Whether or not you observe National Cybersecurity Awareness Month, you’re probably more aware than ever of cybersecurity threats. The FBI saw reported cyber-crime costs approach $7 billion in 2021. Meanwhile, 82% of CIOs believe their software infrastructure is vulnerable to cyber attack.
"Honestly, we are losing the arms race with threat actors," said Stan Wisseman, chief security strategist with Micro Focus' CyberRes line of business. In an effort to highlight how cybersecurity is evolving to even the race, Wisseman launched and co-hosts Reimagining Cyber, a podcast series dedicated to highlighting "common challenges, trends, and solutions" for today's cybersecurity professionals.
All About Monetization
Why are we losing the arms race? What makes the foe so formidable? In part, it's because the foe is not a monolith—and the fight takes place on several fronts at once. Wisseman and his co-host, fellow chief security strategist Rob Aragao, break threat actors into two major buckets: cyber-crime underground and nation-state threat actors.
"The cyber-criminal underground is all about monetization," said Aragao. "They steal and/or lock up sensitive data from organizations and extort money."
Outsiders might be inclined to think of the cyber-crime underground as resource-strapped, desperate criminals. In practice, these groups operate much like legitimate businesses, with highly sophisticated, well-staffed, technology-rich organizations—as shared in a recent episode featuring Raveed Laeb, vice president for product at cyber intelligence technology company KELA.
"The bad guys have access to all the same security frameworks, tech, and controls that we do and have tactics and techniques to bypass them," Aragao said.
Nation-State Power Plays
For the criminal underground, cyber crime is about money. But for nation-states like Iran and China, cyber crime is about something much more nefarious: power.
For its part, China is considered one of the top-tier nation-state threat actors today.
"China isn't hacking to sell data," Wisseman said. "They're doing it for their own geopolitical purposes as a nation—hoovering up data and potentially creating a social media-type platform, knowing everything about you and your family. So, if they wanted to extort something out of you, it would be a piece of cake."
One of the more infamous examples of Chinese cyber espionage was the 2015 US Office of Personnel Management (OPM) hack. With it, the Chinese obtained tens of millions of SF-86 forms containing intimate information about people seeking US security clearances—including 5.6 million fingerprints.
In 2018, the Center for Strategic & International Studies estimated that Chinese cyber espionage cost the United States between $20 billion and $30 billion annually. The full consequences of Chinese and other nation-state cyber crime are not clear. But cybersecurity professionals must assume the worst—particularly in a volatile geopolitical climate.
Additionally, Wisseman and Aragao recently interviewed William Hagestad, an internationally recognized expert on nation-state cyber-threat actors and author of the books Chinese Cyber Crime: China's Hacking Underworld and 21st Century Chinese Cyber Warfare. The episode—titled "Time to Take Them Seriously . . . What's Iran Doing in Cyber?"—examines how Iran has enhanced its capabilities as a threat actor in cyber space.
Sociotechnical Research
On a more heartening note, the podcast episodes illuminate a slew of creative approaches that individuals and organizations are using to adapt to today's threat landscape.
Wisseman and Aragao both were stirred by their interview with Jeremy Epstein, lead program officer with the National Science Foundation (NSF). Epstein discussed the importance of sociotechnical research, "which was something completely new to me," Wisseman said.
Sociotechnical research approaches cybersecurity from both a technical and human lens. Given that 82% of breaches in 2021 involved the "human element," sociotechnical research aims to address the human failings that make organizations vulnerable to cyber attack.
"An example project the NSF funded was putting anthropologists in security operations centers to help them figure out better ways for different people to work together in a collaborative manner," Wisseman said. "As experts in human nature, anthropologists were able to give added insight that they otherwise wouldn't have gotten. So cool."
Projects like the NSF's that take an interdisciplinary approach to cybersecurity epitomize what both podcasters consider a sea change in the industry.
"People have long thought of cybersecurity as a kind of regulatory chore," said Aragao. "But nowadays, you have to treat it as an art form."
Indeed, the state of the art is to take cues from as many different areas of expertise as possible. A quick glance through the topics covered by Reimagining Cyber demonstrates this breadth. One episode, "Connected Vehicles and the Cyber Equivalent of Seatbelts and Airbags," does a deep-dive into the cybersecurity intricacies of autonomous cars and automotive security. Another, "Women in Tech Choose to Challenge and Refuse to Be Silenced During Women's History Month and Beyond," details the growing role of women in the world of cybersecurity. The podcast series' guests span academia, large commercial enterprises, state government, federal government, cybersecurity firms, nonprofits, law firms, and more.
Cyber Skills in Demand
Not surprisingly, companies working in the cybersecurity sector are clamoring for fresh talent. 2022 data published by CyberSeek shows almost 770,000 openings for jobs either partly or wholly dependent on cybersecurity skills. CyberSeek also reports that the demand for cybersecurity professionals is growing at more than twice the rate of job openings across the rest of the US economy. Marian Merritt, the deputy director of the National Initiative for Cybersecurity Education (NICE), discussed this topic in greater depth in the Reimagining Cyber episode "Closing the Cyber Workforce Gap."
"Cybersecurity is outpacing other industries because every sector needs staff," said Merritt. "The employers who are leading the way in cybersecurity workforce solutions are breaking barriers. . . . They are revising position descriptions to remove certification and degree requirements, investing in on-the-job training programs, and reskilling employees . . . to address hard-to-find skill areas like cloud or data sciences."
Wisseman and Aragao are encouraged by the response to their podcast. They relayed a statement from Parham Eftekhari, executive vice president of the CISO Community for the CyberRisk Alliance, a podcast guest for the "Cybersecurity and the Modern CISO" episode. Eftekhari praised the podcast for "helping demystify cyber risk for C-suite and boardroom executives."
"With a deeper understanding of cyber threats and mitigation strategies," said Eftekhari, "these leaders can make informed decisions that balance business needs with cybersecurity risk—including security-by-design, responsible product development, and appropriate funding for security teams."
The theme of this year's Cybersecurity Awareness Month is "See Yourself in Cyber," emphasizing the critical role that individual education and action play in managing cybersecurity risk. On that topic, Wisseman and Aragao recommend two simple steps anyone can take to reduce their risk from cyber threats:
- Set up two-factor authentication (2FA) for sensitive logins.
- Adopt a high level of skepticism around suspicious-looking emails and texts—likely indications of phishing and smishing attacks, respectively.
Clear Access Controls
For businesses, the matter is a bit more complex. Asked separately to list the most important steps for all businesses to take, both answered nearly identically:
- Establish very clear access controls.
- Back up—and encrypt—all sensitive data.
- Monitor your environment closely; establish a "normal" baseline of activity and learn to identify abnormalities.
- Use automated solutions to respond quickly to anomalies.
The breakneck speed of IT innovation will only present further cybersecurity challenges. Increased dependence on third-party apps, for example, opens organizations to whatever security vulnerabilities app vendors might have. Other technological innovations, such as cloud delivery, have made businesses' "security exteriors very porous," as Wisseman put it.
Through it all, Reimagining Cyber will continue to document common challenges, best practices to become more cyber resilient, and creative solutions to novel threats.
"We're going to be doing a bit to drive up subscriptions," Wisseman said of the next steps for the show. "And we are always looking for good guests!"