GRCIE

donate now

Category: Workforce Security

Workforce Security
March 20, 2022

ISACA State of Security Part 1

State of Cybersecurity 2021, Part 1: Global Update on Workforce Efforts, Resources and Budgets reports the results of the annual ISACA global State of Cybersecurity Survey, conducted in the fourth quarter of 2020.
We’re joined by:
  • Jenai Marinkovic, vCTO/CISO at Tiro Security and advisory board member at Beyond, and member of ISACA’s Emerging Trends Working Group
  • Jonathan Brandt, ISACA Information Security Professional Practices Lead.
The report (www.isaca.org/state-of-cybersecurity-2021) focuses on the current trends in cybersecurity workforce development, staffing and cybersecurity budgets.
The issue of cybersecurity workforce deficiencies remains unresolved, despite years of reporting on this problem from numerous resources.
By GRCIE Blog
Cloud SecurityWorkforce Security
March 20, 2022

The Growing Field of Cloud Security and What it Means to You

Now that everything is in the cloud — who’s going to secure all of that data? Cloud security is a growing field inside a field with a great shortage of talent, so if you’re curious about cyber security, the cloud is a great place to start. Join us for this panel that will include moderated questions, as well as a Q&A portion — bring your questions and your curiosity.
Jenai Marinkovic – Executive Director – GRCIE & vCTO/CISO TiroSecurity
Jenai is a multi-disciplinary technologist and strategist with 20 years of experience in architecting, building, and securing systems at scale. She has designed and operated cybersecurity capabilities in live sports, gaming and entertainment, biomedical manufacturing, laboratory diagnostics, healthcare, and robotics in agriculture. She is an expert speaker for ISACA with a special focus on emergent technology and cybersecurity futurism trends. She has run architecture, innovation, engineering, security, and operations teams. Her security expertise spans security architecture, engineering, defense, and forensics. Jenai is a founding member of the NextCISO Apprenticeship, an organization dedicated to preparing women and people of color for positions in the GRC industry while identifying and cultivating potential CISOs at the onset of their careers.
Sara Tumbarella, CISSP – Sr. Cloud Security Engineer & Information Security Manager at Foghorn Consulting
Sara is a Sr. Cloud Security Engineer & Information Security Manager at Foghorn Consulting where she helps clients secure cloud systems, automate compliance, and navigate regulatory requirements. Prior to Foghorn, she was the Information Security Manager at SRS Acquiom based in Denver. She has a passion for helping companies build information security programs from the ground up that are tailored to meet their unique needs and requirements. Sara holds an M.S in Information Systems and Security and has been awarded the following certifications: CISSP, and AWS – Security Specialty.
By GRCIE Blog
Portrait of multiracial diverse young woman smiling and looking
Security & CommunityWorkforce Security
March 20, 2022

Cybersecurity, Community and Change: How to Meet the Coming Challenge

At the end of the great World War II, no industry was more vital than American steel. The global steel demand was voracious. European and Asian cities had been devastated by the bombings and needed to rebuild while American cities were booming. Besides rebuilding, steel was needed for everything from new cars to the new interstate highways under construction.
US steel mills were there to heed the call, producing more than half the world’s steel in the late 1940s and roughly 40% of the world’s steel throughout the 1950s. Four out of every 10 Americans made their living directly or indirectly from the industry. Steel companies were at the apex of an industrial power with virtually no manufacturing rivals for decades.
However, by the 1970s, the steel industry had begun its epic collapse. The American steel industry, believing itself invulnerable, was headed by a complacent and oftentimes insular management that was slow to bring in modern technology and respond to changing market conditions. In a labor-intensive industry like steel, that meant closing mills and massive, regional layoffs.
Towns in the shadow of these shuttered mills lost over 50% of their populations, leading to a collapse in their economic base. The impacts were devastating. High unemployment and the declining tax revenues led to a crippling of the education systems. Poverty increased, urban blight crept in and there was an amplification of the social injustice laid upon communities of color. To this day, the greater Midwest suffers as a result of being hard-coded into the technical debt-ladened architectures that make it near impossible to adapt or pivot out of a downward spiral.
But what happened in the 1970s cannot be traced to a singular reason. There was no sudden disruptive event that triggered the downward trajectory of steel. Any time you see an epic collapse in any system, you need to go bigger to understand the problem.
“Any time you see an epic collapse in any system, you need to go bigger to understand the problem”
But what happened in the 1970s cannot be traced to a singular reason. There was no sudden disruptive event that triggered the downward trajectory of steel. Any time you see an epic collapse in any system, you need to go bigger to understand the problem.
When you look at things at the macro level, we start to see that what happened to the steel industry was triggered because we were moving from the second to the third wave of the industrial revolution. The First Industrial Revolution really was a revolution. It gave rise to the invention of water and steam power leading to the industrial transformation of society with trains and mechanization of manufacturing. The Second Industrial Revolution is typically seen as the period where electricity and the assembly line led to mass production and to some extent to automation. The Third Industrial revolution had everything to do with the rise of computers, the rise of robotics in manufacturing, the birth of the internet and significantly more automation. The year 1969 marked the induction to the third industrial revolution. And it was at this time — almost to the year — that, looking back, we started to see the collapse of the steel industry.
The opening decade to any revolution in industry is always marked by what we call big bang disruptions. According to Forbes, “Big bang disruptions are large-scale fast-paced innovational waves that can disrupt stable businesses very rapidly. With big bang disruption, entire product lines — whole markets — can be rapidly obliterated as customers defect en masse and flock to a product that is better, cheaper, quicker, smaller, more personalized and convenient. Disrupters can come out of nowhere and go global very rapidly. Disruption can happen so quickly and on such a large scale that it is hard to predict or defend against.”
In 2020, we entered a new wave — the Fourth Industrial Revolution. You might have already guessed the focus. We are in a time marked by the convergence of the digital, physical and biological worlds, all with the additional accelerators such as advanced robotics and cognitive-thinking systems.
We opened this decade with the first of many big bang disruptions. The pandemic triggered a wave of automation, the extent of which we may not fully understand for years to come. Other disruptions are sure to follow.
In the era after World War II, American author and journalist John Gunther proudly proclaimed that “America is steel” because, at the time, the United States alone could produce more steel than Britain, West Germany, France, Japan and Russia combined. America was indeed “steel.”
That is what cloud is now; our new world’s steel. Cloud, like steel, undergirds the very fabric of society. It strengthens and interlinks the technology in our bodies, our buildings and all creatures great and small. It underpins our digital, biological and physical worlds. And as we enter this new age of thinking systems and move into this brave new world, it is critical that we understand our past.
Cloud, like steel, undergirds the very fabric of society
Just recently, the US government awarded SpaceX the contract to build the first modern human landing system (HLS), returning Americans to the surface of the moon for the first time in nearly 50 years. This marks a dramatic step toward sustainable lunar exploration and preparation for the ultimate journey of a human-crewed mission to Mars. And, even more recently, the first commercial rockets were launched into space with “space tourists.”

Leaders and futurists have predicted that we may see the first human on Mars in the next 5-10 years, with colonization to happen soon thereafter. This is not a Star Trek futuristic visioneering exercise. We sit at the dawn of interplanetary travel, and it is critical that we as an industry understand the implications of the biggest big bang disruption in history of our planet.

And with all disruption comes opportunity. All Game of Thrones fans know that “chaos is a ladder.” Attackers are better and faster than us at adapting to, leveraging and exploiting disruption. In a future where speed and agility are defining factors, they have the edge.
One of the downfalls of the steel industry was our collective inability to come together and tackle world-changing problems with world-changing thinking. We lacked a diversity by design mindset. We failed to understand that diversity was our strength — diversity enables resilience, adaptability and scalability. Diversity forces us to think outside of the box and create the conditions where we control big bang disruptions instead of succumbing to them.
Ultimately, monocultures die. When a monoculture dies, it wipes out or cripples everything in its wake. So, why a diversity discussion when talking about space? Because cybersecurity today is a monoculture. It’s why we are failing. It’s why we are losing this war. We are the same people we were 20 years ago. We do not even have to look at gender, identity and race; it’s more than that. Our experiences are the same. We all came up through systems administration, network engineering, application development or desktop support. We have the same skills and the same ways of thinking.
If we are to protect and defend the people, companies and countries in our charge, we will need racial, gender, identity, physical and neurodiversity. We will need creative problem-solvers and divergent thinkers. The only way to think outside of the box is to apply the learnings and insights from a diverse set of collective experiences and to do what humans do best: to connect and to share these experiences, and improve upon them. It takes community to truly innovate.
So, having taken a trip through our past and gazed forward into our future, we must ask ourselves: how prepared are we to enter this new age — the dawn of the Fourth Industrial Revolution?

Like the days of steel, the infrastructure that girds our digital critical infrastructure is fragile and it’s breaking. One needs look no further than the continuous reporting of supply chain breaches and ransomware demands to understand the state of security. When a security breach prevents a large swath of the United States from getting gasoline, we have a problem. And that’s minor in comparison to what could happen.

ISACA recently released its State of Cybersecurity 2021 Part 2: Threat Landscape, Security Operations and Cybersecurity Maturity report. A big conclusion in the report is that “business as usual is not working.” The report states: “Change is ever present for cybersecurity professionals who partner daily with business leaders to meet organizational goals amid growing regulatory requirements and a threatened landscape. Much has already changed since ISACA collected this data at the end of 2020. High-profile cyber-attacks, including those affecting SolarWinds, Microsoft and Colonial Pipeline, thrust cybersecurity to the forefront for government and business leaders, prompting new regulatory changes. Undoubtedly, there will be more.”
“One of our issues is that proper security is inordinately resource-intensive”
One of our issues is that proper security is inordinately resource-intensive. Regardless of the amount of automation we have at our fingertips, it is not enough. As we have learned with previous industrial revolutions, the opening years are wrought with disruption that impacts whole communities. The difference is that today’s disruptions too often have immediate, often widespread impact.
This new wave of automation is now upon us, and this time we expect to see massive job losses inside the services sector, the exact sector that manufacturing pivoted into when their jobs disappeared.
The World Economic Forum’s Future of Jobs Report 2020 supports this. The report states that:
  • Automation, in tandem with the COVID-19 recession, created a ‘double-disruption’ scenario for workers, with technology adoption accelerating in some areas.
  • By 2025, the time spent on current tasks at work by humans and machines will be equal.
  • 85 million jobs may be displaced by a shift in the division of labor between humans and machines, while 97 million new roles could emerge.
  • Most people (77%) are ready to learn new skills or completely retrain, and 40% of workers have improved their digital skills during the pandemic.
  • Long haul trucking will be transformed as autonomous vehicles will be capable of taking all but the last mile of their trek.
While it might be exciting to think that 97 million new roles could emerge from this latest phase of the industrial revolution, we cannot ignore the fact that millions of people might be left behind. We need a new way of thinking to solve this, especially when it comes to cybersecurity. We are looking at millions of jobs opening up in security worldwide and no real plan for how to fill them.
“We are looking at millions of jobs opening up in security worldwide and no real plan for how to fill them”
Currently, we commonly do not hire people with little to no experience — “junior people” — in the cybersecurity field. Regardless of how many degrees, certificates, will or grit. It does not matter. We want people with 5–10 years of experience and a CISSP just for a junior role. Shame on us. We continue to let the ghosts of the past haunt us into the same group thinking decisions that nearly wiped out a region.
Cybersecurity professionals are working 100+ hour workweeks and killing ourselves to keep our executive leadership from having to testify in front of Congress because of problems that manifested under our jurisdiction. Yet, in this field, we resist hiring trainees.
Training a junior person takes 6–12 months before they can take work off our plates and, of course, makes us less productive in the short term. Yes, there is risk to bringing on a junior person. They do not always work out. But neither do some of the people who have had technical careers their whole life. And the investment lost is greater. We need to stop looking at people as junior, not technical enough or not experienced enough, and start looking at each person as a container of limitless potential with decades of collective experiences that will enable us to once and for all break outside the proverbial box.
Consider this: in 1966, an African-American nurse named Mary Van Brittan Brown, who spent many nights at home alone while her husband was away, and felt unsafe with high rates of crime and unresponsive police in her neighborhood, devised an early security unit for her own home. It involved a camera and a monitor to see who was outside the front door. This type of security system is now widely used in homes across the world.
There is no book we can read, no well-worn path that we can take to solve our cybersecurity staffing needs — it’s the greatest challenge of our collective lives. We will have to start from the beginning.
The answer lies in community. And we need more.

One in Tech, an ISACA Foundation

One In Tech is an organization that seeks to build a healthy digital world that is safe, secure and accessible for all. To combat barriers commonly faced by underrepresented groups, they built a suite of programs focused on children, women, people of color and those underserved socioeconomically and due to bias. Their objective is to build equity and diversity in the digital space. One In Tech provides three key programs designed to address global needs and provide programs with measurable impact:

The We Lead Tech program looks to amend the racial and cultural diversity imbalance within tech professions. The lack of diversity is incompatible with the values of the tech industry — innovation, creativity and diversity of thought. Hiring individuals who do not look, talk or think like their employers enables organizations to avoid costly pitfalls of conformity and results in more innovative thinking. ISACA collaborated with City Colleges of Chicago in the creation of this program. 

SheLeadsTech is a program that works to increase the representation of women in technology leadership roles and the tech workforce. Powered through a vast global network of women IT professionals dedicated to supporting others, SheLeadsTech provides women with mentorship, leadership training and skills training to grow and excel within that industry. This very robust program offers a number of opportunities for engagement, including the ambassador initiative, education and events, a mentorship program and a resource center.
The Young Leaders in Tech program focuses on under-resourced, disenfranchised children with the knowledge and skills to help them avoid online risks, build e-learning skills, and explore career pathways into the cybersecurity field. Young Leaders in Tech works to ensure the common barriers blocking equity are addressed so that youth will serve as the building blocks of a safe, knowledgeable, innovative and inclusive digital future. The program offers a suite of online and in-person educational initiatives for grades K-12.

The Next CISO — Building a Next Generation Cybersecurity Workforce, Diverse by Design

On a farm in Northern California, the idea was born for the NextCISO Program. Together, we partnered with Kris Rides, a cybersecurity recruitment specialist, to start an apprenticeship for people with no technical expertise to train them as Junior GRC analysts. We based it on the belief that a foundational understanding of GRC might allow someone to pivot into any other area of cybersecurity.
A foundational understanding of GRC might allow someone to pivot into any other area of cybersecurity
Working with a diverse group of people from across the country and from diverse experiences, we taught our students the fundamentals of GRC, ISO 27001, how to audit artificial intelligence and the fundamentals of design with an emphasis on human skills (soft skills). We put them on client work and, with a team of entirely junior people and one senior executive, we built an entire ISO 27001 compliant information security program. In addition to the technology aspect, it included service provider selection, security testing and assessment services, and auditing of cloud environments and defense. The duration was seven months; the pace was intense. “It would have made a drill sergeant proud,” claimed one graduate of the program.
ISACA’s State of Cybersecurity 2021 report digs into why hiring managers have low confidence in cybersecurity applicants. Interestingly, the report cited that the largest skills gap among cybersecurity professionals is soft skills — communication, flexibility and leadership — yet these are rarely considered in the hiring process. The second-largest skills gap cited was security controls implementation.
At Next CISO, we believe that part of our problem is where we’re looking for talent. Are you looking at your internal teams beyond just the IT team? Are you looking at Marketing? HR? Legal? QA? We have students from all of these experiences who have done very well in this program and will make wonderful GRC analysts. And now we are training three local people, all in front-line service jobs, into this new world of ours.
We need to start thinking differently. Not everyone needs to or should start as a SOC analyst. We all need to look at every neighbor about to lose their job to automation and ask, can you transition to infosec or an adjacent industry?
We at the local community level need to build local programs that reskill and upskill people into digital security careers. And every company that has a security workforce needs to start looking at their percentages. What if 40% of all your incoming roles were open to people with little to no experience but promising potential? How could you restructure to accommodate this change? If you are a mid-size company starting a security program, might you bring in one senior and one junior role? We think that not only you could, but you should. It can be done successfully. We proved it!
It’s time for new approaches. Remember, the Fourth Industrial Revolution is upon us.
By GRCIE Blog
Futuristic networking technology remix with woman using virtual
Workforce Security
March 20, 2020

ISACA State of Cybersecurity – Part 2

By GRCIE Blog
error: Content is protected !!