It's time for more ‘Stories from Cybersecurity’! This week we talked to Kayne McGladrey ( @kaynemcgladrey ). Kayne is a member of the IEEE and the executive advisory board for Cyber Security Hub. He’s been published in USA Today, Reader’s Digest, Fast Company, the Philadelphia Inquirer, and many cybersecurity publications like Dark Reading, SC Magazine, and CIO Magazine. If that wasn't impressive enough, he's also #3 on the top twenty worldwide thought leaders in cybersecurity.
We thought it would be a great idea to get Kayne's take on some key issues facing the world from a cybersecurity perspective, and also learn more about his journey. We get lots of questions from readers about how to break into the cybersecurity industry, how to get their foot in the door, and all manner of other questions relating to getting started. This is why we think it's so important to share the experiences of those in the industry.
A key ingredient for success in cybersecurity is a passion for all things tech and security. Needless to say, we were also impressed to learn that Kayne has over fifty smart devices and a handful of robots! Let's take a look at what Kayne had to say:
On your website, you say "One of my career priorities is to inspire underrepresented communities to pursue careers in cybersecurity". This is an admirable goal I'm sure our readers would like to know more about. What do you think needs to be done to lower the barrier to entry in the cybersecurity industry?
As an industry vertical (an industry that offers niche services that fit into multiple industries), the cybersecurity industry has an image problem. The industry places too much emphasis on technical skills when hiring new talent.
The stock image of a white male (beard optional) working at a computer while wearing a hoodie permeates the news and has regrettably become the default for both “hacker” and “cybersecurity employee”.
That it assumes a male default is a problem. It’s a further problem that it assumes we’re all working at our computers in darkened rooms while staring at Matrix-style scrolling fonts. While this imagery may appeal to some, it’s off-putting to most.
HR departments across the globe are creating job postings for those who have a master’s degree in cybersecurity, have held the ethical hacker designation for twenty years, can program machine learning forensics artificial intelligence in Rust, have nineteen years of Kali Linux experience, and who were posthumously awarded the Purple Heart.
This impossible combination of skills only serves as a further barrier to entry. The resulting pool of candidates is a predictable lot; men have been statistically shown to be more willing to apply for jobs where they do not meet all the criteria.
Addressing these dual problems takes public outreach by industry. We don’t need another women’s cybersecurity breakout session while an all-white male panel is on the main stage. We don’t need another red teamer showing their latest 0-day to a cheering crowd while there’s no place for the non-technical people to discuss technical writing, project management, or technical support. We don’t need to create another cybersecurity conference.
Instead, the industry would be well served to invest in community outreach. Send project managers from cybersecurity companies to speak at colleges. Send physical penetration testers to talk to middle-schoolers about lock sport. At conferences, make sure that panels, breakout sessions, and keynotes reflect the diversity we want to see in our industry. Work to educate future generations that the cybersecurity industry needs new voices, new opinions, and new approaches.
What do you think is the best approach to increasing awareness of cybersecurity issues, both in business and in the public?
The threat actors have already figured this out – continuous and persistent engagement.
Businesses should set up spear-phishing exercises within their company to track how successful (and therefore dangerous) these attacks may be.
This job should be assigned responsibly to one or more employees who understand the nature of the task. Then the failure rate of those campaigns should be covered as part of their annual review. It’s essential to focus on the number of times the phishing emails were reported, the number of people who didn’t click the link, the number of responses that weren’t sent to spoofed emails from someone’s manager asking them to send a personal cell phone number.
This is a way of measuring the effectiveness of a training program because if highly targeted phishing campaigns are failing, it means employees of the business are learning.
In the public sphere, cybersecurity needs to be part of the elementary school curriculum. Elementary schools are giving students access to computing devices at an increasingly early age, though at a slower rate than parents. Doing homework on computers is the new normal. But talk of cybersecurity is limited to the “computer lab” or couched in “stranger danger” discussions about online chat.
Teaching very basic cybersecurity skills, like not downloading software from dodgy websites and looking for red flags in online communications, would have immediate and lasting benefits to society. The immediate benefit would be to parents, who’d be less likely to have their home computer infected by ransomware due to their fifth grader having downloaded a game cheat. The lasting benefits would be awareness and increased curiosity in the industry.
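Kayne's suggestion above is to score a training program on how phishing simulations fail: reports up, clicks and data-leaking replies down. The snippet below is an added example (not from the interview or this blog) that turns those three counts into per-campaign rates and a simple trend check; the campaign names and counts are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Campaign:
    """Outcome counts for one simulated spear-phishing campaign."""
    name: str
    recipients: int
    clicked: int            # opened the lure link
    reported: int           # forwarded the mail to the security team
    replied_with_data: int  # answered the spoofed "manager" with personal data

    def __post_init__(self) -> None:
        # Reject malformed exports before they distort an annual-review metric.
        if self.recipients <= 0:
            raise ValueError(f"{self.name}: recipients must be positive")
        for name in ("clicked", "reported", "replied_with_data"):
            if not 0 <= getattr(self, name) <= self.recipients:
                raise ValueError(f"{self.name}: {name} out of range")


def rates(c: Campaign) -> Dict[str, float]:
    """Per-campaign rates: clicks and replies should fall, reports should rise."""
    return {
        "click_rate": c.clicked / c.recipients,
        "reply_rate": c.replied_with_data / c.recipients,
        "report_rate": c.reported / c.recipients,
    }


def training_is_working(campaigns: List[Campaign]) -> Dict[str, bool]:
    """True per metric when every later campaign is no worse than the one before it."""
    series = [rates(c) for c in campaigns]
    pairs = list(zip(series, series[1:]))
    return {
        "clicks_falling": all(b["click_rate"] <= a["click_rate"] for a, b in pairs),
        "replies_falling": all(b["reply_rate"] <= a["reply_rate"] for a, b in pairs),
        "reports_rising": all(b["report_rate"] >= a["report_rate"] for a, b in pairs),
    }


# Constructed sample data for three quarterly campaigns, not real results.
QUARTERLY = [
    Campaign("Q1", recipients=200, clicked=60, reported=30, replied_with_data=12),
    Campaign("Q2", recipients=200, clicked=40, reported=70, replied_with_data=6),
    Campaign("Q3", recipients=200, clicked=22, reported=110, replied_with_data=2),
]

if __name__ == "__main__":
    for c in QUARTERLY:
        print(c.name, {k: f"{v:.0%}" for k, v in rates(c).items()})
    print(training_is_working(QUARTERLY))
```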
What do you think needs to be done to increase diversity in cybersecurity?
We need to talk to people who aren’t in cybersecurity. Individual practitioners should find local community organizations where there’s already an audience and a meeting cadence and offer to present on a lightweight cybersecurity topic.
Ideally, this could be linked to recent media coverage; as it’s November, safe online shopping would be a great idea. These presentations can be given to professional organizations, community organizations, veterans, or tailored to job-seeking organizations. By educating the public about cybersecurity we both make it harder for threat actors to monetize their illegitimate businesses, and we also may find people who were considering a career change.
What do you think are the biggest cybersecurity threats we are facing right now?
Apathy and a lack of responsibility. Hundreds of millions of Americans have received hollow-sounding letters offering a year of free credit monitoring because of one of the massive breaches in the past five years. Coupled with the sheer amount of media coverage associated with massive breaches, it can lead people to believe there’s nothing that they can do to protect themselves or their families.
Cybersecurity then becomes someone else’s problem – some company, some cloud provider, the government – instead of taking individual responsibility like setting up multi-factor authentication (MFA) and using a password manager to stop re-using passwords. Part of the reason for these massive breaches is threat actors know people re-use passwords, they use easy-to-guess knowledge-based authentication questions, and the closest they get to MFA is using their phone number as a backup for password resets.
How do you see the industry changing over the next decade?
With four million cybersecurity jobs going unfilled, according to ISC(2), we are at a crossroads.
The default path is to do more of the same. Increased venture capital investment in speculative technologies like artificial intelligence and machine learning, in the hope of automatically identifying and stopping breaches, due to the lack of security operations center (SOC) analysts. More colleges and universities offering cybersecurity degrees to people with similar life experiences from the same zip codes as before.
This is the definition of insanity, per Alcoholics Anonymous: doing the same thing and expecting a different result. This path leads to increased movement of wealth to threat actors, higher insurance premiums for everyone, increased cybersecurity costs for all, and a loss of privacy.
The harder path is to encourage people who have different life experiences and viewpoints to get involved in cybersecurity. Our industry needs to incorporate the approaches of people who have struggled against discrimination, who have prevailed in the face of hardship, and who came from outside of the IT industry.
This path is harder for everyone as we don’t share a common vocabulary, yet, and the newcomers will need accessible training covering both technical and non-technical roles in cybersecurity. It’s unknown if this direction will decrease the number of breaches, as we have not made a concerted effort. However, there are economic advantages as cybersecurity jobs are a pathway to the middle class, and social benefits as this approach involves breaking down tribalism and bias.
We all own this choice and can choose our future. It’s the ethical responsibility of everyone in cybersecurity to choose a better, safer future.