A veteran’s look at the cybersecurity industry and the problems that need solving

For many in the infosec industry, Daniel Miessler needs no introduction, as he’s a 20-year industry veteran, a professional that fulfilled a variety of security roles at companies like HP and IOActive, a leader of the OWASP IoT Security Project and, most prominently, the author of the popular Unsupervised Learning podcast, newsletter and blog.

Daniel Miessler

Apart from effectively curating and summarizing content produced by others, Miessler is also the source of interesting ideas and occasionally unorthodox opinions such as, for example, that we have exactly the right amount of software security given how high we prioritize it compared to building features and expanding business.

“If we were losing a lot more money, or lots of people were getting hurt or killed, security would improve overnight. That isn’t happening because the security we currently have is mostly good enough,” he told Help Net Security.

But, he believes, that status quo could change soon due to the emerging IoT proliferation, blossoming privacy challenges and the general digitization of more and more of our lives.

“Once insecurity starts colliding with our ability to run successful businesses – in a real way, not just being an annoyance – and/or people start getting hurt, that’s when we’ll see a combination of regulation and laser focus on security from industry,” he opined.

Current industry problems

Despite the fact that the information security industry has been developing for the past few decades, it is still in the “wizardry and alchemy” phase, and that’s why, according to Miessler, sales are still linked to disasters.

Breaches and hacking are still wild and mysterious and scary to business leaders, he says. Fear causes emotional reactions and, when business people get scared, they open their wallets. Still, most of those in the industry would genuinely like to see organizations adopting sound security practices and cybercriminals getting the shorter end of the stick.

“As industries mature they become more boring – like accounting, or insurance. That’s ironically the goal of security: to be able to translate every decision into a tradeoff between cost of control and cost of impact. Right now we’re nowhere close to this – we’re still a bunch of wizards trying to have an accounting conversation,” he noted.

“The bigger problem is that we don’t have a common language that bridges infosec and business, since security people can’t quantify their risk as money, and business people ultimately see everthing in those terms. This is why people who can translate between the two are in such demand.”

Yet another problem that needs solving as soon as possible is how to find and hire the right talent for cybersecurity roles.

The problem is caused by a dearth of entry-level cybersecurity positions and bad hiring processes by most companies, Miessler believes.

“The skills required to do even an introductory level position in infosec are significant. If you don’t have some foundation in system administration, networking, or programming – or some other practical experience related to security – you can be repeatedly passed over for positions,” he noted.

“The best thing you can possibly do to get into security is figure out the exact skills that employers are looking for and come to the interview being somewhat functional in one or more of them. Employers want to know what you can do immediately, because they don’t have the time or the risk tolerance to train someone new and potentially find out they’re not a good fit. You have to be useful on day one.”

This is why university interns and bug-bounty people have such a major advantage in the market, he says – they come into conversations having already done projects, seen the real world, so even if they’re not very advanced, they’re still functional immediately.

Employers, on the other hand, can start by concentrating less on filtering and hiring techniques that were used in the past (e.g., degrees) and more on verifying and confirming that the candidate can build something, code, or solve problems.

Future cybersecurity industry problems

As noted earlier, one of the key challenges he expects the infosec industry will have to tackle in the next five or so years is privacy. Fuelled by the rise of IoT and wearables, data about all of use will become a primary currency in our economy, he believes.

The problem of data stolen and misused by cyber criminals is just a small part of the problem – the real problem is data brokers, who systematically organize and sell our data in a way no criminal can, he notes.

“If we want to address privacy properly we need to look at the ‘legitimate’ business models that are built around doing precisely the opposite of what most consumers want done with their data,” he added.

Another big challenge for the industry is staying relevant.

“If security groups can’t stop breaches, the public doesn’t stop doing business with a company when it gets compromised, and the business can gain protection through insurance, they might very well switch their efforts towards insurance-based protection,” he explained.

“In that world, the business asks the insurance companies what they should do, since they’ll be the ones with the best data on how to protect things. We’re not there yet, but I think the future has much of the infosec world working within the context of insurance. Infosec’s biggest problem is not being able to make data-based decisions on what to do to reduce the most risk, and insurance companies are the best situated from an incentive and business standpoint to collect and make use of that data.”