Who are the stakeholders in cybersecurity? How do they impact an organization?
The cybersecurity industry is expanding into an immersive conglomerate of the 21st Century and has gained global recognition as a fundamental part of national security. Initially, cybersecurity was regarded as an obligation for software engineers. As the need for digital security became more prevalent, organizations began allocating additional resources to protect digital systems. The two primary stakeholders in the cybersecurity industry are private and government entities, and each respective sector has its own unique capabilities and price tags. The government cyber element can be further subdivided into civilian and government contractors.
In the private sector, this industry has seen technology giants grow exponentially. Organizations such as Apple, Amazon, Google, and Facebook have seen record growth over the last 10 years. These organizations offer innovative technologies and services that consumers crave, most of which aren’t offered elsewhere, and are so successful that they can easily afford to hire the best and brightest computer scientists in the world. Some of the dominant accounting firms in cybersecurity include PricewaterhouseCoopers, Deloitte, EY, and KPMG. These four companies offer unique services, such as penetration testing, incident response, or IT compliance auditing. These services are frequently required for various federal government regulations, such as mandating customer data security. The cybersecurity industry has thousands of smaller organizations that specialize in a single consulting offering. Regardless of these specializations, smaller firms historically lack the quality compared to the dominant accounting firms. In June 2015, the U.S. Department of Defense issued National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” which mandates cybersecurity requirements on unclassified networks. To satisfy section 171, much of the private sector is utilized to fulfill federal requirements. Consulting firms must provide excellent services; otherwise they can be held legally accountable for not finding vulnerabilities during their assessments.
In contrast to the private sector, the federal government has struggled to maintain a sustainable cybersecurity workforce. Within the industry, we have long recognized the National Security Agency (NSA) as the dominant force in the cyber domain. This agency has some of the strictest applicant requirements, often superseding requirements set by the private sector. While one agency has continued to strive to protect classified networks, other agencies are failing at an alarming rate. One of the most apparent issues with retention in the federal cyber world is salary. The private industry pays nearly double the salary of what the federal government can afford, making retention a difficult task. Particularly within entry-level positions, federal agencies struggle to match what the private sector offers college graduates. The Departments of Defense and Homeland Security both now offer specialized pay grades to incentivize cybersecurity careers, but these incentivized pay grades are still substantially lower than those in the private sector.
Even as the federal government struggles to retain internal cyber talent, most of the cybersecurity market still originates from the federal government in the form of contracts. So when the 2015 data breach of the U.S. Office of Personnel Management (OPM) grabbed the national spotlight, it underscored the impact these staffing problems have within the federal government. Even the private sector actively seeks government contracts, typically because the U.S. government continues to invest significant resources in the cyber domain. Government contractors also have the luxury to charge a premium for their services. While day-to-day cyber operations can be accomplished in-house, specialized services (server hosting, network overhauling, incident response, or penetration testing) require unique skill sets that many federal organizations lack within their cyber divisions. Contractors are aware of this and don’t hesitate to charge accordingly.
In parallel to the great space race of a prior generation, the cybersecurity industry needs a critical boost. The painfully obvious lack of cyber talent will take years to fill. Recent pushes for science, technology, engineering, and mathematics (STEM) education could provide a stopgap for the shortage, but competent cyber skills take years to develop. In a highly dynamic landscape, this rapidly becomes a lifelong commitment. Schools are beginning to teach cybersecurity, but they barely scratch the surface of this issue. Academic institutions introduce students to rudimentary computer-science skills, but basic undergraduate educations fails to adequately prepare them for a successful career in the cybersecurity industry. Threats evolve, technology improves, and functional methods are quickly rendered obsolete. Required skills (incident response, log analysis, patch security, digital forensics, data recovery, encryption, etc.) are highly specialized and demand finesse; one analyst can only cover so much. This situation makes the most valuable asset of cybersecurity, the human mind, the most fragile ecosystem.
We would be remiss not to mention the adversaries. These range from a lone wolf flooding an emergency dispatcher with bogus 911 calls to potential nation-state actions intent on altering politics. They exert significant leverage over what we do and how we respond. The endgame of cyberwarfare, espionage, or sabotage is to influence people and their actions. Events in cyberspace will touch the physical world. Mirai in October 2016, as well as Petya, Eternal Blue, and Locky of 2017 have all highlighted how susceptible commerce is to cyber action. Target’s breach in 2013 and The Home Depot’s breach in 2014 are just the tip of the iceberg. All too frequently, intellectual property is silently whisked away to be reverse-engineered and copied in a foreign country. The utilities in another nation are crippled through sabotage. Whether citizens realize the fact or not, our lives are tied to the digital era. The internet is the backbone of our 21st Century society. Cyberattacks are always imminent. When will the next attack hit your organization?