One of the key challenges with what we now call cyber is the shortage of relevant technical cyber skills. This is directly linked to what would seem to be an inability to recognize or accept the real scale of the cyber threat, which is, of course, playing into the hands of the criminals and hackers who are harvesting millions in revenue as a result of their malicious activities.
It was U.S. Defense Secretary Donald Rumsfeld who commented, “There are known knowns. These are things we know that we know, and there are also known unknowns. These are things we know we don’t ‘know’ and then there are the unknown unknowns, which can represent very real and present threats” that are unseen by the conventional eye of security.
It’s these elements of unknowns that pose the highest degree of danger in today’s cyber landscape of complex, interconnected global systems.
Rumsfeld might have arrived at this perspective from an external influence. In his 2007 book The Black Swan: The Impact of the Highly Improbable, essayist Nassim Nicholas Taleb tells of a presentation on uncertainty he was requested to give to the United States Department of Defense shortly before Rumsfeld’s speech. The core message of The Black Swan was (is) that ‘unknown unknowns’ are responsible for the greatest societal change.
It is in this landscape that some members of the security profession recognize that if they could acquire an understanding of the things we don’t know and which are unknown, they could use these nuggets of isolated intelligence as an early warning system against individuals who practice exploitation and/or compromise.
This group is made up of Cyber Criminals, Hacktivists, Black/Grey Hat Hackers, some specialist members of Law Enforcement, the Intelligence Agencies, and a very small number of imaginative forward-thinking Professionals.
The bottom line is that here we are turning Gamekeeper to Poacher in order to adopt the very methodology and applied thinking that is exercised by cyber criminals.
The question is: are the current skill-sets employed by the run-of-the-mill thinking security profession leaning far too close to the wind of PCI-DSS and other standards, such as ISO/IEC 27001, and has the industry in the main moved too far away from the pragmatic basics of security?
On the first level, we should be seeking to develop a much more in-depth appreciation and understanding of the technical components of cyber security if we are to fight the good fight on a level playing field. If we don’t, then all may be lost until such time as we do.
The second question is as follows: do certifications really make a difference? Well, my answer here is both yes and no. Yes insofar as they prove to some extent that the holder of the said qualification understands the high-level components of IT/cyber security requirements, but no insofar as it takes more than a certification to serve as an effective operational team member.
We should not fool ourselves that just because someone holds a CISSP or other such certification that they know what they are doing in real dirty-hands terms.
As a conclusion, in the current drive to ramp up the level of real-time cyber skills, we need to fight the fight on a level playing field of cyber adversity, and we must balance the professional profile with a proven understanding of the back-to-basics of operational security beyond governance and compliance.
However, this must be further facilitated with a level of up-to-date thinking, research and an awareness of the next generation of threats, along with the real ability to sniff out those suspicious-looking conditions of unknown unknowns before they become known to all.