‘Tech Won’t Run Itself’: Analyzing Cyber Security’s Talent Crisis

Dan Gunderman
12/05/2017

Monday night’s episode of VoiceAmerica’s “Task Force 7” Radio tackled both the debilitating talent crisis in cyber security and the “mega”-breach at Uber, details of which continue to come to light.

Information security executive and host George Rettas also dedicated time to the diplomatic crisis in the Middle East – involving a Qatari cyber-attack – and details surrounding the indictment of an Iranian national who stands charged with tampering with HBO’s data, and leaking content from the pay cable channel.

On the cyber security skills gap, Rettas said the space is dealing with a “must-win battle.” The conclusion of said battle must be a “multi-prong” solution, the host continued, before acknowledging the complexity of the subject.

Rettas said the talent crisis has been particularly exacerbated in the past 12 months, as scores of headlines have circulated across the web.

“Cyber security is growing 12 times faster than any other job market in the United States,” Rettas said. Yet, the “Task Force 7” host continued, there are 350,000 open related jobs in the U.S., with no talent to fill them. For the same reasons, there are a million vacant jobs worldwide.

Rettas quoted additional statistics, saying that 2 million jobs are projected to be vacant by 2019 and 3.5 million by 2021. The latter figure is original research from Cyber Security Ventures.

“So things aren’t getting any better. In fact, they’re getting a lot worse,” Rettas said. Every year, 40,000 jobs go unfilled – and there are 2,500 vacant CISO jobs right now in the U.S.

For every 10 cyber security job ads that appear on career sites, only seven people even click on the ads, let alone apply for the position, the host added.

Yet, Rettas took time to highlight the importance of such an industry. “Cyber security programs are essential to protecting critical infrastructures that support and facilitate our freedoms, our liberties and our way of life. This is no exaggeration.”


According to information relayed by the VoiceAmerica show host, 29% of breached organizations lost revenue out of operations. With no talent in place to protect data, it equates to more risk – and more consequences to profits and losses (P&L).

The global cyber security spend is projected to be $200 billion in 2020. “So where are they?” Rettas asked of the security professionals. “I’ve got news for everyone: technology is not going to run itself.”

Rettas said that according to Cyber Security Ventures' research, cyber-crime is expected to cost the world $6 trillion by 2021, up from $3 trillion in 2015.

The host said that according to Cyber Security Ventures, the $3 trillion to $6 trillion shift would be the greatest transfer of economic wealth in human history. That means the illicit dealings would be more profitable than the trade of all illegal drugs, combined.

Just because one company hires talent – and has the reputation to do so – does not “mitigate” the crisis across the whole sector, Rettas added.

Uber Breach

In revisiting the topic of the pervasive Uber breach that was revealed last month, Rettas said that the company’s outgoing cyber security chief, Joe Sullivan, has a good reputation in the cyber security community.

“Unfortunately we probably won’t be able to hear from him any time soon (for his side of the story) – due to impending lawsuits (Uber faces),” Rettas said.

The host then further explained the company’s “Greyball” tool, a part of the violation of terms of service (VTOS) program, which began as early as 2014 and remains in use predominantly outside the U.S.

Uber says the program denies users trying to manipulate its systems. However, as Rettas pointed out, officials have remained concerned that Uber may have worked to thwart cities’ capabilities to protect the public.

That is, while the Greyball tool was allegedly used to weed out riders thought to be using the service improperly, it may have been drawn on to employ “counter-surveillance” operations, Rettas said.

For potential users linked to law enforcement, Uber might “greyball” them with a small piece of code, at which point the company might show zero cars available for users suspected to be law enforcement officials.


At least 50 people inside Uber knew about Greyball, Rettas said, citing deep journalistic dives into the subject. And it was allegedly approved by Uber’s legal team.

The host also pointed out the problem with ransom money payment – in that it’s uncertain where the money goes after cyber-criminals get their hands on it. Rettas cited Fraud-Magazine.com in saying that cyber-crimes that involve fraud are used, in some cases, to fund terrorist cells.

He also cited commentary that suggests Uber may have violated an FTC rule on breach disclosure when it asked the hackers to destroy stolen data. Pertinent state laws also demand disclosure.

Rettas asked whether what we’ve seen has even “scratched the surface with what’s going on over there.”

Rettas rounded out the show with overviews of the diplomatic crisis in the Middle East said to be catalyzed by a Qatari cyber-attack, and this year’s HBO hack, which resulted in leaked content from the pay cable channel.

Behzad Mesri, an Iranian national – who allegedly demanded steep ransom costs in bitcoin – has been indicted for his alleged cyber assault on HBO. The indictment suggests the hacker will not be able to leave Iran, on pain of extradition to the U.S.

The “Task Force 7” Radio recap is a weekly feature on the Cyber Security Hub.
