Surveying the Threat Landscape: 5 Future Careers in Cybersecurity
June 3, 2014 by Daniel Humphries
IT security is booming. Last year, Forbes magazine predicted that the industry would expand tenfold in the next decade. But as fast as security is growing, it’s also changing—with even the effectiveness of anti-virus, a defense until now regarded as fundamental, increasingly up for debate.
With new and more dangerous threats appearing all the time, businesses and security firms are constantly forced to adapt and evolve. So we wanted to know which new jobs are emerging, and which old ones are changing. We asked five top figures in cybersecurity to gaze into the future for us, and to reveal the shape of things to come in IT security careers.
The Expanded CISO
Requirements: Advanced technical skills, in-depth business knowledge
Traditionally, Chief Information Security Officers (CISOs) have been experts in the tools and science of defending data against bad guys. However, the threats facing businesses today are so complex and multifaceted that in the future, CISOs will need to complement their technical expertise with a deeper understanding of the businesses they are fighting to protect, says Yuval Ben-Itzhak, Chief Technical Officer (CTO) of antivirus giant AVG.
Practically everything in a business is now connected, Ben-Itzhak explains—and to illustrate his point, he gives the example of a stolen truck. Once upon a time, it was just that; the company would be out for the cost of the vehicle and whatever physical property it might have contained. In today’s wired world, however, that stolen truck could contain a device that is connected to the business’s network, which thieves might be able to access in order to steal data of much greater value. In other words: Threats can come from anywhere.
As a result, says Ben-Itzhak, the CISO of the future will need to spend time “learning about how the business operates—its goals, its targets as well as what the threat landscape looks like.”
Correctly allocating a company’s security resources, says Ben-Itzhak, requires CISOs to view the data at a business level. They must distinguish between information that is crucial to the business and must be closely guarded, such as financial reports or customer lists, and that which is less important, requiring more general protections—for example, marketing materials or customer support replies.
Firms that understand this will soon be sending their cybersecurity experts to study for MBAs or other financial and business training courses, he believes. Without this broader perspective, CISOs will struggle to make the right risk management decisions.
“To get an individual from one side of the business and train him for the other is very challenging,” Ben-Itzhak says. “But there’s no other choice—we don’t want to further spend on securing things that will not focus on where the problems are.”
Requirements: Advanced data crunching, analytical skills, threat assessment skills
“When my students ask me how their studies might transfer into corporate IT positions, I point to the rapid rise in malware analyst positions worldwide,” says Giovanni Vigna, PhD, professor of computer science at the University of California, Santa Barbara and co-founder of IT security firm Lastline.
Vigna argues that malware researchers are in demand due to the rise in new strains of sophisticated malware and advanced persistent threats that are currently “bombarding organizations.”
Traditional IT security tools are no longer enough to catch this sophisticated malware, says Vigna. However, more sensitive malware detection tools are in some cases generating hundreds of alerts each hour, which in turn leads to “alert fatigue”—as happened at Target. In today’s threat landscape, then, businesses will need more and more malware analysts to make sense of the confusing flood of warnings.
These threat experts, Vigna says, “not only quickly detect and mitigate malware attacks in progress, they must also reverse-engineer the malware itself to determine what, if any, damage may have been done, what the intent of the malware creator was and how to prevent future attacks using similar techniques.”
The old ways are dead, argues Vigna. Whereas in the past, banks or retailers would hire hackers to manually hack into their systems to test their defenses, malware analysts “must be able to compile and analyze tremendous amounts of real-world, external data on automated, systemized, evasive, changing and highly-sophisticated malicious software.”
Malware researchers must go beyond plugging identifiable holes in company defenses revealed by the traditional white-hat hack. Instead, Vigna explains, they will identify and block new types of malware “using heuristics, sandboxing, analytics and statistical patterning.”
Vigna says the rise of the malware researcher is already underway, and has the stats to back up his statement: A recent study by online recruitment company RealMatch measured a 60 percent increase in malware analyst positions in its JobNetwork database year-over-year from April 2013 to April 2014.
Data Disappearance Expert
Requirements: Internet expertise
As we go about our days attached to mobile devices loaded with apps that record an infinitude of details about our lives, so the firms behind those delightful little tools collect (and exploit) incredible amounts of data about us. Currently, we have little visibility into what these firms are collecting or who is using that information. But this will change—and when it does, it will open up a whole new type of security career, says Mark Herschberg, CTO at behavioral intelligence firm Madison Logic.
“Today there are agencies that can tell you your credit profile and help you clean it,” Herschberg says. “Tomorrow similar agencies will tell you your data profile—what companies know about you—and help you clean mistakes or restrict access to that data.”
Herschberg says he is certain this prediction will come to pass, and points to analogous services such as credit score cleanup services and public relations (PR) agents that attempt to hide negative press for their clients by pushing damaging information and unfavorable details further down in Internet search results.
However, Herschberg thinks that these services merely hint at what is to come, and points to the recent ruling by the European Union’s court of justice that individuals have a “right to be forgotten” in search results as a sign of how serious the business of data disappearance is getting. He argues that PR activities aimed at concealing or suppressing unfavorable data will become a lot more specific, as new firms will emerge offering to remove data entirely, rather than just hide it.
“People applying to jobs and schools care primarily about what information [of theirs] is public,” Herschberg says, “and the service will almost be like hiring a private investigator to dig up dirt on [you], and then help you make it not public.”
While he expects that the disappearance services will initially be targeted at assisting individuals, as “laws and data services evolve,” businesses could also start to employ them. As to who will disappear inconvenient data, Herschberg thinks the job market will be pretty open.
“Like their cousins in credit cleanup and PR, I suspect there won’t be much of a specific background at first,” says Herschberg. “They’ll mostly hire unemployed college grads who are Internet-savvy. It’s such a new field, there’s not a lot of deep background needed. But just as [search engine optimization] went from ‘that-college-kid-who-knows-about-websites’ 18 years ago to professionals today who understand the industry, so too will this evolve as the industry gets more complex.”
Online memory wipe, anyone?
Real-Time Security Sensor Designer
Requirements: Vulnerabilities expertise
“I think a whole set of jobs will emerge around designing, implementing, using and managing a network of real-time security sensors for software,” says Jeff Williams, CTO and co-founder of Aspect Security. “Currently, we have some of this at the network and product levels, but nothing for custom Web applications and Web services. The result is that we basically have no idea whether our software is running securely, vulnerable to attack or actually being attacked!”
Williams says that today, many of the Web apps we see and take for granted are ripe for exploitation. For instance, even an act as simple as clicking a “Buy Now” button on a website can involve a complex series of behind-the-scenes processes, and with our current state of technology, we have very little that can offer us visibility into those processes as they occur—or alert us if an attack is taking place.
“Imagine trying to fix that!” says Williams. “The sensors will provide us with real-time information, analysis and insight into what’s happening with our apps, and enable us to react to situations as they arise and fix them.”
Williams has little faith in formal security certifications, and argues that the best designers of these sensors will likely be drawn from the ranks of IT security experts who have demonstrable skills working with vulnerabilities. In addition, they will need to have what he calls “security DNA”: an interest in breaking into things and taking things apart to discover their weaknesses, then developing ways to remedy them.
The sensors will bring immediate and immense benefits, says Williams. He cites the case of the Heartbleed bug, the encryption flaw that affected two-thirds of the world’s websites. At many companies, it took hundreds of hours for security experts to manually inspect all of the software and Web apps used by their firms to find out if they had been compromised by the bug. Real-time sensors—whether integrated into the programs we use, or deployed as external tools by cybersecurity experts—will automate and streamline the process, Williams predicts.
Security Presales Systems Engineer (SE)
Requirements: IT infrastructure knowledge, sales prowess, risk and threat assessment skills
Finally, we come to a role often overlooked in surveys of radical change: the Security Presales Systems Engineer. Today, when a client is purchasing software, the Security Presales SE demonstrates how it works and how it will interact with the client’s systems.
However, Mike Canavan, senior director of systems engineering at Kaspersky Lab North America, predicts that “within the next few years, the role will evolve into a highly-specialized position requiring the understanding of threats, while at the same time maintaining technical aptitude around generalized IT infrastructure.”
This combination will allow for not only the best risk-assessment capabilities, says Canavan, but also the “know-how to implement security solutions in the ever-evolving customer environment.”
Canavan explains that with the continued stress on IT staffing, the security industry is currently seeing an increase in demand for professional services: external experts who manage security systems for clients. However, one major drawback with the rise in professional services is the change in personnel that generally occurs. Canavan points out that the presales SE already has fundamental knowledge of the customer environment and implementation requirements—but he is usually replaced by a professional services engineer to manage the system for the client once it has been deployed. This shift can be disruptive.
“In the long term,” says Canavan, “it is highly likely we will see a hybrid SE: a professional services engineer who will transcend the traditional demarcation of ‘the sale’ in an effort to provide the best customer experience.”
This hybrid SE, says Canavan, will bridge the gap between these two historically-separate roles, taking more of a project management role in the professional services realm.
So, this is what our experts foresee: an interesting blend of prophecies, ranging from those based on trends we see emerging around us right now to others which are a little more speculative. But what do you think? Are there any other significant future jobs that you think we have missed? Let us know in the comments below!