This week, Smarter MSP continues our discussion with Dr. Nur Zincir-Heywood, a cybersecurity specialist and computer science faculty member at Dalhousie University in Halifax, Nova Scotia. Key discussion points include the specific cybersecurity challenges Canadian businesses need to pay attention to in the year ahead.
We begin the discussion with: where should we be putting our resources? MSPs, CISOs, and other security stakeholders have limited budgets but face constant threats, so we asked Heywood where she would recommend businesses spend money.
Her answer: talent. That is easier said than done, however, because of a perpetual shortage of skilled IT workers.
For instance, recent (ISC)² Cybersecurity Workforce research shows that the global cybersecurity workforce needs to grow 65 percent to defend organizations’ critical assets effectively. The shortage of cybersecurity talent is worldwide.
“We need to put resources into finding the right talent to include on our IT teams,” Heywood tells us, adding that experience isn’t the only thing enterprises should be seeking.
Cybersecurity talent can be found at all experience levels
“Finding the right people doesn’t have to mean 25 years of experience. Sometimes the right person is someone who has different expertise or the potential based on their educational background,” Heywood suggests. While AI has made significant advances from a cybersecurity standpoint, having an attentive human on a team is still the gold standard.
“We need to invest in people who are educated and interested in cybersecurity and give them a start,” Heywood emphasizes. And once an enterprise has the right team, it can make the right decisions or mitigate the bad ones.
“If you have the right people on your team, there is a better chance of minimizing human mistakes,” Heywood says.
Heywood opines that companies are making a mistake by constantly emphasizing experience in their job postings. “Training new talent is just as important as finding someone experienced, and all stakeholders need to come together to combat the talent crisis,” she advises, adding, “Companies that sell security services and products, universities and technical schools, and corporations need to work together.”
Continuing on, Heywood says, “If we invest in talent and we train the talent with the right tools and systems, there is hope as we move forward.” She also advises that bolstering the talent pool may eventually help cut down on some of the human error that leads to so many breaches.
Gender balance can help close the talent gap
Heywood is the rare woman in a field dominated by men. The gender imbalance in itself creates a cybersecurity risk because there’s a large pool of untapped talent, something Heywood believes we should work to change.
“We are losing huge talent, a big portion of our population, and we cannot get them interested in these topics,” Heywood contends. She says getting girls interested in cybersecurity starts at an early age, and youth is the time to get young women hooked on robotics, IoT, design, and systems building.
Cybersecurity threats loom for healthcare; businesses must watch for stealth hackers
Shifting gears, we asked Heywood about any Canadian-centric cybersecurity threats that are expected to emerge in 2022.
She tells us that Canada’s “unique geopolitical position” often makes it a target, but the Canadian Centre for Cyber Security is doing a great job of staying on top of threats. A recent bulletin warned:
We judge that cybercriminals are almost certainly improving their capabilities, and are very likely to attempt to target high-value Canadian organizations with large operational technology (OT) assets, including those in critical infrastructure, in search of larger ransom payments and valuable data. Cybercriminals are also increasingly likely to directly access, map, and exploit OT for extortion with custom ransomware.
The biggest threats she sees on the horizon in 2022 continue to be ransomware and the data repositories in large institutions, particularly healthcare.
“Hospitals, for instance, their main goal is to keep us healthy, not cybersecurity. These are huge institutions with money, and if you can penetrate one of these systems, it is a significant financial gain,” Heywood suggests. Hackers know this and are constantly on the prowl. So MSPs with healthcare clients in their portfolios need to be especially vigilant.
“Cybersecurity was never in the forefront of these businesses,” she adds.
Another trend Heywood says to keep an eye on is hackers who “lurk.” Sometimes just hanging out in a network as a stealth actor, gathering information, monitoring movements, and stealing data can be as harmful as a full-blown ransomware attack. “This will not go away, is that hackers are not going to be blackmailing us tomorrow, instead they will get in and stay in and stay in for the long haul,” Heywood concludes.