Cybersecurity Workforce Gap: 145% Growth Needed to Meet Global Demand


805,000 Cybersecurity Professionals Are Currently Estimated to be Working in the U.S., Study Finds

The biggest surprise about the cybersecurity skills gap is that it exists at all. The job description painted by the latest (ISC)2 workforce study, based on responses from 3,237 existing cybersecurity professionals, is attractive.

The pay is good — especially if you have professional certifications (average $90,000 in North America, and $58,000 in Europe). Motivation is also high: “high demand, the ability to work in a continuously evolving field, the ability to constantly solve puzzles and never get bored, and job security. A strong majority — 65% — intend to work in cybersecurity for the rest of their careers,” states (ISC)2 in its new Cybersecurity Workforce Study, 2019 (PDF).

The purpose of this year’s study differs slightly from earlier studies. It doesn’t merely attempt to assess the workforce gap, but also seeks to estimate the number of cybersecurity professionals currently in employment. The workforce gap is calculated as the number of hiring organizations multiplied by their expected headcount, minus the current supply.

(ISC)2 asserts that these two sets of figures (the current gap and the current number employed) provide a better understanding of what is required to succeed in the cybersecurity age. “We know,” for example, it says, “that the global cybersecurity workforce needs to grow by 145% to meet the demand for skilled cybersecurity talent. In the U.S. specifically, it needs to grow 62%.”

Cybersecurity Skills and Employment

The report then goes on to discuss “insights into immediate and longer-term methods for building qualified and resilient cybersecurity teams now and in the future.” It is, in effect, a report in three sections: the size of the workforce gap, the status of employed professionals, and how to gain and maintain good staffing levels.

“We’ve been evolving our research approach for 15 years to get to this point today, where we can confidently estimate the current workforce and better understand what it will take as an industry to add enough professionals to protect our critical assets,” said Wesley Simpson, chief operating officer, (ISC)2. “Perhaps more importantly, the study provides actionable insights and strategies for building and growing strong cybersecurity teams. Knowing where we stand and the delta that needs to be filled is a powerful step along the pathway to overcoming our industry’s staffing challenges.”

The report starts strongly. The number of participants has doubled from last year’s survey — from 1,452 to 3,237 — giving a claimed margin of error as low as 1.7%. The report also uses a complex method to assess the overall employed workforce based on market inputs.

Available data is greater in the U.S., so this region was used to develop the methodology. It led to the conclusion that “nearly 805,000 cybersecurity professionals are estimated to be working in the U.S.” The methodology was then extrapolated to other regions around the globe; but conservatively, since there is generally less available data outside of the U.S. Nevertheless, this led to estimates that there is an 84,000-strong workforce in Canada, a 133,000-strong workforce in Germany, and a 289,000-strong workforce in the UK.

The (ISC)2 respondents, presumably from the various employed workforces, were questioned over their current views on, and experience in, their employment. There is, frankly, little that is new or surprising in the details (lack of resources, difficult work/life balance etcetera); except, perhaps, the importance placed on academic achievements, industry certifications, and prior experience. Only 12% of professionals do not have a university degree at some level. Once they are in employment, security certifications become more important. “On average,” says (ISC)2, “they hold about four security organization certifications and three security organization memberships.”

Academic qualifications are consequently important to get into cybersecurity, while industry qualifications are important to progress through it. It is not surprising, then, that the primary hurdle to career progression in cybersecurity is the cost of cybersecurity certifications. “The cost of cybersecurity certification is the number one career hurdle, with more than half of respondents having to pay out-of-pocket for at least some of the costs of cybersecurity certifications,” says (ISC)2. The value placed on this certification by employees is amply demonstrated by the higher pay levels for certified staff — certified personnel have an average global salary of $71,000, while those without certifications average $55,000.

Armed with an understanding of the workforce gap, and the nature of the current workforce, the (ISC)2 report moves on to provide advice on ‘building cyber-strong teams’, and ‘developing your cybersecurity dream team’. Building is either from the outside, or from the inside. From the outside, (ISC)2 comments that organizations are “looking for relevant and extensive work experience, advanced knowledge of concepts, and cybersecurity certifications. So, they’re also seeking to hire people who are currently acting as consultants, contractors, and working within security and hardware vendors.” Basically, budding cybersecurity professionals either need academic excellence straight from university, or demonstrable experience from other employment. This is not likely to close the workforce gap.

Building from the inside might help the gap if different disciplines are attracted into cybersecurity. “In building their cybersecurity teams,” says (ISC)2, “70% of organizations give priority to training and promoting from within, according to previous (ISC)2 research. 57% offer training and certification opportunities to employees to strengthen their teams, and 55% offer cross-training on cybersecurity skills and responsibilities.”

Advice on developing a dream team offers three separate strategies. The first is to ensure that the job opportunity is appealing. The first advice given ‘to help mitigate the typical challenge professionals face’ is “Contributing toward the cost of cybersecurity certifications.”

The second strategy “is to level-set on cybersecurity applicant qualifications. Many entry-level and even mid-level positions will be appealing to candidates without the years of experience required to earn many of today’s in-demand cybersecurity certifications,” says the report. “But as our study has revealed, these professionals will be driven to obtain those certifications during their career, which will provide you with even more confidence in your cybersecurity team.”

The third strategy is to recruit from outside — firstly from university graduates with relevant degrees, and secondly by poaching from consultants, contractors, and security and hardware vendors. But the report adds, “Don’t underestimate the power of certifications when it comes to job satisfaction and recruiting… Offer certifications and training in the areas that cybersecurity professionals are most interested in.”

The fourth strategy is to grow the team from within the organization. “Start by identifying talented and motivated non-security-focused IT professionals and paying for cybersecurity trainings and/or certifications.”

The report’s own conclusion states that, “By estimating the global cybersecurity workforce, we know that it needs to grow by 145%. That’s a number organizations can get their arms around. By recruiting talented men and women into the field, attracting experts from outside the organization, and helping to train and develop existing team members, organizations can improve their security stance and help close the gap in their corner of the world.”

But if there is one single theme that pervades this report, it is the value of cybersecurity certifications; and the need for companies to consider subsidizing the cost of those certifications. It should be noted, of course, that (ISC)2 is primarily a vendor of cybersecurity certifications.

Related: Can You Trust Security Vendor Surveys?

Related: CISSP Price Hike Dismays Certified Security Professionals

Related: Professionalizing Cybersecurity Practitioners


Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.



Sepio Systems Raises $6.5 Million to Defend Against Rogue Hardware


Cybersecurity startup firm Sepio Systems, with headquarters in Gaithersburg, Maryland and R&D in Tel Aviv, Israel, has closed a $6.5 million Series A funding round. The funding was led by Hanaco Ventures and Merlin Ventures, with the participation of existing investors Energias de Portugal (EDP), Mindset Ventures and Pico Partners. Total funding raised by Sepio now stands at $11 million.

Sepio was formed to defend against the increasing threat and occurrence of compromise via rogue hardware. Delivered as a cloud service, it detects and mitigates hardware-based attacks, rogue peripherals, invisible network devices, and manipulated firmware. It provides visibility into hardware assets and their behavior in real time, while a policy enforcement module allows administrators to define usage rules and detect misbehavior. It consequently supports the hardware supply chain while also detecting malicious actor-inserted rogue devices.

A common hardware attack is delivered against ATMs, where rogue hardware is inserted. However, network infrastructures are not immune. In July 2017 it was reported that two illegally attached Raspberry Pis on a healthcare network were redirecting staff to a lookalike external phishing site.

More recently, it was reported in June 2019 that NASA’s Jet Propulsion Laboratory (JPL) had been compromised via the attachment of an unauthorized Raspberry Pi computer to the JPL network. NASA’s own report stated, “Given the architecture of JPL’s network, the attackers were able to expand their access upon entry and move laterally across the network. Classified as an advanced persistent threat, the attack went undetected for nearly a year.”

Coupled with an unpatched critical software vulnerability, the attack resulted in the exfiltration of 23 files containing around 500 megabytes of data. “The increasing number of hardware-based cyber-attacks is a major concern to all enterprises,” commented Yossi Appleboum, co-founder and CEO of Sepio. “While all other security solutions are focused on software threats, they are incapable of stopping threats coming from hardware.”

Sepio was founded in April 2016 by Bentsi Ben-Atar, Iftah Bratspiess, Yossi Appleboum and Greg Poch. The first three all served in Israel’s IDF intelligence units, while the chairman of the board is Tamir Pardo, a former director of Mossad — making Sepio another product of the Israeli cybersecurity startup conveyor belt.

“Besides creating the Rogue Device Mitigation category,” said Alon Lifshitz, founding partner at Hanaco Ventures, “it’s rare as an investor to back founders that have worked as a team for over twenty years now building their third startup together.”

The second primary investor in the funding round sees its primary task as bringing the Rogue Device Mitigation (RDM) solution to the U.S. federal space. Part of the expansion fueled by the funding will be a new office in McLean, Virginia to support US federal customers. To date, Sepio’s RDM has been deployed in more than 25 banks, insurance and telecommunications companies in the U.S., Singapore, Brazil, South Africa and Israel.

Related: Supply-Chain Attack Used to Install Backdoors on ASUS Computers

Related: DUST Identity Emerges From Stealth to Protect Device Supply Chain

Related: IBM Supply Chain Breached as Storwize USBs Ship With Malware



eCommerce Fraud Prevention Firm Riskified Raises $165 Million


Ecommerce fraud prevention solutions provider Riskified has raised $165 million in a Series E funding round at a valuation of over $1 billion.

The latest funding round, which brings the total raised by the firm to over $228 million, was led by General Atlantic, with participation from Fidelity Management & Research Company, Winslow Capital Management, and existing investors Qumra Capital, Pitango Venture Capital and Entrée Capital.

In a blog post, Riskified CEO Eido Gal and CTO Assaf Feldman, who are both founders of the company, said the money will be used to accelerate product development and for further global expansion.

“We’ll be able to offer even more solutions that help merchants drive revenue and deliver a better customer experience. The new clients and partners that we onboard and the new products we deliver will, in turn, increase our accuracy and improve our performance,” Gal and Feldman explained in a joint blog post.

Riskified provides an AI-powered fraud prevention platform that enables merchants to instantly determine if a transaction is legitimate or fraudulent.

Riskified claims its solutions can help customers increase order approval rates by up to 20% and they can reduce fraud-related costs by up to 50%.

The company says its solutions are used by many major companies and it claims to analyze transactions from 235 countries and territories across the world. Riskified has offices in the U.S. and Israel, and it plans on opening a new office in China by the end of the year.

“Riskified is the rare blend of realized performance and considerable potential. The company’s innovative model has enabled it to deliver significant ROI to its customers and partners, with a clear runway ahead for strategic expansion of its geographic footprint, product offering, and consumer base,” said Tanzeen Syed, managing director in General Atlantic’s Technology sector.

Related: Shape Security Raises $51 Million at $1 Billion Valuation

Related: Fraud Protection Firm Signifyd Raises $100 Million

Related: eCommerce Fraud Prevention Firm Forter Raises $50 Million

Related: Fraud Prevention Firm Sift Science Raises $53 Million


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.



How Do We Get to a Passwordless World? One Step at a Time.


There’s More to a Passwordless Future than Adopting Standards and Choosing Authentication Methods

The future is passwordless: That’s the inevitable conclusion I think more and more people are reaching as we watch passwordless standards become more firmly established and passwordless authentication methods grow in number and sophistication. It’s important to remember, as we stand poised to enter this future, that there is more to the passwordless world than standards and authentication methods. There are also challenges to consider. For example, how do you prove identity for credentials enrollment in a world that doesn’t use passwords? And how do you recover lost credentials? Perhaps one of the most important considerations is how to address these challenges without recreating some of the very issues that doomed passwords in the first place – like the user inconvenience, help desk burden and costs associated with password resets. We must be vigilant not to simply end up replacing password resets with different, but equally onerous, methods. It’s still too early in the game to know precisely how we’ll address all these issues in a meaningful way. But it’s not too early to start exploring. Let’s dive in.

What Does it Mean to Define Identity in a Passwordless World?

The principal challenge in passwordless authentication is establishing a digital identity – something that proves users are who they say they are and serves as a basis for trust in identity wherever users go in the digital world, much as a passport or a driver’s license does in the physical world, that doesn’t rely on passwords. There are, of course, authentication methods available that eliminate the need for a user to present a password at authentication time – biometrics (facial recognition and fingerprint ID, for example), token-based authentication and others. But passwords continue to be used as the underlying authentication method for many of these methods. If the idea is to eliminate passwords, then by what secure means does a user prove identity in order to get that passwordless credential in the first place? We need to continue to work on developing new methods to establish the initial trust that will grant a user a secure and truly passwordless credential.

What Happens when a User Needs to Recover Credentials?

When we talk about biometrics, tokens and other passwordless authentication methods in use today, we often don’t give much thought to the fact that passwords still continue to serve as the underlying mechanism for both user authentication and credential recovery. When I lost my phone on a plane not long ago, I was both bemused and dismayed to realize that all I needed to reestablish my incredibly advanced facial biometric credential for all the apps and accounts associated with that device was – wait for it – a combination of username and password. In that case, couldn’t anyone who got their hands on my username and password just use their own face as the biometric to gain access to my account? Of course they could. The point is that any form of strong authentication today is ultimately just a façade for a password – and therefore not really any stronger or safer than the password underlying the method. What we think of as “passwordless” really isn’t; it’s a system still rooted in something that’s pretty easy to steal and use to impersonate you. And if you don’t remember your username and password, the recovery mechanism is also easy to breach by just about anyone who can track down your mother’s maiden name (on that “private” family history website your cousin runs) or the model of your first car (a picture of which you proudly posted on social media).

Let’s face it: In just about every case of digital identity, there seems to be a set of credential recovery mechanisms that are weaker than the authentication method itself. Lose your phone with the facial recognition feature? No problem, just type in your password. Can’t remember it? Just tell us your mother’s maiden name and we’ll give you a new one. Lose your hardware token? No problem, just provide your Active Directory username and password and we’ll mail you another. If authentication in a passwordless world is going to be as secure as everyone wants it to be, we have to reverse this pattern and make the recovery mechanisms more secure than the authentication method itself. Maybe a hardware token serves as the recovery mechanism for a mobile authenticator (Lose your phone? Grab your hardware token to authenticate.) The main challenge may be in making the recovery mechanism more secure while also keeping it simple and practical.
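The pattern described above (a strong authenticator whose recovery path falls back to a password, which in turn falls back to security questions) can be made concrete with a small policy checker. The following is an added example written for this page, not code from RSA or the author; the assurance scores, factor names and both recovery policies are constructed assumptions for illustration. It computes the effective strength of each factor as its own strength capped by its weakest self-service recovery path, recursing through the chain, so a biometric recovered by a password recovered by security questions collapses to the strength of the security questions.

```python
"""Model of how credential-recovery paths cap the real strength of an
authentication method. Scores and policies are constructed illustrations
for this example, not a standard scale or any vendor's model."""

# Assumed, illustrative assurance scores (higher is stronger).
FACTOR_STRENGTH = {
    "security_questions": 0,   # mother's maiden name, first car: often public
    "password": 1,
    "face_biometric": 3,
    "hardware_token": 3,
}


def effective_strength(factor, recovery, _stack=()):
    """Strength of `factor` once its recovery paths are taken into account.

    `recovery` maps a factor to a list of alternative recovery paths (OR);
    each path is a list of factors that must all be presented (AND).
    - AND: an attacker must defeat every factor in the path, so the path is
      scored at its strongest member (a conservative lower bound).
    - OR: an attacker picks the weakest path, so the minimum is taken.
    A factor can never be stronger than the weakest path that re-issues it.
    """
    if factor in _stack:          # recovery cycle: fall back to own score
        return FACTOR_STRENGTH[factor]
    own = FACTOR_STRENGTH[factor]
    paths = recovery.get(factor, [])
    if not paths:                 # no self-service recovery (e.g. in-person re-issue)
        return own
    stack = _stack + (factor,)
    weakest_path = min(
        max(effective_strength(f, recovery, stack) for f in path)
        for path in paths
    )
    return min(own, weakest_path)


def weak_links(recovery):
    """Factors whose recovery path drags them below their own strength."""
    return {
        f: effective_strength(f, recovery)
        for f in FACTOR_STRENGTH
        if effective_strength(f, recovery) < FACTOR_STRENGTH[f]
    }


# Constructed policy 1: the pattern described in the article. Every strong
# factor is recoverable with a password, and the password with questions.
TODAY = {
    "password": [["security_questions"]],
    "face_biometric": [["password"]],
    "hardware_token": [["password"]],
}

# Constructed policy 2: recovery is at least as strong as the factor it
# re-issues; the hardware token is only re-issued in person.
REVERSED = {
    "face_biometric": [["hardware_token"]],
    "hardware_token": [],
    "password": [["hardware_token"]],
}


if __name__ == "__main__":
    for name, policy in (("today", TODAY), ("reversed", REVERSED)):
        print(name, {f: effective_strength(f, policy) for f in FACTOR_STRENGTH})
        print("  weak links:", weak_links(policy))
```

Under the first policy every factor, including the biometric and the hardware token, ends up with the effective strength of the security questions, which is the “façade for a password” effect; under the second policy no factor is weakened by its recovery path. The same check can be run against any real enrollment and recovery design by filling in the organization’s own factors and paths.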

The questions presented here revolve around one theme: the importance of awareness. To assume that passwordless standards and authentication methods are all we need to create a passwordless world is a mistake, as is overlooking the fact that even in those areas, most organizations still have a lot of work to do. It’s exciting to think about the existing and emerging solutions that are already moving us down the road to that world, but it’s also necessary to be aware of the gaps to be bridged and obstacles to be overcome. In this case, knowing what challenges we face and thinking about how to address them are the first steps to a passwordless future.

Jim Ducharme is Vice President of Identity Products at RSA. He is responsible for product strategy and leads the associated product management and engineering teams. He has nearly two decades of experience leading product organizations in the Identity marketspace, and has held executive leadership roles at Netegrity, CA, and Aveksa.



Immersive Labs Raises $40 Million for Cyber Skills Platform


Immersive Labs, a company that provides an interactive and gamified cyber skills development platform, has raised $40 million in a series B funding round.

The funding round, which brings the total raised by the firm to $48 million, was led by Summit Partners, with participation from Goldman Sachs. Immersive Labs says it plans on using the money to further improve its platform and expand in North America.

The company was founded by a former employee of the UK’s GCHQ intelligence agency and it has offices in both Britain and the United States. Immersive Labs says its solutions are used by over 100 organizations worldwide, including government organizations in the UK, Citigroup, Goldman Sachs, and Bank of Montreal.

The company’s on-demand platform enables customers to continuously improve their cyber skills while making it easy for them to track progress. The solution can be used by both business users and security specialists to see how well they would handle a real-world threat or incident. It can be used to simulate a wide range of scenarios, from basics to malware analysis and threat hunting.

The Immersive Labs browser-based platform maps a customer’s capabilities to frameworks such as NIST NICE and MITRE ATT&CK, and helps them plan, report and predict risks. It can also be useful for discovering specific skill shortages.

“Gaps in cybersecurity knowledge meaningfully increase risk to an organization, creating vulnerability and presenting opportunity for attackers. The rapid, constantly evolving threat landscape has made traditional classroom training for cyber skills obsolete,” said James Hadley, CEO of Immersive Labs. “At a time when cyber skills are stretched across the board, the Immersive Labs platform enables companies to identify these weak points and rapidly skill people to address them.”

Related: Security Awareness Training Firm KnowBe4 Raises $300 Million

Related: Awareness Training Firm CybeReady Opens U.S. Office With $5 Million Funding

Related: Dataswift Raises $2 Million in Seed Funding to Revolutionize Personal Data Sharing


