They say that one man’s meat is another man’s poison. In tech, it’s more like one group’s bonanza of opportunity is another group’s crisis of scarcity. Here’s the situation: India has long been a go-to pool for offshoring technology work. Western companies looking for everything from tech customer service to building software find relatively cheap labor on the subcontinent while providing some 4 million Indians with a gateway to the middle class. Win-win.
Enter automation, which is beginning what promises to be a rapid transformation of the tech sector employment landscape. In this process, India is the proverbial canary in the coal mine. And with 4 million tech jobs at stake, it is one very big canary. A 2015 study released by McKinsey India and the trade organization Nasscom (National Association of Software and Services Companies) reported that 50 to 70 percent of Indian tech workers’ skills will be irrelevant by 2020.
Watch the big canary start to wheeze, and behold the coming crisis of global tech jobs drying up. Yet, if automation is the grim reaper for some, it is the bringer of opportunity for others. And if there is one field benefitting from high-tech automation right now, it’s cybercrime.
The automation of malware’s creation and distribution is creating a bonanza of cybercrime, which Juniper Research estimates will cost $2 trillion by 2019, three times the 2015 estimate of $500 billion.
By reducing the cost of entry into the field of cybercrime — a ransomware kit, for example, can be rented for a mere $1,000 a month — automation has not only created an employment bonanza for bad guys, it has also created a booming demand for cybersecurity jobs.
But, at the same time, businesses everywhere are facing the fact: the security talent pool is dry. This is good news for security professionals, who have one of the few jobs that automation won’t replace soon, and there’s no end in sight to the skills shortage. However, if we take a wider view, this is a big economic problem. Security work is either not getting done, or is being done by people who lack the background or aptitude.
Exactly how dry is the talent drought?
The eighth Global Information Security Workforce Study, conducted by the global nonprofit IT security professional organization (ISC)², predicts that the number of unfilled cybersecurity jobs will rise to 1.8 million over the next five years. The cybersecurity market intelligence research firm Cybersecurity Ventures puts the shortfall much higher, at a 3.5 million worker shortage by 2021.
What rational hope do business leaders have of recruiting or training between 1.8 million and 3.5 million cybersecurity personnel ASAP?
Little to none. So, it is time to rethink the crisis.
Clearly, cybercrime is a criminal enterprise, but business leaders need to focus at least as closely on the word “enterprise” as on “criminal.” Like you, cybercriminals are engaged in an enterprise. In fact, they have become your fiercest competitors. What can you do to catch up?
No. 1: Stop thinking about cybersecurity as an employment problem. We do need more cybersecurity professionals, but simply throwing them at the problem — even if we had all 3.5 million to throw right now — will not stop the attacks. Matching mere mortals against automation is a guaranteed losing proposition.
Which brings us to No. 2: Stop thinking about cybersecurity. The elements of security — anti-malware software, antivirus software, firewalls and training people in safe computing practices — are essential: necessary, but not sufficient.
Security may defeat 99 out of 100 attacks or even 999 out of 1000. But, security alone does nothing about the one attack that gets through. And it will get through.
The move that will preserve, protect and defend your business now is to stop relying exclusively on security — and on those increasingly hard-to-get cybersecurity employees. Accept the reality that you are being attacked, continually; that some of the attacks will penetrate your security defenses; and that some of those penetrations will result in breaches — and the exfiltration of data. Having accepted this reality, you are ready to add resilience to your cyber-defense arsenal.
Security strategies are the digital equivalent of walls in the physical world. They are designed to prevent attacks through exclusion. But, as former Homeland Security Department Secretary Janet Napolitano once remarked in opposition to building a border wall to prevent illegal immigration: “You show me a 50-foot wall, and I’ll show you a 51-foot ladder.”
In contrast to the static wall paradigm of cybersecurity, the strategies of resilience are dynamic. They are about making your network hard to hit, acquiring the knowledge and tools needed to detect the attacks that do get through, and then responding to them rapidly enough to prevent or minimize the exfiltration of data.
Most of all, resilience strategies are about doing as much as possible with whatever resources you have now. To be smart about resources, you need to understand your network and know where its weak points lie. Then you need to follow up this knowledge with a comprehensive understanding of the levels of data that are at risk. All data is not created equal. Some needs to be widely and readily accessible; some needs to be highly secure. Defenses need to be prioritized according to data priorities, and sensors deployed network-wide to cover gaps in protection.
Finally, a resilience strategy includes a component cybersecurity fails to address: recovery. Under attack, a resilient organization can continue to do business. After the attack, it can quickly recover.
The security talent drought is real and is not getting better anytime soon. You cannot get all the troops you need, and therefore you need to be self-reliant. Actualized by resilience, self-reliance is an immediate solution to what promises to be an enduring crisis.