Did you know that the US Department of Commerce estimates that there are around 350,000 cyber security jobs that are currently unfilled and that by 2021 there will be over three and a half million cyber security jobs unfilled globally?
At the same time, hackers are getting smarter with AI based tools. What does that mean for our businesses? And how do we tackle this?
Let's find out. My guest today is Matthew Rosenquist. He is an expert and influencer in cyber security with over 30 years of experience. He speaks globally on cyber security topics and is here today to help us investigate the cyber security skills gap, along with the rise of AI based threats. Let's dive in.
Matthew, before we get into the meat of the conversation, can you give us a little bit more information about your background?
Yeah, absolutely. I've been doing security for about 30 years. I spent about 24 years with Intel in a variety of different roles. I justified and built Intel's first 24x7 Security Operation Center. I landed Intel's cyber crisis emergency response, and I was Intel's incident commander. I worked on the product side to help figure out and balance security controls.
I've done security strategy and as part of my role and influence with that organization, I've actually consulted and advised Fortune 100 companies, academia all over the world, and even governments all over the globe in regards to cyber security best practices, emerging threats, things of that sort.
I’ve had a great career diving into all sorts of different challenges, whether it be metrics or best practices, or evaluating threats or working with anti-malware companies and whatnot.
It’s exciting to have you here today. I'm interested to know some things that have really inspired you to be in cyber security.
As we go through this digital revolution, right, where everything is being connected and being changed into bits and bytes and flowing over the internet and other networks, we are gaining such great benefit. Technology like that connects and enriches people's lives, all over the globe.
But with it comes an equitable amount of risk. So, the more we rely on it, and the more we empower technology like this, the more it can potentially be used against us. And there's all sorts of interesting adversaries out there that are looking to take advantage of that.
Technology is a wonderful thing. Innovation is a wonderful thing and can bring so many great things. But many times, we don't realize the risks until something bad really happens. We are accelerating so fast in the industry right now. You know, you're looking at autonomous vehicles and electronic voting and, and people get all their news and communication online.
All of that can be manipulated or used against us. So, I find it just a tantalizing subject, that we are in the midst of this revolution.
We’re not paying enough respect to the emerging risks. It's definitely a field that needs more attention, and we don't want to be victimized because we want the benefits but not really the negative impacts.
I agree. It's hard for just the general population to keep up with the pace of change. And even looking back 10 years now, if we were to look at 2009, some of the things that are happening are magical, right?
If you were to tell yourself 10 years ago, that when you went to Google, it would just know what you wanted to search for after you typed in two words, your present self wouldn’t believe it.
You’ve hit on my next topic, which was to ask you what are some of the things that keep you up at night?
Oh, that's easy, right? It's the unknown.
Part of my role as a strategist is to look forward. I do predictions in the industry, and I look at emerging threats, emerging attackers, and the methods that they use and the targets that they're likely going to go after.
So we kind of look at all that and how technology evolves and guess how the bad guys are going to take advantage of it to the detriment of the rest of us.
We start seeing some interesting challenges. Today, we're worried about things like privacy, which is hugely important. Tomorrow, and the next day, and the next year, that's going to be amplified because without privacy, we lose liberty. We lose a lot of our freedoms.
Look at the autonomous vehicles that everybody is just craving for. I'm craving for them, and I'm sure you are as well.
You can get in the car and let it take you where you need to go. It’s not only cars, it's planes and trucks, and buses and things of that sort. Then expand that to industrial control centers and critical infrastructure. When you extend out the actual control surface, now you're introducing something that we've never seen really before.
And that's life safety risks. If we go back 10 years and think about that dreaded blue screen of death, you may have lost part of a document you were working on or a connection, and you would have yelled a few obscenities, rebooted your system, and off you went.
If we look in the future and you're in your autonomous car and you're going down the freeway at 70 miles an hour, or even more, and now, something bad happens. Somebody hacks the car or the blue screen of death appears in this scenario.
That blue screen of death is no longer just figurative. It could be literal. It could be you and your family; it could be a pedestrian; the vehicle could go out of control very easily if it gets hacked. Or all the vehicles on the road could get hacked all at once.
And some really bad things, life safety things, can be impacted. This is also true for critical infrastructure with electricity or manufacturing or chemical plants. You name it; there can be all sorts of terrible, devastating things that we've just never even had insights to.
Nobody's even talked about it. We're worried right now about the data breaches and maybe our credit card getting violated. There are much bigger risks on the horizon that we're not even talking about.
Definitely scary when you put it into that context.
Let's come back to a little bit of the past. How did you find yourself in cyber security?
I actually started in the physical security world. I started doing investigations typically for things like theft, fraud, and embezzlement. I was looking at people making very bad choices and committing crimes.
I was doing those investigations and surveillance. So that started me on this path over 30 years ago now, and I got to learn from some of the best in the industry.
It was just a natural intersection to take the behavioral threats and the technology and apply the processes that interlaced those to start building a picture that is very relevant to the cyber security world.
Today, I'm seeing a little bit more of this Chief Security Officer role actually encompassing both the physical and the cyber aspects.
We actually talked about this in the industry about three or four years ago. I did a keynote at ISC West, which is one of North America's biggest physical security conferences.
We talked about how the physical and cyber security worlds are starting to come together. And there's more and more overlap every single year.
If you think about security cameras, they were traditionally not IP related. They were connected with coaxial cable and a dedicated video surveillance device that was recording it.
Back in my day, it was actually VCR tapes. Let's not go there. But you've seen a transformation. Almost all of the video cameras nowadays are IP related.
They're running all their data on IP networks. And the old cameras are gone for the most part. So, we've seen the digital revolution there, and all that data had to be secured and captured. There's a tremendous wealth of information there.
Those systems could also get hacked. We're seeing that recently now with some of the home security cameras getting hacked. And again, it just all comes full circle.
As we look at some of these current and potentially future cyber security threats, we have a major people problem in that there are big staffing challenges today, even at some of the most well-resourced organizations.
How do you see this currently impacting the industry? What's your viewpoint? And how do you see this evolving?
The staffing shortage in cyber security is huge. We've seen the numbers climb. The current estimate is that there are 3 million unfulfilled cyber security positions globally. And again, that isn't even the whole picture.
Let's pause here for a quick detour around the data that Matthew is discussing. If you'd like to see more research on this topic, you can go to isc2.org and look at their 2019 Cybersecurity Workforce Study for some really interesting data points.
You can also go to cyberseek.org. Cyber Seek has maps about where the biggest gaps are in terms of workforce roles, as well as looking at ways that you can get into the cyber security field.
I encourage you to go check that out and see how all of the data points are really showing the same thing.
We're just learning and starting to understand how cyber security flows across different organizations, and you need skill sets in many areas we're not even thinking of.
So that number is going to grow even more. When we look at surveys from companies, they're saying that they can't fill the positions that they have.
And we look at the academic side, and they're not as prepared as they need to be to be able to generate that next generation of cyber security professionals.
There are very few standards. In fact, standards are just coming out now.
So, you've got greater threats, greater technology being developed, and innovation is growing. In order to secure those technologies, you need to secure it from architecture and development, into operations.
You need more people to be able to do that. And yet, we don't have that pool of people.
The pool that's out there is growing, but essentially, if you looked at the number of available jobs and the number of available people, there's just not enough.
We’re short by 3 million people. And a lot of those positions are very, very critical. The highest criticality tends to be in the leadership positions and the highly technical positions.
How do you think we got to this staffing shortage?
Innovation is moving fast. And again, security tends to be an afterthought. We have an axiom in cyber security, right? Security's not relevant until it fails. Then it becomes relevant.
Everybody rushes to innovation and rushes to market. Security tends to take a backseat and that then becomes a problem. When something bad does happen, now you're in massive cleanup mode.
You're trying to change something that's already architected in a certain way.
We've taken a poor approach because we haven't prioritized security where it needs to be. And in many cases, it doesn't need to be the top priority, but it shouldn't be an afterthought that never really gets done either.
We haven't found that balance yet. Because of that, we're playing catch up. And in general, security is always a catch up game anyway.
The attackers always have the initiative; they decide what to attack and how to attack. Security tends to respond, and in cyber security we are several steps behind that curve.
I've noticed that security can also be like a hot potato. It's not always clear who owns security within an organization.
When we look at the CISO role, the chief information security officer, that role has evolved and will continue to evolve radically over the next probably two decades.
Originally, people thought, "Okay, the CISO is really just kind of a network security person."
No, because the perimeter has gone away. Well, alright then, maybe they're also an endpoint security person.
Well, that's important, but that isn't everything.
Now, what about the data? Okay, yes, let's evolve the CISO role to include data.
People need to understand that every organization, every department, every group within a company needs some type of security. If you go to finance, they'll say, "Hey, make sure nobody changes the numbers in my spreadsheet. Make sure the integrity is there."
If you go to HR, they say, "Make sure my data is confidential. Don't let anybody know who's working for us or find their personal information. How much money they make also needs to stay confidential."
You go to IT, and they say, "Keep our networks up, keep the database up."
The product team, they say, "Hey, make sure nobody attacks our products and brings them down."
In reality, everyone needs security. It's tough to define what role and what scope somebody has as a cyber security leader or a C-level officer within a company. It's pretty big.
Companies need a cyber security leader that can help all of the different divisions and all the different groups achieve what they want to achieve.
It's hard to find all of those skills in one person. As you mentioned, there's a shortage within the leadership, and it's not necessarily a technical person that's going to be able to encompass all of those roles.
When you look at the leadership, and managers and directors in cybersecurity, many of them have come up through the ranks through the technology side. Obviously, that is the playing field that we're all on.
When we talk about security, think of it as a two sided coin. You've got the behavioral aspects of the attackers, the users and even the developers of whatever potential application is going to be attacked.
On the other side, you have the technology that is going to be exploited.
So, we have to understand both of those sides of the coin, and a leader has to go beyond that and understand what's the value to the organization.
Security isn't a standalone concept. When you're finding that balance, you have to know what the goals are of the organization, and you should be supporting those goals.
The really successful CISOs understand the business and understand how what they do can enable and support the overall goals of the business. And that's where that balance comes in.
If you're only on the technical side, you're not going to understand the business very well. You're not going to understand the behavioral side, right?
The very best CISOs out there understand all of those and can synthesize them.
One of the biggest challenges in security today is being able to articulate ROI, which is a business goal. So many people struggle to do that, because the business value isn't necessarily inherent until you have a problem, as you mentioned earlier.
How do you communicate the value not of what just happened yesterday, but as you look forward, what you need to prepare for tomorrow?
I advise a lot of CISOs out there. One of the areas that I would say is the biggest challenge is communication, because they have to communicate upwards to the CEO, as well as the board in many cases.
They have to communicate laterally across their other C-level peers, and then they have to communicate downward in the organization.
It's tough because a lot of people don't understand the language in cyber security and don't understand risk. You have to be able to quantify risk.
Nobody ever gets to remove all risk. We wouldn't want to either, because it would be hugely expensive and just crushing to any type of use case.
Leadership skills are so important. Cyber security is not easy. It's tough, and it's grind work. You have to be able to lead an under resourced group of people and ask them to do something incredible.
You have to ask them to not just do it that day, but every day, facing unimaginable threats that are constantly evolving and changing. The bad actors may have more resources than you and may actually be smarter than your team. They may have more experience and be more savvy, and that's tough.
You've got to have the leadership skills, the communication, and then the understanding of risk.
If you can't find that person, then you have to decide how do you staff. Which roles are the most important? That's also a challenge when there's this dearth of abilities today.
In fact, organizations ask me, "How do we get the right people in?"
I tell them they have two problems.
The first problem is that they have to identify the right people and overcome the supply/demand issue, which is going to be expensive.
The second problem is that they need to keep them once they are hired, because every other organization out there is going to try and come in and grab those people.
You have to make sure that the work environment is good and that you're meeting their goals. Headhunters are constantly knocking at the door.
Another topic that intersects with this is the mental health challenges involved in cyber security, and how much it's actually impacting the current pool of cyber security experts.
It's an interesting field because you're dealing with a lot of ambiguity, and a lot of change day to day.
When I speak with new people coming into the industry, I'll tell them that no matter what job you pick, that I guarantee you within 18 months, your job will have fundamentally changed.
Plus, the workload can be immense, especially when you talk about operations. When I turned on the Intel Security Operations Center, we had millions of alerts that would come into the Security Operations Center every day.
It was overwhelming. And typically, the only people that survive are the ones that are passionate about their job to begin with.
Matthew, let's shift gears to discuss the rise of AI based threats.
We're going to be talking a lot about this over probably the next two decades. It's going to be transformational.
You're going to have AI in just about every type of digital system, and you're going to have AI in security systems as well, helping manage risk.
You're also going to have AI systems being used by the bad guys to be able to be better at attacks.
Let's talk about some examples of AI based threats.
To make this a little bit more familiar, CNBC in December of 2019 came out with an article that said that automated hacking and deep fakes are going to be major cyber security threats in 2020.
One really scary example of how AI based threats could be impacting us even now is through these deep fakes.
Deep fakes are images and videos created using computers and machine learning software to make real audio and video, but they're not actually the person that it looks like. It's not really real audio and video. It's a fake, but it's indistinguishable from the real thing.
That's one example of how AI based threats could impact us starting now.
Another example is that AI can be used to automate and target hacking. So, basically a hacker gets a ton of extra firepower using these AI based threats.
For me, deep fakes are one of the scariest things that we could be facing, especially coming into this election year.
November is not too far away, and we are already starting to see these deep fake scams. Let's head back to the interview with Matthew.
We now need to have cyber security also understand the various forms of artificial intelligence, both in how to use it and seeing how it's being used against your assets.
How do we do that?
There is no quick and easy answer in anything having to do with cyber security.
There is no silver bullet. Anybody that tells you there is a silver bullet is trying to sell you something, and it's snake oil.
It comes back to fundamentals. Security is about people. It always starts with people.
The root of every attack originates from a living, breathing person. And it may be somebody who writes a piece of malware; it may be somebody who's a disgruntled employee; it may be a cyber criminal that's looking for some type of financial gain.
But there is always a person, and they are going to use whatever tools necessary to achieve their objectives.
They're motivated, and they have assets, right? For security, we tend to look at assets and protect those.
We should be looking at those attacks, and figuring out okay, out of all the possible things they could do, what are the likely things they're going to do?
People are pretty basic. We have desires, and we follow the path of least resistance to get there. We don't want the long route; we want the short, easy route.
Attackers are no different. Defenders can start looking at those behaviors and narrowing the field down. The goal is to put together a strategic capability of predicting what's going to happen, what's going to be attacked, and who's going to be attacking me?
We start to collapse the problem down and distill the types of things we need to worry about, and the type of assets that we need to be able to protect.
And that makes security more reasonable. It's still incredibly difficult even if you do all of those things.
Whether it's AI or blockchain or any of the other emerging technologies that are coming out, following those fundamentals will get us to that next logical step.
AI is a tough one simply because it allows attackers to be able to do tremendous quantities of attacks, and then learn from those in an automated way to get better.
If you're a small or medium business, and you know that you can't afford the best cyber security staff, where do you start?
You want to start with the fundamentals.
A lot of organizations don't go through that initial exercise, asking, "What do I need to protect? And what are the biggest threats that I face?"
And it might be ransomware. It might be a data breach; it might be regulatory non-compliance.
Whatever it is, you need to be able to sit down and understand what you need to protect, and in that conversation, then you can choose the best practices in the industry for your business and go and execute those.
Every organization is different. If you need a professional organization, there are many of those out there, including managed security services that will take care of everything. They can be expensive, but perhaps not as expensive as having to try and staff it yourself (if you can even find the staffing).
There's not a single playbook that's right for everybody. The first thing for all businesses is to recognize, "Yes, I'm at risk."
Many companies and organizations are still in denial. They don't understand their risk until something bad happens.
The latest metrics show that of the small and medium businesses that get hit by cyber attacks, 60% go out of business within about two years. It's astronomical.
As we look at the security economy, as I like to call it, money is at the heart of a lot of these decisions. If it's a toss up between keeping the lights on and preparing for something you don't think is going to happen, how do you make that choice?
It's tough, right? But that's really what a risk assessment is about.
Risks are future looking. It's trying to understand what are the likely impacts moving forward.
You pay car insurance. You pay home insurance or life insurance, and you hope nothing ever happens. But if it does, you understand that there's a certain benefit for that.
So, we do the same kind of thing in cyber security, and that's why we even have a rise in cyber security insurance.
For example, I was talking with a law firm, and it's a small to medium sized law firm. They wanted to understand where they were with cyber security and what they needed to do.
They weren't really worried about their website going down. They weren't even all that worried about their internal offices or their office applications going down, which would be crucial to many companies.
I asked, "What about the records of your customers, because you keep track of and you log those conversations. You have things dictated into records, and you have statements and sensitive information about your clients that you don't want out. How important is that?"
They get white in the face and admit that if that gets out, then they are out of business.
Now, we know what they need to protect. It's a much higher priority than anything else. That's when it all distilled down for them.
When we started the conversation, cyber security was this massive cloud that they couldn't quite grasp in their brain; it was just fuzzy. By the end of the conversation, they realized what was at risk.
You brought up another topic just now that I've been thinking about, which is cyber insurance.
When we talk about risks, you have a few options. You can mitigate risk. You can ignore it and just say it's not there. You can also transfer the risk, which is what cyber insurance does.
The cyber insurance industry has been growing for more than a decade, and it's still chaotic. It's still not standardized.
I've talked with a lot of insurance companies and agencies, especially about their risk calculations.
Everyone is different. You might go to one insurer, and they may send you an email and ask you 20 questions.
You may go to another insurer, and they will send a team out and spend several days with you, filling out several hundred pages of analysis before they're even going to give you a quote.
So, there is a huge amount of disparity. We've also seen insurance companies refuse to pay claims. The legal footing is not as strong because we don't have a lot of case law yet.
We don't have standard contracts out there. We don't even have standard risk assessments out there. Now, it’s a good business model, and cyber insurance has helped many, many clients recover from things like ransomware or data breaches.
But again, mileage will vary. And I always caution people to make sure that your attorney looks very closely at the contracts.
You need to have a risk professional, preferably a cyber risk professional, look at the wording to see what is covered and what is not. Losses can skyrocket, and some insurance companies don't want to pay.
You mentioned this idea of a lack of standardization and legal footing. I'm wondering what your thoughts are on where regulations are going.
There are regulations all across the board. If we're just talking about regulations in cyber insurance, I think we're going to have a few more, but right now the insurance industry is almost self-regulating itself.
I think as the industry grows, there will be more regulation in the cyber insurance industry, just like there is in other industries.
I think more of what's going to move the needle are the lawsuits and the case studies. Even the maturity level of the insurance companies themselves, they see this as a huge growth market.
They are investing and trying to get these insurance contracts in place to generate revenue. So, they are investing the resources to make this work for them.
Hopefully, it becomes a great healthy, self-regulating capitalistic environment.
What do you think the role is for academia going forward, not just for necessarily a cyber sciences degree, but also for educating the general public better about cyber risks?
I see academia as playing two primary roles.
First, we need to prepare the next generation of capable cyber security professionals across all the different domains.
They also have the ability as part of that to amplify the messages of what should be prioritized, and establish a baseline conversation among the world.
Moving forward, every CEO, every CTO and CIO, should have some knowledge and savvy when it comes to cyber security. They don't have to be an expert if they're a CEO or CTO or CIO, but they should be able to have the conversation and understand the risks.
The second part is around deep research, and AI, for example.
Most of the deep research for artificial intelligence actually is out of academia. It's out of the big universities. It's out of the high-tech institutions.
As part of deep AI research, we need academia to help make sure that AI leans more towards being configured for the side of good and used for benign and beneficial things, versus being able to be repurposed for very bad and harmful things.
Based on your experience, and where you see things going, what are the main trends that you think are going to shape the future of cyber security if you are going to distill it down to just a few?
Let's see if I can do this in under 30 seconds. How about that?
Think of dominoes falling, one into the next. We’re going to have increasingly more technology and more users, which brings more attackers into play. These attackers are motivated because they see more value; they then innovate, which means you start getting more attacks.
We have our hands tied because we don't have enough resources. There aren't enough people out there to fill some of these roles to help do critical security tasks.
We want the public to realize the bad things before they happen and get their expectations changing earlier versus later. That is part of the challenge. We’ve got some interesting few years ahead of us.
On that note, I'm going to thank you so much for being with us today.
Thank you very much for having me. It's a great conversation.
Thank you for joining us for this episode of Security Economy. See you next time.