Today’s Threats, Tomorrow’s Skill Sets?
Being aware of emerging threats and how they impact technologies is key to bolstering defenses. But can this knowledge also prove useful to your career? Today, the top skill sets employers are looking for include cloud computing security skills (40%), followed by risk assessment, analysis and management (26%) and artificial intelligence (AI) and machine learning (ML) (25%), according to the ISC(2)’s Cybersecurity Workforce Study 2021. So we know that expertise in these areas is in relatively short supply. Focusing on the threat vectors unique to each could therefore help predict future demand, effectively futureproofing your career.
Breaks in the Cloud
Within the realm of the cloud, the top attack types noted in the Cloud Security Alliance (CSA)’s threat chart have changed markedly. Usually produced every two years, this year’s report revealed that the top threat was insufficient identity, credentials, access and key management, which has moved up from fourth place. This suggests that automated identity and access management (IAM) will become a key technology with which the security team should familiarise themselves.
In second place were insecure interfaces and APIs which have made a massive leap five places up the chart from number seven. APIs are rapidly surpassing web applications and so there’s now a need for hands-on management of APIs, from inventorization to prevent shadow and zombie APIs to the need to manage API-specific tools for threat detection. In third place was misconfiguration and inadequate change control, which has actually moved down one place, suggesting security in this area is improving.
GRC Opportunities
Risk assessment, analysis and management covers a multitude of areas but essentially it governs the means to determine the risk tolerance of the business which means establishing threats, how well equipped the business is to deal with them, and their likely impact. One of the reasons it’s now in such demand is because of the rise in regulatory compliance, both in terms of industry-specific regulations as well as those pertaining to security ie PCI DSS, ISO 27001, etc.
But effective risk management should not be driven by compliance or rely too heavily on metrics. Instead, it should seek to keep decision makers and the board informed, take proactive action to mitigate risks, and integrate cyber risk with business risk, according to the NCSC. This means that soft skills such as problem-solving and effective communication will be critical going forward. However, the State of Cybersecurity 2022 report from ISACA, found these very same soft skills (communication, flexibility and leadership) were in short supply; they came out as the number one skill set cybersecurity professionals lack.
Upskilling in AI/ML
AI and ML are both highly dependent on the ability to access large quantities of data and on being able to mine that data correctly using specific algorithms. Any exploitation or misconfiguration can therefore have far-reaching consequences on predictive modeling. Typical attacks can include data poisoning and input attacks that manipulate the data and there is of course always the risk of data leakage or theft. Currently, AI systems are still in their infancy and the preoccupation is with creating transparency, standardization and auditing methodologies in order to secure them.
There is, of course, the risk of cyberattacks becoming AI-powered, enabling today’s automated attacks to become more refined and evasive. Offensive AI is likely to see attacks utilize OSINT and mimic user language and voice for phishing attacks while malware will morph and change to avoid detection. Will this then necessitate the use of AI to defend against AI? Or will we be entering the age of cyborg cybersecurity, where an AI-assisted human will be the best means of defense?
Time will tell but what we do know is that AI/ML skills are in high demand. The World Economic Forum (WEF) Future of Jobs report found that within digital communications and IT, the top emerging job role was for AI and ML specialists. But, equally, that lack of skilled personnel is threatening uptake, with 60% citing the skills gap and 55% an inability to attract specialized talent as barriers to the adoption of new technology, creating a chicken and egg type dilemma. Perhaps it’s for this reason that only a quarter of cybersecurity professionals said they were actively developing AI/ML skills in the ISC(2) survey.
Filling the Gaps
Contrary to popular belief, the skills in high demand are not wholly technical. While being conversant in security controls came out as number one and networking-related skills at number three, it was soft skills that came in as number two in the ISACA survey. It details the top soft skills as communication, critical thinking, problem-solving, teamwork and attention to detail. Similarly, the ISC(2) study noted problem-solving, curiosity and a willingness to learn, communication skills and strategic thinking among the most important non-technical skills. So, while proficiency in software and network skills related to cloud, GRC or AI/ML are valuable, they should be augmented.
What is clear is that those looking to seize the initiative and upskill today will make themselves indispensable in the future. By looking at where today’s cyber weaknesses are and anticipating future technological change it is possible to gauge where the demand will be and, by getting ahead of the crowd and upskilling, you can ensure you’ll never be out of a job.
