Kurt John is Chief Cybersecurity Officer of Siemens USA, where he is responsible for the information security strategy, governance and implementation for the company’s largest market with ~$23B in annual revenues. In this interview with Help Net Security, he explores a variety of smart security decisions.
Kurt discusses the challenges modern CISOs have to deal with and the importance of IT security certification, gives his opinion on what an ideal cybersecurity candidate looks like, and much more.
What advice would you give to a newly appointed CISO that was tasked with hiring more security professionals in order to strengthen overall enterprise security?
I would say that we can’t solely depend on data and machine learning tools to guard against hackers trying to break into networks. We need people making sense of the information. Analytics might detect things, but it’s the human who can understand the full story. And that information undoubtedly transcends multiple functions and departments – all using it to keep the business future facing and effective.
The technical skills are sometimes hard to find, but finding someone who has the soft skills and mindset to be collaborative and a strategic partner often can be even harder. Find someone who understands the business’ mission and is invested in achieving that mission as part of a broader team.
What makes a perfect cybersecurity candidate? What are the dos and don’ts for those looking to land a dream information security job?
In my experience, one quality I have seen in most great cybersecurity professionals is that they all enjoy solving problems. Cybersecurity skills are not only the gateway to a good-paying job and career; they also offer people the chance to work on the frontlines of a major challenge that’s affecting millions of people and spanning industries, geographies and backgrounds. It’s crucial they recognize how interconnected this shared challenge is across companies, industries and countries.
Candidates should also be comfortable with ambiguity in a sense. As a technical field, a lot of things are grounded in hard data. However, overall as a field, cybersecurity is still relatively immature and evolving. Add to that the speed of innovation in technology and we have a recipe for an ever-changing environment that requires comfort with ambiguity as well as speed and flexibility to remain relevant.
How can we expect the cybersecurity skills shortage to play out in the near future?
Cybersecurity positions are growing three times faster than other IT positions. When compared to other jobs, they are growing 12 times faster. It’s estimated the amount of additional trained staff needed to close the skills gap is more than 4 million professionals. So, cybersecurity needs to be central to every business strategy today. What we need to do is pivot on what it means to be qualified as well as how we identify and train talent.
That aside, it’s difficult to tell right now, but I see positive events unfolding, including government support and funding for Career and Technical Education (CTE); greater collaboration between private sector and educational institutions in the form of apprenticeship programs; and openness in the private sector to invest in upskilling and reskilling to support workers who traditionally don’t have education or expertise in the cybersecurity field. I’m optimistic that we will be able to move the needle on the skills shortage.
One more thing to consider is that we may need to have a feedback loop that helps us rethink what it means to be a qualified cybersecurity professional in the future. With technology advancing so quickly, I believe that the lower and middle tiers of cybersecurity will be managed by AI and machine learning.
This means that instead of learning how to execute on the technical aspects of patch management, our experts of the future will be able to focus on the implications of the output of an automated patch management process, such as: What is the primary value chain(s) of the business impacted by this vulnerability? What’s the impact to the company if this patch goes wrong? Are there secondary controls we can implement to enhance security until we can install the patch, given that we’re in the middle of supporting this critical infrastructure upgrade?
These questions move the cybersecurity expert from execution to a strategic business partner that front-loads and processes more of the business context prior to making recommendations on a path to protect the business.
Can security certifications help with the cybersecurity skills shortage?
Yes, I believe certifications can be helpful in filling specific roles within the cybersecurity field. For example, companies like Siemens continue to hire cybersecurity experts with a focus on securing operational technology in manufacturing plants and at general utility companies to protect critical infrastructure.
However, I believe certifications work best when paired with a holistic cybersecurity education approach that ensures experts not only know their field, but know how their roles fit into the larger cybersecurity landscape.
Security teams are overworked, and many are considering leaving the industry due to burnout. What’s the best way to address the cybersecurity skills shortage while making sure current security professionals have all the resources they need?
First off, mental health and an appropriate work-life balance are crucial in any field to prevent burnout, even cybersecurity. Especially now, as cybersecurity has come into the spotlight due to the remote nature of the pandemic, we must remember that overworking employees will only hurt companies in the long run. Alongside our investment in technology, we need to invest in the people who will use it.
I think that too often companies may be trying to do it all when it comes to cybersecurity. There simply are not enough resources to get it perfect, and even then, vulnerabilities cannot be completely prevented. I have two bits of advice: First, business leaders should integrate cybersecurity much more deeply into their executive priorities. Think of cybersecurity experts as strategic advisors on most parts of business activities.
If there’s an IT system enabling a business process, then cybersecurity should go hand in glove. The second part is that cybersecurity experts need to stop thinking like technical experts and start thinking like CEOs – a very tall order, but it’s critical for success here. This is because cybersecurity is the foundation that will protect business processes and innovation.
Cybersecurity experts need to understand business processes and be able to draw insights and correlations across multiple business functions or processes. This will not happen overnight, but it needs to be one of the core factors upon which cybersecurity experts pivot, in order to be business relevant and future facing. These two bits of advice should help drastically reduce the urgency and hyperactivity around cybersecurity, which often leads to overwork and stress.