The Birth of a New Cybersecurity Hole

 The cybersecurity job market is exploding as companies look to bring on new personnel—very often in newly created roles—to address the increasing complexity and severity of attacks. Below are just a few statistics from a recent CSO article that highlight this trend:

• There are currently approximately 350,000 cybersecurity job openings, a 67% increase from 2015
• The sector’s unemployment rate in 2016 was 0%, and it’s expected to remain that way until 2021
• Symantec predicts that the demand for cybersecurity talent will rise to 6 million jobs by 2019

It’s clear that the industry recognizes that cybersecurity expertise is essential in today’s heightened environment. But what good is investing in cybersecurity hires if management doesn’t take their advice?

I recently came across this Reddit thread from a cybersecurity architect expressing his frustration with a server project. You can get the background and email correspondence between him, his colleague and their boss on Reddit, but the gist is that his significant security concerns and advice were overruled in the interest of getting the project done. From an email with his boss:

Due to timing of the Insert Important Event let’s get this up and running and we will circle back about patching and hardening methods.

The thread’s comments underscore that this is far from an isolated incident. One reader explained:

If security slows down production which in turn reduces profitability, [executive management is] never going to side with IT. It's a matter of risk balancing, and if they've never experienced a security breach, they're going to take the risky route until they do.

Another agreed, saying:

Even then, if they have a security breach, there will be about six weeks of taking security seriously, before it goes back to status quo and management says "well, compared to what you're proposing, the security breach wasn't that expensive".

Perhaps the original poster put it best:

 Between the corporate buzz words and misprioritization, we can see the birth of a new cybersecurity hole that will never be closed. 

This mindset must change if companies are truly serious about protecting their most valuable assets.  Cybersecurity professionals should be included in the early stages of a project, and their input used to inform the timeline and expected deliverables. In the case of the Reddit poster, he was only contacted about the server change in the eleventh hour, at which point his suggested enhancements were deemed less important than meeting the project’s targeted completion date. Had he been consulted at the outset, it’s possible that the company could have incorporated his feedback and still turned the project around quickly.

Of course, it’s equally possible that his warnings still would have been ignored. This is the scenario that’s most troubling to me (and probably all readers with a security background!) Bringing on new cybersecurity resources is a great first step in responding to today’s security threats, but if their counsel is not heard, respected and implemented then their value is significantly reduced.

If we hope to see the situation outlined on the Reddit thread become more of an exception and less of the rule, the industry has some serious legwork to do. The demand for cybersecurity talent is well-known—now it’s time to let that talent go to work.