I saw a Journal article about a shortage of people in Cyber Security today that kind of surprised me. It said there were upwards of a million unfilled Cyber Security jobs in the world and AI was going to help fill them. Since this is a story that I have heard since 1977 when I got into this business, I kind of wondered why they thought that was going to happen now, when it hasn’t happened in all these years.
First, to keep those thinking of getting into the cyber security business, I doubt that number is anywhere close to realistic. If you total up all the businesses in the world that need cyber security specialists there just aren’t that many. Small businesses rely on services that help them, many of those cloud services that are growing faster than corn in Iowa. The clouds might have a couple of hundred thousand people doing cyber and a bunch of administrators who know it well enough to do their jobs. It takes a little of both operations and security to get by in the business.
Second, AI is no better at solving these kinds of problems until it can find new exploits that get into systems and compromise them. One of the biggest flaws in our security systems today is the inability to discover new methods of attack until the attacks have already taken place. We need to find and monitor groups of hackers who develop code to do that, and companies that devote the kind of time it takes get good rewards- ask Mandiant how much money they made when FireEye purchased them.
Then, of course, we need to disrupt them at least to the point that it becomes very expensive to maintain their business models. Businesses, especially International Banking, seem content to stay on the sidelines and watch hackers get better. We need much more security because we don’t have anyone doing the disruption that needs to be done.
Third, much of the world’s cyber defenses are now operating against foreign governments. The real need for cyber defense is in government which has neither the desire nor the capacity to hire and train the best. Admittedly, some of them get sucked into industry but not as many as one might think. Government security is not sophisticated enough to get people prepared for life in the commercial world. It teaches all the wrong skills and worries about this form or that rather than if a system is secure. The government policies, if followed, will not make a system reasonably secure. Worse yet, it produces drones who don’t know how to secure a system, but only to make paper descriptions look like they do.
So, AI, what can you do for these kinds of problems? Not much. It might be better than the endless stream of alarms over a network intrusion detection system, but not a whole lot better. Those sensors are programmed to watch for things we already know have happened. Give me a system that adapts to new attack techniques we have never seen before and I will buy it in a minute. I just don’t think the systems I have seen will do that. Give me a system that will adapt to new attack techniques and reconfigure the network without stopping operations and I will buy that in a minute. We have people who said they could do that 10 years ago. We are still waiting.
Now, do we need more people in Cyber Security? No. We need better skills in the ones we have. Those skills have nothing to do with certificates or letters after a person’s name. These are skills with managing and security of networks that interconnect across the world. Human Resources has no way to measure that kind of thing anymore. Shame on them. It keeps ones who can do that from getting into the places we really need them. It reminds me of new security architects coming into my office for an interview. I asked them to sketch out the last architecture they had developed and fill in some details as they went. It was surprising at the number who couldn’t do that. They didn’t need certs to do that. They needed experience.
No comments:
Post a Comment