A business panel discussion during RSA’s conference in Singapore revealed, among other things, a lot of interesting ideas/practices around where the future pipeline for security talent might be.
While addressing the topic of talent shortage in the area of cybersecurity, Senior Fellow at Singapore’s Centre of Excellence for National Security (CENS), Benjamin Ang, said, “A lot of laws criminalise ‘exploratory’ activities,” while explaining that some of these exploratory activities actually uncover cyber exploits, which are then shared with the cybersecurity community.
Ang said, “The industry should integrate white hats into cybersecurity areas,” and added that companies should consider channelling training funds into the military sector.
RSA CTO, Zulfikar Ramzan, took up the idea that the right mindset in the right conditions is important for cybersecurity roles by sharing how truck drivers could be leveraged to be security analysts, because of their trained mentality to be always on the alert and observant of their surroundings.
Talent against a fast-evolving backdrop
When moderator Hugh Thompson, Symantec’s CTO, posed the question of how to prepare for a role that is changing so much, Ang brought up the matter of cross-domain experts, and how we may need to look outside conventional technology streams for talent willing to cross over. “It would help if they are able to speak the business language.”
Ramzan explained that boards also have fundamental questions that they want answered, which require handling by someone who can speak the language of business. “If we can start to articulate at security levels to their business levels, that can help… policies can be mandated from top-down, so governance can be done properly.”
GDPR
In May 2018, the EU General Data Protection Regulation (GDPR) will come into enforcement; all companies affected by the GDPR will have to comply with its regulations, which are meant to harmonise data privacy laws across Europe and to protect and empower all EU citizens’ data privacy.
The epicentre of the GDPR is the European Union, but its implications are global. While it does not impact this region as much as a similar regulation sized for Southeast Asia or Asia Pacific would, it impacts these regions nevertheless.
The GDPR applies to companies that handle EU citizens’ data, and Ramzan said that, regardless of the region companies are in, there is a very good chance they are handling the data of an EU citizen, and hence a chance they would have to worry about GDPR issues.
This ‘worry’ can be categorised into three broad questions to answer – who is accessing your data, where is your critical data located, and can you explain the first two answers correctly to a third party?
One of the main points about GDPR that Ramzan pointed out is that breaches must be reported 72 hours after they occur. “In reality, it takes 9 to 12 months to detect a breach. Every organisation knows they have a lot to do, because the cost of non-compliance is more than the cost of compliance.”
IBM’s Global Executive Security Advisor, Diana Kelley, added a further thought about GDPR and its impact upon where to build data centres, when she pointed out that data is not static. “Data is flowing around the globe. Data has different control and sensitivity levels in different geographies.
“These are a big part of considerations when building infrastructures,” she said, while Ang concluded that academia plays a huge role mediating between public and private organisations, as the latter engages regulators to try to understand, and sometimes help shape, policy.