy and this site. Why? Because it is the one place I know where you can easily check if one of your accounts is compromised in a headline grabbing breach, sometimes years after the fact (something that has happened five times in less than five years to one of my accounts). Furthermore, you can sign up to be notified if a breach affects an account. For example, on May 24 of this year I received this message from haveibeenpwned:
In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data.
That arrived in my inbox more than 24 hours before I heard from LinkedIn, and it included a couple of data points that LinkedIn did not. I'm not picking on LinkedIn here - anyone who has suffered a data breach is a victim, and victim blaming is not going to deter cybercrime. Bringing swift justice to criminals is what's missing at the moment and shaming our politicians into enabling more of that is what's needed.

Now, you may have read that the Yahoo breach was state sponsored. If it was, that is also a matter for politicians to handle, and as citizens who value a free and open internet we need to urge them to act to end such activities. For more about the Yahoo breach see:

Friday, September 02, 2016

Surveys galore: cybercrime wave, government prodding, and more

One of the biggest problems with fighting cybercrime is knowing how much of it there is. If you or your organization have been a victim of cybercrime - and a recent study said that 80% of organizations have* - then you know there is too much of it. Indeed, another recent survey suggests that 69% of US adults agree their country is experiencing a wave of cybercrime.** This state of affairs has many people thinking that the government is not doing enough to fight cybercrime. How many? About 63% in a recent survey.***

And right there, in that short paragraph, you see how important it is to measure the problems you are trying to solve, whether it's "how big is that gap in the planking that's letting water into the boat?" or "how big is that gap between the number of people we need to fight cybercrime and the current supply?" That latter question has been preoccupying me a lot this year and it's a tough one to answer, but that doesn't mean we shouldn't try. After all, this gap is causing serious problems for many organizations. According to a CSIS/Intel-McAfee survey, more than 70% of enterprises had suffered losses that they attributed to a lack of skilled security professionals.

Friday, July 15, 2016

Sizing the Cybersecurity Skills Gap: A white paper

Whether you're in charge of the security of your organization’s data and systems, or working in IT security, or looking for a career, it is hard to ignore headlines like this: “One Million Cybersecurity Job Openings in 2016.” The term “cybersecurity skills gap” is now being used as shorthand for the following assertion: there are not enough people with the skills required to meet the cybersecurity needs of organizations. (You will also see cyber skills gap as a short form of cybersecurity skills gap, but some people also use cyber skills gap for the broader lack of people with skills like coding, networking, etc., so I often use cybersecurity skills to avoid ambiguity.)

But is this gap real? Is the million missing people claim true? The security industry has a shaky record when it comes to numbers, something I talked about at Virus Bulletin last year in the context of cybercrime (see paper and video of session here). At this year's Virus Bulletin in Denver I will be presenting a paper about efforts to address the cybersecurity skills gap. I am also studying aspects of the problem for my MSc dissertation (see CISO Survey).

In the midst of all this work I accumulated some observations about the size of the cyber skills gap and wrote them up in my spare time, in the form of a paper titled Sizing the Cyber Skills Gap. I hope folks find this useful.

Monday, July 11, 2016

The Effective CISO Survey: A call for participation


Are you a CISO? Do you work for or with a CISO?

If you answered yes to any of those questions, please consider taking the 12 minute survey I am conducting for my MSc in Security and Risk Management at the University of Leicester in England. Your participation would be greatly appreciated and you can get an early copy of the resulting report. To get right to it, the survey starts here:
Why am I doing this? To find answers to this question: What do you need to be an effective Chief Information Security Officer? This is the subject of my dissertation, a piece of original research about 15,000 words in length, conducted in Leicester's Criminology Department, pictured below (it may look like Hogwarts, but it ranks among the world's top universities).

University of Leicester, Department of Criminology
(I kid you not, I took this myself on my first visit)
The question about what it takes to be an effective CISO is not merely academic, it is also of immediate practical importance. Right now, under-staffed crews of information security folks are struggling to hold the line against criminal activity in cyberspace. And there are not enough people in the education and employment pipeline to fill all of the open defensive positions.

This situation is referred to as the "cyber skills gap" and later this month I will be releasing a white paper in which I examine the claim that there are one million unfilled cybersecurity positions globally (there will be a link on this page). In the US alone the gap could be as big as 200,000. This situation, which has been building for some time, has caused many countries to begin pouring money into cybersecurity education and workforce training. However, some of these funds may be wasted because there has been very little research into what a cybersecurity career is like. What does success look like? What is job satisfaction like? What personality traits are a good fit for cyber roles, and so on. On the bright side, by studying these questions we may find ways to close the skills gap and make cyberspace a safer place (hmm, I wonder if optimism is an important trait).

I decided to devote my dissertation to one small part of this cyber research gap: what it takes to do the top job, to be the person who manages information security for the organization: the CISO. My research led me to create the Effective CISO survey, which is carried out through SurveyMonkey but accessed via a website I created at, all of which has passed the university's ethics review process.

If you want further verification, or have any questions about this project at all, please email my university email account which is stcnn at, where nn = is a two digit number, the one you get when you multiply four by itself. The address is also displayed beneath the university logo at the top of the page.

So, if this survey subject is of interest to you, and you would like to get an early look at my results, and you have about 12 minutes, please consider participating at


Wednesday, June 15, 2016

20 years of CISSP, ELOFANTs and other cybersecurity acronyms

This article is about some things I don't know, and some other things that you might not know.

For example, I don't know who was the first person to pass the exam to become a Certified Information Systems Security Professional or CISSP (pronounced sisp). The CISSP website says the certification program was launched in 1994.

(That means if someone tells you they've been a CISSP for more than 25 years, and the current year is 2016, then they may be fibbing.)

I became a CISSP in May of 1996, something that I wrote about recently in an article on We Live Security: What the CISSP? 20 years as a Certified Information Systems Security Professional. The CISSP qualification has served me very well over the last 20 years, so I felt obliged to address some of the reasons some people criticize it, and did so in that article. Those criticisms notwithstanding, I would encourage anyone who meets the experience requirements for the CISSP to apply for, pass the test for, and then maintain CISSP certification (you need to earn continuing education credits every year to stay certified).

The place to start learning about CISSP is the website of the issuing body, the International Information Systems Security Certification Consortium. This non-profit organization is known as (ISC)2 which is pronounced “I-S-C-squared” because the name contains two each of those three letters, which is cute but sometimes a pain for typographers and search engines.

Another cybersecurity acronym that's been on my mind lately is CISO, as in Chief Information Security Officer, a title often used to designate the person most directly responsible for the organization's information system security. I am studying CISOs as part of my studies at the University of Leicester. I will soon be launching a survey on the subject (that I will link here when it goes online).

Of course, a lot of CISOs have certifications from (ISC)2 and that reminds me of something else I don't know, the answer to an interesting question, one that is not asked during the six-hour CISSP exam: Is (ISC)2 an acronym?

Seriously, I don't know the answer, but speaking of acronyms and unknowns, I coined an acronym for an unknown a few weeks ago: ELOFANT. Those letters stand for Employee Left Or Fired, Access Not Terminated. (Those letters also account for the image at the top of the article.) I wrote about ELOFANTs here.

The point of coining this acronym was to draw attention to the fact that one of the biggest risks to company networks and data is people who have departed the organization but still have access to some or all of its data: ELOFANTs. Here are a few data points to back that up:
ELOFANTs are not a new problem, but these days they may be a bigger problem than in the past thanks to the proliferation of apps that companies use, particularly cloud-based sharing and collaboration apps, credentials for which might not be centrally tracked like corporate network access usually is. So let me leave you with a couple of questions to which your organization's CISOs should know the answer: how do you determine what access to the organization's data a departing employee has, and how do you revoke it?
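One way a CISO's team can start answering those two questions for an app that sits outside central identity management is to reconcile the app's own user export against the HR list of departures. The script below is an added illustration, not code from the original post; the column names and the CSV rows are constructed assumptions standing in for a real HR export and a real cloud-app user export.

```python
"""
ELOFANT check: flag accounts in an app's user export that belong to
departed employees and are still active. All data below is constructed.
"""
import csv
import io
from datetime import date

# Constructed HR export of departures (assumed columns).
HR_DEPARTURES = """employee_email,last_day
alice@example.com,2016-05-31
bob@example.com,2016-06-15
"""

# Constructed export from a cloud sharing app that is not tied to
# corporate SSO, so it keeps its own user list (assumed columns).
APP_USERS = """user,status,last_login
Alice@Example.com,active,2016-06-20
bob@example.com,suspended,2016-06-10
carol@example.com,active,2016-06-21
"""

REPORT_DATE = date(2016, 7, 1)  # assumed date the review is run


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_elofants(hr_csv, app_csv, app_name, today=REPORT_DATE):
    """Return still-active app accounts whose owner has left, with how long
    the access has outlived the employment and whether it was used since."""
    departed = {r["employee_email"].strip().lower(): date.fromisoformat(r["last_day"])
                for r in load_rows(hr_csv)}
    findings = []
    for row in load_rows(app_csv):
        email = row["user"].strip().lower()   # app exports often differ in case
        if email in departed and row["status"].lower() == "active":
            last_day = departed[email]
            findings.append({
                "app": app_name,
                "user": email,
                "days_since_departure": (today - last_day).days,
                # a login after the last day is the signal worth investigating first
                "login_after_departure": date.fromisoformat(row["last_login"]) > last_day,
            })
    return findings


if __name__ == "__main__":
    for finding in find_elofants(HR_DEPARTURES, APP_USERS, "filesharer"):
        print(finding)
```

Running the same function over each app's export in turn gives a per-app answer to "what access does this departed person still have", and the `days_since_departure` figure shows how long the revocation step has been missed.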