Tim McCreight, Director of Strategic Alliances at Hitachi Systems Security and member of the Board of Directors of ASIS International, participated in a live broadcast hosted by Chuck Harold of Security Guy TV on the cybersecurity talent shortage on October 24, 2017. You can watch the video recording here or read the full interview summary below.
In 1981, I started to work in physical security as a Chief Security Officer in a hotel in Winnipeg, Manitoba, Canada. I learned about fraud investigations, forensics through HR files, and executive protection.
In 1998, I came to realize that the Internet would stick around for a little while. Plus, in the physical security industry, I saw more and more devices being attached to the corporate network, such as cameras or card access, and it was starting to scare me. No one was thinking of these as being part of the IT network; they were considered physical security devices.
That’s when I decided to focus my time on IT security and go back to school. I spent 2 years at a technical college in Edmonton, Alberta, Canada, and learned about computer systems technology. Personally, I didn’t want to code, I wanted to break things. I learned that if I could figure out how to break it, I could also figure out how to protect it.
Moving forward, I worked in information security roles and became Chief Information Security Officer (CISO), or the equivalent, at four different companies from 2000 until today.
Yes. We are currently experiencing a shortage of between 1 million and 1.8 million qualified people in the physical and cyber security industry. Today's CISOs struggle to choose between building their own IT security dream teams and outsourcing their security to a trusted security service provider. Now the question is, if we put 1 million people in a college and train them for 4-5 years, every year for 20 years, would there still be such a talent shortage? Did we miss the window to get that done?
When I was CISO of Alberta, I didn't have a degree. I had completed grade 12 and a college diploma in computer systems technology, and I ran the security for a $48-billion-a-year organization with IT operations around the world.
You can do this. I'm living proof that someone who is not technical can become a part of the IT security world, because you think of things from a risk perspective. You don't get tied down to "I can't" but to "How can I?". I was interested in knowing how things worked. I learned early on that I wasn't that technical guy, but I wanted to learn enough to at least be relevant in a conversation, so I needed to understand the technology. I spent time doing my own research before going back to school.
However, how are we going to come up with that volume of people and convince them that cybersecurity is an actual career, that you can make a living out of this, that you can provide value to an organization, that you are going to enable a company to achieve its objectives? I would love to see more people come onboard and go through university and college programs, but the challenge of gathering so many people that quickly remains.
As professionals, we need to start bringing people in. In the old days, we used to have on-the-job training programs. Like in the military, we just got people coming in, people who had an understanding of and an interest in the job, and we would teach them on the fly. Maybe we could be looking into that. I met a lot of people throughout my career who didn't have any university degrees, but they had this desire, this curiosity, to know how things work. They were self-taught; they spent time learning.
Is there a way we could start bringing people into this industry, train them along the way, and give them formal training once they get established, once they start understanding where they want to explore and grow?
We are going to have to. We have to find solutions. Otherwise, how are we going to deal with 1.8 million people to train? It will become a huge burden.
How can we get the next generation interested in cybersecurity? There are great cyber titan programs in the United States and in Canada targeting junior high and high school students as well as post-secondary students.
We must get to the point where kids get hooked at the junior high level so that they can start looking at this as an opportunity and a chance to learn skills early. Can they bring those skills forward as they get into high school? Can they take this up as a career when they enter university? Can they do an on-the-job training program once they get into high school? They could get an understanding of vulnerability management by trying some penetration testing or white-hat hacking to understand part of cybersecurity.
How do we get people to get engaged in our industry, start thinking about it from a risk perspective and look at the different components?
Take a home inspector, for example. From the time a home inspector gets out of his truck, gets his ladder out and starts walking up the sidewalk with clients to take a look at the home, he's conducting a risk assessment. From a compliance perspective, he knows what he needs to see from the building code; he needs to understand the diverse types of building structures, how old this facility is, what the original electrical code was, etc. All he is doing is making observations and documenting them for clients. He is providing them with his assessment of risk, giving them a timeline of when they would need to change the roof, electrical, and windows, as well as the cost. All of this will help in making the final buying decision and will be taken into account when the buyers make an offer and when they start planning their future budget to remediate the risks.
We need to know how to stay relevant inside the industry that we are in. Regardless of the field we are in, whether it is physical or cyber security, it is our job to identify and reduce the risks on behalf of an organization. The trick is to remain relevant in your role. Can you understand the different components that make up the risk program or the security program? Can I provide value by offering my skill set to the other side?
We need to understand the concept of relevance and how to continue to remain relevant in an industry that is constantly changing.
Yes, partially. Most people try to embrace change. If people understand that there is an opportunity to move forward in their career by being willing to learn more, it is possible to gain a good knowledge of cybersecurity.
Once you understand what the risk is, regardless of whether it is physical or IT security, you can leverage your knowledge in physical security, for example walking the perimeter, checking the doors, etc. In the end, it comes down to asking yourself a few very simple questions:
More and more, we have become numb to the concept of a breach. We have become numb to the idea that our private and confidential information is readily available, numb to the sheer number of times we've been contacted by a credit card company saying that a certain hotel got breached or that our PlayStation account got hacked.
We have created this massive amount of data about each one of us, and we are dealing with companies that may or may not have the budget or the ability to address the risk but are taking your information anyway to provide a service. Unfortunately, many organizations don't have proper risk practices in place, and executives just ignore the risk and cross their fingers, hoping that we are not going to get hacked.
There is no company that you can trust with your data that hasn't announced a hack or hasn't figured it out yet. How do we deal with the repercussions? The repercussions are not something you are going to see tomorrow. This is a problem that will occur 20 years from now, but that we need to deal with today.