Cybersecurity Skills Gap - Inspired by Global Cybersecurity Forum 2020, Saudi Arabia
The Global Cybersecurity Forum that took place on 4-5 February 2020 in Riyadh, Saudi Arabia is already behind us. Unfortunately, I could not attend the event on-site, but luckily the organizers delivered a live stream, for which I am extremely grateful. I cannot express how impressed I am by the event organization, the venue, the focus of participants during sessions and of course the high quality of interesting topics, discussions, and conclusions of the greatest global cybersecurity panelists. Saying just 'wow' is definitely not enough!
Apart from my technical experience (~15 years of getting my hands dirty on the keyboard), I just love to deliver technical training sessions and workshops. Thus, as a trainer - who has trained more or less 1k people around the globe - I found the 'The Cybersecurity Skills and Workforce Gap – New Thinking' session one of the most interesting:
People are the key to solving cybersecurity challenges, yet the cybersecurity workforce is now facing a critical skills shortage and struggling to attract new talent. What can be done to fill the workforce gap and what infrastructure needs to be in place for this purpose?
What conclusions, then? Let me write down a list of important points, seen through my prism, that were mentioned during the session. And my thoughts as a bonus.
- We have a crisis - 3.5 million cybersecurity experts are needed globally - a known issue for a long time in the whole IT world that is not only related to the technical scope.
- Watch out for people who have "cyber" and a list of certifications in their resume without real experience - you need to ask good technical questions up front to detect fakes and measure the skills.
- Cybersecurity is a team sport and teamwork - do not be ashamed of your current skills - each of us must learn new things every single day and there is no person who knows everything.
- Education is a must - we have to inspire other people during training - personally, it's a big thing for me and I hope you feel it during meetings/training with me.
- Cybersecurity is the sexiest thing you could ever imagine for your daily job as long as you love to spend thousands of hours at the computer digging into the stuff.
- Cybersecurity is about the mindset - you have to be inquisitive, ask many questions like "Uhmm, what if?" and look where others don't.
- Look over the horizon - be well prepared for the problems of the nearest cyber future.
- Stay close to the community and do your own research, as it develops everyone's skills.
- Cybersecurity education means helping to build cybersecurity talent, and this allows us to achieve innovation.
- Encourage children and make them cyber-aware - when my 7-year-old son visits my office, he always asks questions while looking at my monitor. Lately, he asks more detailed questions: "Ooo, so you just killed the process from the root account, right Dad?" Another story: while watching a movie he screamed: "Dad! look! There is a Linux console in the movie!!!" A good start, I guess, in terms of awareness.
- Learning by doing - the traditional academic learning style is obsolete. Teaching the practical side is the key. As Confucius says: "Tell me and I will forget, show me and I may remember; involve me and I will understand." Hands-on labs, adversary simulations and dedicated RED/BLUE laboratories with the full stack of Open Source Security Software (+commercial solutions if possible) are the activities I would consider a recommended path for learning and improving skills.
- Want to become a cybersecurity expert? Start from the basics. Learn operating system architectures, do some scripting, get a feel for the network and become comfortable in the environment of various Linux distributions, then dig deeper. We have to create learning paths, as advanced stuff emerges sooner or later. As a good example from my past experience, the SSO integration project of Active Directory, Linux SSSD, Solaris, AIX and HP-UX, which had been driving me crazy, later allowed me to understand much more easily things related to Kerberos/LDAP security that you can find, for example, in this great research from Troopers 19: https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf . Backdooring PAM is another example. One more, this time from a training class I delivered - it can't be that we are focusing on advanced network exfiltration and post-exploitation stuff while the biggest issue at the beginning of the training is how to establish an SSH connection to the C2 server on a non-default port (`ssh -p $PORT`!). A small step-by-step approach is definitely needed here as well, but first, you must focus on the basics. Don't worry - you will find your path.
- The 'Protection and detection through attack' learning approach, or "Detection as Code vs Adversary Simulations". IMHO it's that holistic approach that allows you to better understand the different detection phases and layers by triggering generic SIEM alerts/rules through running well-chosen offensive tools, tactics and procedures in a chained style. Improving red and blue skills in one lab? Definitely possible, and more important than ever before. The next step is, of course, trying to bypass the previously triggered detection points. A continuous game of hide and seek. For me, it sounds like the adventure I have been looking for in the purple scope for many years. It seems such an approach is in line with global cybersecurity needs and expectations - and this is awesome! Naturally, don't forget it's about competencies and gaining new skills, not hot certificates.
Usually, I write more technical posts, but to be honest, I was inspired. Seriously, I was inspired by the content of the Global Cybersecurity Forum and all the panelists' knowledge and points of view, which in many places were exactly how I feel. I thought I would add my 2 cents. Thank you all! Especially, thank you so much to the panelists of this session:
- Hajar Algosair
- Dr. Tony F. Chan
- Prof. Marc ‘M.’ Dacier
- Dr. Kevin Du
- Rowland Johnson
- and wonderful moderator Richard C. Schaeffer, Jr.
You did a tremendous job! Hopefully, you will find my post here interesting and valuable. See you next year? See you sooner? #HITB in #Amsterdam, #Singapore, #AbuDhabi or #44CON in the #UK? Who knows.
With love and respect to the cybersecurity community.
Leszek Mis - Founder of Defensive Security.